Featured Articles

Crowdfunding on Crowd Supply (Review of my experience)
Hardening Guide for phpList
Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Detecting (Malicious) Unicode in GitHub PRs
WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)
Introducing BusKill: A Kill Cord for your Laptop
WordPress Multisite on the Darknet (Mercator .onion alias)
previous arrow
next arrow

Hardening Guide for phpList

By Michael Altfield, on February 14th, 2020
phpList Hardening Guide Featured Image

This post will outline recommended steps to harden phpList after install to make it reasonably secure.

phpList is the most popular open-source software for managing mailing lists. Like wordpress, they have a phplist.com for paid hosting services and phplist.org for free self-hosting.

Earlier this week, it was announced that phpList had a critical security vulnerability permitting an attacker to bypass authentication and login as an administrator using an incorrect & carefully-crafted password in some cases. This bug is a result of the fact that [a] PHP is a loosely typed language and [b] the phpList team was using the '==' operator to test for equality of the user's hashed password against the DB. This security pitfall has been known in PHP since at least 2010 (a decade ago!), but I'm sure the same mistake will be made again..

Indeed, security is porous. There's no such thing as 100% vulnerability-free code, and phpList is no exception. But if we're careful in adding layers of security to our infrastructure, then we might be able to protect ourselves from certain 0-days.

That said, here's my recommended steps to making your phpList install reasonably secure.

Michael Altfield

Hi, I’m Michael Altfield. I write articles
. . . → Read More: Hardening Guide for phpList

5 comments  

Detect outgoing port blocking with nmap and portquiz.net

By Michael Altfield, on July 3rd, 2018

This post will describe how to detect if your network is blocking outgoing ports. In this test, we'll be using nmap and the fine website portquiz.net

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Detect outgoing port blocking with nmap and portquiz.net

One comment  

Resolved: OpenVPN

By Michael Altfield, on January 25th, 2009

Jesus. It's only the second week of school and I've already pulled my first all-nighter. This time, however, it was not for school. I was determined to get my OpenVPN server properly setup so that I could finally browse the web securely from the dorms. I only expected this to take a few minutes, but I ended up spending over 7 hours of research, troubleshooting, and configuration changes.

This post will contain a slew of information about smoothwall, zerina, openvpn, and iptables. I'm mostly just going to throw all of my findings here without much of any logical flow.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Resolved: OpenVPN

One comment