This post will outline recommended steps to harden phpList after install to make it reasonably secure.
phpList is the most popular open-source software for managing mailing lists. Like wordpress, they have a phplist.com for paid hosting services and phplist.org for free self-hosting.
Earlier this week, it was announced that phpList had a critical security vulnerability permitting an attacker to bypass authentication and login as an administrator using an incorrect & carefully-crafted password in some cases. This bug is a result of the fact that [a] PHP is a loosely typed language and [b] the phpList team was using the ‘==‘ operator to test for equality of the user’s hashed password against the DB. This security pitfall has been known in PHP since at least 2010 (a decade ago!), but I’m sure the same mistake will be made again..
Indeed, security is porous. There’s no such thing as 100% vulnerability-free code, and phpList is no exception. But if we’re careful in adding layers of security to our infrastructure, then we might be able to protect ourselves from certain 0-days.
That said, here’s my recommended steps to making your phpList install reasonably secure.
About six months ago, I discovered something on my smartphone that horrified me: I went to undelete a file in DiskDigger, and I stumbled upon a plethora of unexpected jpegs: screenshots of my activity. Screenshots that I didn’t take. Screenshots of my conversations. Screenshots of my GPS position. And screenshots of my bitcoin wallet.
I was perplexed. I was astonished. And, to be honest, I was scared. How did this happen? Was it a vulnerability shipped with LineageOS? Could it be some malicious binary embedded into AOSP? Or is it some exploit in one of those damned closed-source apps that I was forced to install through social pressure (*cough* whatsapp)?
Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
In a given week, I touch maybe a half dozen different Operating Systems/Distributions. Some are similar to others (centos, rhel), some–not so much (solaris). The common commands are easy enough to remember ( @ls@ vs @dir@ ), but I always forget how to search through each OS’s package manager for a software package. For my reference (and perhaps yours?) here’s a list for each of the OSs’ package managers I use frequently:
yum – RHEL/CentOS
yum list
apt – Debian/Ubuntu
apt-cache search
pacman – Arch
pacman –sync –search pacman -Ss
portage – Gentoo
emerge –search # pkg names only emerge –searchdesc # pkg names & descriptions emerge -S # alias of –searchdesc
See Also: “Install ‘build-essential’ on RHEL/CentOS and OpenSolaris”:/wp/?p=231
Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
So, xen is really beginning to piss me off. I turned off all my machines to do a snapshot, and when I tried to bring them back up, they were all in the ‘blocked’ state. Upon further investigation (using virt-manager/xm console), I found that they were hung at the “Checking for hardware changes” item in their boot process. This could be a CentOS/RHEL 5 issue, but I’m putting my money on xen.
Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
Hello world! I just updated my whole server environment and, my, things are looking good. Anyway, I had to run through these steps a half dozen times, so I thought I would post it here for myself and (maybe even) others.
Here’s the commands I ran to turn a clone of my base RHEL5 (CentOS 5.2) Xen image into another working virtual machine on my RHEL5 (CentoOS 5.2) Xen Host:
Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
About Michael
tech.michaelaltfield.net/
Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡