 

phplist : Security Announcement

 
Date: April 11th 2006

A new security issue has been discovered in phplist.

Not all installations are vulnerable. You are vulnerable if both of the following hold:

- you have "register_globals" ON in your PHP settings, and
- you use a PHP 4 version older than 4.4.1, or a PHP 5 version older than 5.1.0

If you are vulnerable, you can fix the issue by upgrading your PHP version. If that is not possible, you can also prevent abuse by making the following changes to your config file:

change the line (near the top of the config file)
$language_module = "english.inc";
to
$GLOBALS['language_module'] = "english.inc";

and the line (near the end of the config file)
$database_module = "mysql.inc";
to
$GLOBALS['database_module'] = "mysql.inc";
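To check a host against the criteria above, here is an added shell script (not from phplist or this announcement) that encodes them as a test; it assumes the php command-line binary is on PATH and loads the same php.ini as the web server.

```shell
#!/bin/sh
# Added example, not from the phplist announcement: encodes the advisory's
# criteria as a host check. An install is considered vulnerable when
# register_globals is ON and PHP is 4.x below 4.4.1 or 5.x below 5.1.0.

# version_lt A B: succeed (0) when dotted version A is lower than B.
# A trailing suffix such as "-pl1" or "RC1" is ignored; missing parts count as 0.
version_lt() {
    v1=$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0
    v2=$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$v1" | cut -d. -f"$i")
        y=$(printf '%s' "$v2" | cut -d. -f"$i")
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal versions are not "lower"
}

# phplist_vulnerable PHP_VERSION REGISTER_GLOBALS: succeed when both criteria match.
phplist_vulnerable() {
    case $(printf '%s' "$2" | tr 'A-Z' 'a-z') in
        1|on|yes|true) ;;      # register_globals enabled: go on to the version test
        *) return 1 ;;         # off: the advisory's condition is not met
    esac
    case "$1" in
        4.*) version_lt "$1" 4.4.1 ;;
        5.*) version_lt "$1" 5.1.0 ;;
        *)   return 1 ;;       # other major versions are outside the advisory
    esac
}

# On the host, read the live values from the PHP CLI. This assumes the CLI
# loads the same php.ini as the web SAPI; if unsure, compare with phpinfo().
if command -v php >/dev/null 2>&1; then
    live_ver=$(php -r 'echo PHP_VERSION;')
    live_rg=$(php -r 'echo ini_get("register_globals") ? "on" : "off";')
    if phplist_vulnerable "$live_ver" "$live_rg"; then
        echo "VULNERABLE: PHP $live_ver with register_globals=$live_rg; upgrade PHP or apply the config change"
    else
        echo "not affected: PHP $live_ver, register_globals=$live_rg"
    fi
fi
```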


You can read more about it here:
www.securityfocus.com/bid/17429

where there is also a script that you can use to test if you are vulnerable.

The vulnerability stems from a known bug in PHP, which has been fixed in the PHP versions mentioned above. You can read more on that bug here:
www.hardened-php.net/globals-problem

Please be aware that this script is now also available to other people who might want to use it for illegal purposes. This issue has been reported to us and to the security community in a very irresponsible way, which has not given us sufficient time to respond and inform the phplist users. The "test script" is now out in the wild, and may soon be found in worms and other probing scripts that scan the internet for vulnerable websites.


Date: November 5th 2003

Recently two vulnerabilities have been found in older versions of PHPlist. Everyone is urgently advised to upgrade to the latest release.

Affected Versions: any version before 2.6.4

The first vulnerability allows anyone to access the details of your users. This is a breach of privacy and can also be exploited by senders of unsolicited email.

The second vulnerability allows remote attackers to execute arbitrary commands on the server PHPlist is hosted on. This is a major security breach and should be avoided at all cost. This vulnerability can be avoided by adding the following content to a file called ".htaccess" in the admin directory of PHPlist.

# Deny direct web access to all PHP and include files in the admin directory
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use
#  "Require all denied" / "Require all granted" instead)
<FilesMatch "\.(php|inc)$">
Order allow,deny
deny from all
</FilesMatch>
# ... except index.php, which stays reachable
<FilesMatch "index\.php$">
Order allow,deny
allow from all
</FilesMatch>
