[fixed] 1.10 Beta3: more unencrypted data with SSL admin
Posted: Wed Sep 21, 2011 11:18 am
I made a clean install of 1.10-beta3 on a server with its own (non-shared) SSL cert. Next, I applied the patches described in this post: Re: CMSMS 1.10 Beta3 is available to track down other observed cases of unencrypted data being sent over the network during an SSL admin session. Here's a list of what I've found so far:
- I captured the headers from a page reload of the Extensions » MicroTiny WYSIWYG editor page and extracted a list of thirteen (unencrypted) http: URLs requested (see attached).
- It appears that MicroTiny init. code used by the backend during an SSL admin session also contains URLs based on $config['root_url'] rather than $config['ssl_url'].
Code:
#grep http: /tmp/cache/mt_0f3d9d7e1635a606aa639e5d24f05R75b
image : 'http://example.com/modules/MicroTiny/images/cmsmslink.gif',
document_base_url : "http://example.com/",
var cmsURL = "http://example.com/modules/MicroTiny/filepicker.php?_sx_=0ca14680&type="+type;
Code:
$config['admin_url'] = 'https://example.org/my.admin';
$config['root_url'] = 'http://example.org';
$config['ssl_url'] = 'https://example.org';
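As an added example (not code from the post or from CMSMS), the same check as a small script: it takes the three config values above, decides whether the admin console is served over SSL, flags http: URLs in the cached init code that point at the site itself (the mixed-content case reported), and shows the root_url to ssl_url substitution the report implies. The config dict and the cached init text are constructed from the values in the post; the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed: the three $config values from the post, as a dict.
CONFIG = {
    "admin_url": "https://example.org/my.admin",
    "root_url": "http://example.org",
    "ssl_url": "https://example.org",
}

# Constructed sample of cached MicroTiny init code (shortened; the last
# line is a third-party URL that is NOT the site's own and must be ignored).
CACHED_INIT = """
image : 'http://example.org/modules/MicroTiny/images/cmsmslink.gif',
document_base_url : "http://example.org/",
var cmsURL = "http://example.org/modules/MicroTiny/filepicker.php?type="+type;
var other = "http://cdn.example.net/script.js";
"""

URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def admin_is_ssl(config):
    """True when the admin console itself is served over HTTPS."""
    return urlsplit(config["admin_url"]).scheme == "https"


def mixed_content_urls(config, text):
    """Return http: URLs in `text` that point at this site and therefore
    should have been built from ssl_url during an SSL admin session."""
    if not admin_is_ssl(config):
        return []
    site_host = urlsplit(config["root_url"]).hostname
    found = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname == site_host:
            found.append(url)
    return found


def rewrite_to_ssl(config, text):
    """Swap root_url for ssl_url, but only where root_url is a whole prefix
    (followed by / ? # a quote or end), so example.org.evil is untouched."""
    if not admin_is_ssl(config):
        return text
    pattern = re.escape(config["root_url"]) + r'''(?=[/?#'"]|$)'''
    return re.sub(pattern, config["ssl_url"], text)
```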