Hardening Guide for phpList

phpList Hardening Guide Featured Image

This post will outline recommended steps to harden phpList after install to make it reasonably secure.

phpList is the most popular open-source software for managing mailing lists. Like wordpress, they have a phplist.com for paid hosting services and phplist.org for free self-hosting.

Earlier this week, it was announced that phpList had a critical security vulnerability permitting an attacker to bypass authentication and login as an administrator using an incorrect & carefully-crafted password in some cases. This bug is a result of the fact that [a] PHP is a loosely typed language and [b] the phpList team was using the '==' operator to test for equality of the user's hashed password against the DB. This security pitfall has been known in PHP since at least 2010 (a decade ago!), but I'm sure the same mistake will be made again..

Indeed, security is porous. There's no such thing as 100% vulnerability-free code, and phpList is no exception. But if we're careful in adding layers of security to our infrastructure, then we might be able to protect ourselves from certain 0-days.

That said, here's my recommended steps to making your phpList install reasonably secure.


. . . → Read More: Hardening Guide for phpList

Install "build-essential" on RHEL/CentOS and OpenSolaris

Debian

If you want to be able to compile packages in debain/ubunutu, you can issue the following command:

apt-get install build-essential

 

Red Hat

If you want to be able to compile packages in red hat/centos, you can issue the following command:

yum install make gcc gcc-c++ kernel-devel

...or, if you don't care about maintaining a small footprint, you can get *all* of the development packages (including X devs--eww):

yum groupinstall "Development Tools"

 

Open Solaris

If you want to be able to compile packages in open solaris, you can issue the following command:

pkg install SUNWgcc

Clone Xen RHEL5 (CentOS 5.2) VM

Hello world! I just updated my whole server environment and, my, things are looking good. Anyway, I had to run through these steps a half dozen times, so I thought I would post it here for myself and (maybe even) others.

Here's the commands I ran to turn a clone of my base RHEL5 (CentOS 5.2) Xen image into another working virtual machine on my RHEL5 (CentoOS 5.2) Xen Host: