"phone home" issues and security

The existing version 3 of phplist has a somehow worrying issue. It "phones home" via several methods that can't be disabled via a config option.

The one that worries me most is the rss feed on the dashboard, which is a security risk. In the past, we've seen some serious exploits in the unserialize() function of PHP. Unfortunately, the rss on the phplist dashboard uses exactly that, to load remote memory arrays directly to the PHP interpreter.

This can be exploited by someone first getting access to the remote phplist server, or by using a man-in-the-middle attack (like DNS injection) to send a malicious string to thousands of phplist installations.

Since version 4 is still in development, I propose a few quick solutions to avoid any potential security issues in the future:

• Add a config parameter to disable the rss calls on the dashboard.
• Stop using unserialize(), instead use a proper XML or JSON reply from the phplist server and add some checks and limits on the strings contained within that reply.
• Verify the remote reply via secure keys or similar method, to make sure the reply is being generated by the phplist server.

Please let me know what you think about the issue.

Thank you.

[michield]

ok, sure, I will look into that. The RSS feature is the only "phone home" that currently can't be switched off. Can you point to the exploits that you refer to ? We can continue this in our issue tracker https://mantis.phplist.org/view.php?id=17908

[michield]

Looking into it, unserialize is only used when reading from cache, afaict, line 160. For the rest the RSS is parsed from XML. Does seem like the problem raised is not there.

First of all, thank you for your quick response, much appreciated.

About the "phone home", I see the script doing several remote calls that phone home. For example the fetching of https://www.phplist.com/files/tlds-alpha-by-domain.txt and another example is the version check every x number of days (which can increase but doesn't allow me to disable). Anyway, small issues.

My concern is mostly with the unserialize of the remote rss data. Yes the remote data are stored under the temporary directory and reloaded then unserialized. But it would be safer if you loaded/saved and stored just plain JSON/XML data, instead of PHP arrays. Much safer in my opinion.

[michield]

ah, sure the TLDS list. That's automated once every 6 months and otherwise manual. The version check is mostly for security. I think the danger of keeping old versions out there is bigger than the danger of the string being exploited. The data from RSS is all XML. Nevertheless, I understand your concerns.

[michield]

I'd be grateful if you can point to the exact locations in the code where you think the data should be handled differently. I've gone through it, and can't find a place where your concerns would be justified. That doesn't mean it isn't, just that I can't find it.