Opened 3 years ago

Closed 17 months ago

#5466 closed defect (fixed)

Security - wiki sign up email confirmation uses http links

Reported by: Terence Eden
Owned by: Tigerfell
Priority: minor
Milestone:
Component: wiki
Version:
Keywords: Security, email
Cc: tacsipacsi


New user signs up to edit the wiki.

Confirmation email sent to their email address.

Email contains links to rather than the https version.

While I'm sure the website automatically redirects, a malicious MITM could redirect the user before that happens.

Hopefully a simple configuration change.

Attachments (1)

Screenshot_20170819-175941.jpg (121.6 KB) - added by Terence Eden 3 years ago.
Screenshot of the confirmation email


Change History (4)

Changed 3 years ago by Terence Eden

Screenshot of the confirmation email

comment:1 Changed 3 years ago by tacsipacsi

Cc: tacsipacsi added

The wiki does not redirect, at least not for watchlist notification emails. (Unless you check the appropriate option in your preferences, but a new user won’t have that checked.) $wgServer should be changed from to in LocalSettings.php (I hope).

comment:2 Changed 17 months ago by Tigerfell

Owner: changed from Grant Slater to Tigerfell
Status: new → accepted

Thanks for the suggestion @tacsipacsi. We did it slightly differently now. Link to the change in our GitHub repo:

comment:3 Changed 17 months ago by Tigerfell

Resolution: fixed
Status: accepted → closed
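
A regression check for the issue reported in this ticket, added here as an example and not taken from the ticket or the wiki's repository: it parses an outgoing message and lists the links to the site's own host that use plain http. The host name wiki.example.org, the sample message and the function name insecure_links are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Constructed sample of a sign-up confirmation email (not the real message).
SAMPLE = """\
From: wiki@wiki.example.org
To: newuser@example.net
Subject: Wiki email address confirmation
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Someone registered an account with this address.
To confirm, open this link in your browser:

http://wiki.example.org/wiki/Special:ConfirmEmail/PLACEHOLDER-TOKEN

To cancel, open:

https://wiki.example.org/wiki/Special:InvalidateEmail/PLACEHOLDER-TOKEN

Help: http://other.example.com/help.
"""

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def insecure_links(raw_message, site_hosts):
    """Return sorted plain-http URLs in the email that point at one of site_hosts."""
    msg = message_from_string(raw_message, policy=default)
    found = set()
    for part in msg.walk():
        # Only text/plain and text/html bodies carry clickable links.
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;")  # drop sentence punctuation after the URL
            parts = urlsplit(url)
            if parts.scheme.lower() == "http" and (parts.hostname or "") in site_hosts:
                found.add(url)
    return sorted(found)


if __name__ == "__main__":
    for link in insecure_links(SAMPLE, {"wiki.example.org"}):
        print("plain-http link to own host:", link)
```

Run against a captured copy of each notification type (sign-up confirmation, watchlist notification) after a configuration change; an empty result means every link to the site's own host uses https.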