Member "phplist-3.5.0/doc/README.security" (14 Jan 2020, 2646 Bytes) of package /linux/www/phplist-3.5.0.tgz:




Security issues around PHPlist.

November 2003

As with any open source application, phpList can be thoroughly inspected by anyone who wants to
use it as a way into a system they should not have access to. Even though the developers of
phpList have taken great care to avoid this, there is no warranty that it will not happen.

phpList has in fact been used for this purpose in the past, and we have learned a few things from
it. This document outlines the measures currently known to us that can be taken to reduce the
risk of your system being compromised.

Some of these measures may not be available to you, depending on how your phpList installation
is hosted. It is not necessary to apply all of them, but applying as many as you can will
increase the security of your system.


1. Subscribe to the announcements mailing list. You can sign up at http://announce.hosted.phplist.com/
This is very important: any new vulnerability that is found will (hopefully) be reported to the
developers, in which case we will release a fix as soon as we can and use the mailing list to tell
everyone about it. The list is therefore the primary source of information about new vulnerabilities.

2. Make sure the .htaccess files in the different directories of phpList (particularly "admin"
and "commonlib") are active. Some server configurations (the Apache "AllowOverride" setting for
the directory) do not allow .htaccess files to override the directives we have put in there, in
which case the files are silently ignored.

The access files are designed to allow access only to the "index.php" file in the admin
directory and nothing else. In particular, no other PHP file should be reachable from the web.
Images and stylesheets may still be accessible. To check that the file is being honoured,
request another PHP file in the admin directory directly in a browser: it should be refused,
not executed.

Unfortunately some ISPs do not allow uploading .htaccess files via FTP, so this may not be
available to you.

3. Add a password to your admin directory. You can use the example "htaccess" file and copy its
contents into the .htaccess file that is in the admin directory.
If you still want to use the "admin" system of your phpList installation, this means your
admins first have to get past the web server password and then log in as a phpList admin.

4. Set "register_globals" to "Off" in your php.ini file. With it on, PHP turns every request
parameter into a global variable, so an attacker can preset variables that a script expects to
initialise itself.

5. Run the web server as a user who has no other permissions on your server, and in particular
no write permission on any of the files of your website.

6. Change the admin password as soon as you have installed phpList.

7. Run your phpList installation on a server with a firewall that only lets through the
services that are actually needed.
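
The following script, added here as an example and not part of phpList itself, turns measures
2 to 5 into checks you can run from a shell on the server. It writes an Apache 2.4 style
.htaccess for the admin directory that serves only index.php and static assets and puts an HTTP
basic-auth password in front of index.php, then checks that the protected directories carry an
.htaccess file, that php.ini sets register_globals to Off, and that the web user cannot write to
the document tree. The directory names come from the text above; the password file location,
the php.ini path and the web user name are assumptions supplied by the caller, and demo() builds
a throwaway sample tree so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not part of phpList: an audit of measures 2 to 5 above.
# Paths, the password file and the web user name are assumptions supplied
# by the caller; the tree built in demo() is constructed so this runs offline.

# Measures 2 and 3: write an .htaccess (Apache 2.4 syntax) that serves only
# index.php and static assets and protects index.php with basic auth. The
# directory needs "AllowOverride AuthConfig" in httpd.conf, otherwise Apache
# silently ignores this file.
write_admin_htaccess() {
    local dir="$1" passwd_file="$2"
    cat > "$dir/.htaccess" <<'EOF'
# Deny every file by default; later sections override this for named files.
<FilesMatch ".">
    Require all denied
</FilesMatch>
# Images and stylesheets may stay reachable.
<FilesMatch "\.(css|js|png|gif|jpg)$">
    Require all granted
</FilesMatch>
# The only PHP entry point, and only after HTTP basic authentication.
# A Require inside <Files> replaces the directory-level Require (default
# AuthMerging Off), so the password requirement must be stated here.
<Files "index.php">
    Require valid-user
</Files>
AuthType Basic
AuthName "phpList admin"
EOF
    # Create the password file with: htpasswd -c "$passwd_file" <username>
    printf 'AuthUserFile %s\n' "$passwd_file" >> "$dir/.htaccess"
}

# Measure 2 check: each named directory under root must carry an .htaccess.
# Prints every missing file; returns 1 when any is missing.
check_htaccess() {
    local root="$1" rc=0 d
    shift
    for d in "$@"; do
        if [ ! -f "$root/$d/.htaccess" ]; then
            echo "missing: $root/$d/.htaccess"
            rc=1
        fi
    done
    return "$rc"
}

# Measure 4 check: register_globals must be explicitly Off in php.ini.
# Skips ';' comment lines, strips trailing comments and quotes, and takes the
# last setting. Returns 0 only for Off/0/false; an absent setting is a finding.
check_register_globals() {
    local value
    value=$(sed -n 's/^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | sed 's/;.*$//' | tr -d '[:space:]"' | tr '[:upper:]' '[:lower:]')
    case "$value" in
        off|0|false) return 0 ;;
        *) echo "register_globals is '${value:-unset}', expected Off"; return 1 ;;
    esac
}

# Measure 5 check: the web server user must not be able to write the document
# tree. Lists files owned by that user with the owner write bit set, plus
# world-writable files (mode bits only, no write is attempted). Returns 1 on
# any hit, 2 if the user does not exist.
check_writable() {
    local root="$1" user="$2" hits
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user"; return 2; }
    hits=$(find "$root" -type f \( -user "$user" -perm -u=w -o -perm -o=w \))
    if [ -n "$hits" ]; then
        printf 'writable by %s or everyone:\n%s\n' "$user" "$hits"
        return 1
    fi
    return 0
}

# Constructed sample tree: commonlib lacks its .htaccess, register_globals is
# On, and the "web user" is whoever runs the script, who owns and can write
# every file, which is exactly what measure 5 warns against.
demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/admin" "$root/commonlib"
    echo '<?php echo "admin";' > "$root/admin/index.php"
    printf 'register_globals = On\n' > "$root/php.ini"
    write_admin_htaccess "$root/admin" /etc/phplist/.htpasswd   # assumed path
    check_htaccess "$root" admin commonlib
    check_register_globals "$root/php.ini"
    check_writable "$root" "$(id -un)"
    rm -rf "$root"
}
demo
```

Two things worth knowing when adapting it: the .htaccess uses Apache 2.4 authorization syntax, which did not exist when this document was written, and granting index.php with "Require all granted" instead of "Require valid-user" would quietly switch the password off because the inner Require replaces the outer one. check_writable only reads mode bits, so run it on the real document root with the real web user name, not on a copy made as yourself.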