
"phone home" issues and security #10

@ghost

Description

The existing version 3 of phplist has a somewhat worrying issue. It "phones home" via several methods that can't be disabled via a config option.

The one that worries me most is the RSS feed on the dashboard, which is a security risk. In the past, we've seen some serious exploits in the unserialize() function of PHP. Unfortunately, the RSS feed on the phplist dashboard uses exactly that to load remote memory arrays directly into the PHP interpreter.

This can be exploited by someone first getting access to the remote phplist server, or by using a man-in-the-middle attack (like DNS injection) to send a malicious string to thousands of phplist installations.

Since version 4 is still in development, I propose a few quick solutions to avoid any potential security issues in the future:

  • Add a config parameter to disable the RSS calls on the dashboard.
  • Stop using unserialize(); instead, use a proper XML or JSON reply from the phplist server and add some checks and limits on the strings contained within that reply.
  • Verify the remote reply via secure keys or a similar method, to make sure the reply is being generated by the phplist server.

Please let me know what you think about the issue.

Thank you.
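As an added illustration of the second and third proposals above (this is example code written for this page, not phpList's own code and not the reporter's), the sketch below replaces an unserialize()-based feed loader with one that verifies a detached Ed25519 signature over the raw reply before decoding it as JSON, then enforces key, type, count and length limits on every field. The class name `FeedVerifier`, the limit constants and the use of the libsodium extension are assumptions; the feed body and signature are constructed inline with a throwaway key pair so the script runs offline. The first proposal (a config switch) would be a one-line guard in the caller and is not repeated here.

```php
<?php
declare(strict_types=1);

// Assumed limits (not phpList values): cap what a remote reply may contain.
const FEED_MAX_BODY_BYTES = 65536;
const FEED_MAX_ITEMS      = 20;
const FEED_MAX_TITLE_LEN  = 200;
const FEED_MAX_LINK_LEN   = 2048;

final class FeedVerifier
{
    private string $publicKey;

    // $publicKeyHex: hex-encoded Ed25519 public key shipped with the install,
    // so only the holder of the matching secret key can produce a valid feed.
    public function __construct(string $publicKeyHex)
    {
        $this->publicKey = sodium_hex2bin($publicKeyHex);
        if (strlen($this->publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
            throw new InvalidArgumentException('bad public key length');
        }
    }

    // Returns a validated list of ['title' => ..., 'link' => ...] entries or throws.
    // Never calls unserialize(): the body is treated as opaque bytes until verified.
    public function parse(string $body, string $signatureB64): array
    {
        if (strlen($body) > FEED_MAX_BODY_BYTES) {
            throw new RuntimeException('feed body too large');
        }
        $sig = base64_decode($signatureB64, true);
        if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
            throw new RuntimeException('malformed signature');
        }
        // Verify first: a reply that was tampered with in transit (or served by a
        // compromised host) is rejected before any parser touches it.
        if (!sodium_crypto_sign_verify_detached($sig, $body, $this->publicKey)) {
            throw new RuntimeException('signature verification failed');
        }
        // JSON, associative arrays only, shallow depth: no object instantiation and
        // therefore no magic-method side effects, unlike unserialize().
        $data = json_decode($body, true, 4, JSON_THROW_ON_ERROR);
        if (!is_array($data) || !isset($data['items']) || !is_array($data['items'])) {
            throw new RuntimeException('unexpected feed shape');
        }
        $items = [];
        foreach (array_slice($data['items'], 0, FEED_MAX_ITEMS) as $item) {
            $items[] = self::validateItem($item);
        }
        return $items;
    }

    private static function validateItem($item): array
    {
        if (!is_array($item)) {
            throw new RuntimeException('feed item is not an object');
        }
        $title = $item['title'] ?? null;
        $link  = $item['link'] ?? null;
        if (!is_string($title) || !is_string($link)) {
            throw new RuntimeException('feed item fields must be strings');
        }
        if (strlen($title) > FEED_MAX_TITLE_LEN || strlen($link) > FEED_MAX_LINK_LEN) {
            throw new RuntimeException('feed item field too long');
        }
        // Only http(s) links may reach the dashboard; other schemes are dropped.
        $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            throw new RuntimeException('feed link scheme not allowed');
        }
        // Escape at the boundary so the dashboard can echo these values safely.
        return [
            'title' => htmlspecialchars($title, ENT_QUOTES, 'UTF-8'),
            'link'  => htmlspecialchars($link, ENT_QUOTES, 'UTF-8'),
        ];
    }
}

// --- Constructed demo: sign a feed with a throwaway key pair, then verify it. ---
$keypair = sodium_crypto_sign_keypair();
$secret  = sodium_crypto_sign_secretkey($keypair);
$pubHex  = sodium_bin2hex(sodium_crypto_sign_publickey($keypair));

$body   = json_encode(['items' => [
    ['title' => 'Constructed sample item', 'link' => 'https://example.invalid/news'],
]], JSON_THROW_ON_ERROR);
$sigB64 = base64_encode(sodium_crypto_sign_detached($body, $secret));

$verifier = new FeedVerifier($pubHex);
print_r($verifier->parse($body, $sigB64));

// A body altered by a single byte fails verification and is never decoded.
try {
    $verifier->parse($body . ' ', $sigB64);
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The order of operations is the point: size check, signature check, strict decode, then per-field limits. Pinning the server's public key in the installation (rather than trusting whatever the network returns) is what defeats the DNS-injection scenario described in the report, and a caller-side config flag can skip the fetch entirely for installs that do not want the dashboard to contact the vendor at all.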
