Make WordPress Core

Opened 15 years ago

Closed 10 years ago

#10268 closed defect (bug) (invalid)

Profile and Edit user pages should be secure too

Reported by: Denis-de-Bernardy
Owned by: ryan
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch
Focuses:
Cc:

Description

With admin_ssl off, and login_ssl on, the profile page ends up insecure. It should at least send its POST request over SSL, since a new password might be set.

And possibly use a secure form as well (see #10267).
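
A check for the condition reported above, a form that carries password fields and submits to a non-HTTPS target, as an added Python example (not WordPress code and not part of this ticket). The sample markup, the example.test host and the name insecure_password_forms are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collects each <form> with its resolved submit URL and password inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": target, "password_fields": []}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password_fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_password_forms(page_url, html):
    """Return forms that contain password inputs and submit over non-HTTPS."""
    collector = _FormCollector(page_url)
    collector.feed(html)
    collector.close()
    return [f for f in collector.forms
            if f["password_fields"] and urlparse(f["action"]).scheme != "https"]


# Constructed sample resembling a profile form; not copied from WordPress.
SAMPLE = """<form id="your-profile" action="profile.php" method="post">
<input type="text" name="email">
<input type="password" name="pass1"><input type="password" name="pass2">
</form>"""

if __name__ == "__main__":
    for url in ("http://example.test/wp-admin/profile.php",
                "https://example.test/wp-admin/profile.php"):
        print(url, "->", insecure_password_forms(url, SAMPLE))
```

A relative action inherits the scheme of the page it is served from, so the same markup is flagged when the admin page is served over HTTP and passes when it is served over HTTPS.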

Attachments (1)

10268.diff (1.4 KB) - added by Denis-de-Bernardy 15 years ago.


Change History (9)

#1 @Denis-de-Bernardy
15 years ago

See also #10268 regarding the profile page.

#2 @Denis-de-Bernardy
15 years ago

  • Keywords has-patch added

#4 @ryan
15 years ago

  • Milestone changed from 2.8.1 to 2.9

#5 @azaozz
15 years ago

  • Milestone changed from 2.9 to 3.0

Perhaps this should be handled in auth_redirect() which is called from admin.php.

#6 @nacin
14 years ago

  • Milestone changed from 3.0 to 3.1

#7 @nacin
14 years ago

  • Milestone changed from Awaiting Triage to Future Release

#8 @nacin
10 years ago

  • Milestone Future Release deleted
  • Resolution set to invalid
  • Status changed from new to closed

Rendered unnecessary via #10267.
