Tracker emails contain HTTP links to tracker.pureos.net
Open, Normal, Public

Description

Emails sent from noreply@tracker.pureos.net contain HTTP links to tracker.pureos.net and are thus vulnerable to MITM attacks when clicked.

Examples:

  1. in notifications of tasks:

TASK DETAIL
http://tracker.pureos.net/T118

EMAIL PREFERENCES
http://tracker.pureos.net/settings/panel/emailpreferences/

  2. in the email verification link sent to a new user who has completed registration.

Please verify that you own this email address (...........) by clicking this link: http://tracker.pureos.net/emailverify/xl............./

Fix:

Change settings in tracker to use HTTPS links instead of HTTP, which can probably be accomplished by:

  1. A restart with "phd restart" may fix it, in case it's happening due to caching? See:

https://secure.phabricator.com/T10848 [Notification mails containing old links after changing phabricator.base-uri]

  2. The code path of the first example uses the 'phabricator.production-uri' config to determine the URI to use, so set it in the configuration with an https URI, which can be done with the command:

./bin/config set phabricator.production-uri HTTPSURIVALUE
where HTTPSURIVALUE is the result of ./bin/config get phabricator.base-uri

e3amn2l created this task. Sep 5 2018, 2:02 PM
e3amn2l edited the task description. Sep 5 2018, 2:09 PM
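
Added example (not part of the original task and not Phabricator code): a Python check that parses a notification mail and lists the plaintext http:// links pointing at the tracker host, which can be run against a fresh notification to confirm the configuration change took effect. The sample message is constructed from the excerpts in the description, and the function names are hypothetical.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

TRACKER_HOST = "tracker.pureos.net"  # host named in the task
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

# Constructed sample notification, modelled on the excerpts in the task.
SAMPLE_EMAIL = """\
From: noreply@tracker.pureos.net
To: user@example.org
Subject: T118 updated
Content-Type: text/plain; charset=utf-8

TASK DETAIL
http://tracker.pureos.net/T118

EMAIL PREFERENCES
http://tracker.pureos.net/settings/panel/emailpreferences/

Upstream report: https://secure.phabricator.com/T10848
Link in the desired form: https://tracker.pureos.net/T118
"""

def text_parts(msg):
    """Yield the decoded text of every text/* part of the message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            yield payload.decode(charset, errors="replace")

def insecure_tracker_links(raw_email, host=TRACKER_HOST):
    """Return http:// links to exactly `host`, in order, without duplicates."""
    found = []
    for text in text_parts(message_from_string(raw_email)):
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;:")
            parts = urlsplit(url)
            # Compare the parsed hostname, not a substring, so that
            # look-alike hosts such as tracker.pureos.net.example are ignored.
            if parts.scheme.lower() == "http" and (parts.hostname or "").lower() == host:
                if url not in found:
                    found.append(url)
    return found

if __name__ == "__main__":
    for link in insecure_tracker_links(SAMPLE_EMAIL):
        print("plaintext link:", link)
```

An empty result for a notification generated after the change indicates that mail links are now built from the https URI.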
