
Description
The existing version 3 of phplist has a somewhat worrying issue. It "phones home" via several methods that can't be disabled via a config option.
The one that worries me most is the RSS feed on the dashboard, which is a security risk. In the past, we've seen some serious exploits in the unserialize() function of PHP. Unfortunately, the RSS on the phplist dashboard uses exactly that to load remote memory arrays directly into the PHP interpreter.
This can be exploited by someone first getting access to the remote phplist server, or by using a man-in-the-middle attack (like DNS injection) to send a malicious string to thousands of phplist installations.
Since version 4 is still in development, I propose a few quick solutions to avoid any potential security issues in the future:
- Add a config parameter to disable the RSS calls on the dashboard.
- Stop using unserialize(); instead use a proper XML or JSON reply from the phplist server and add some checks and limits on the strings contained within that reply.
- Verify the remote reply via secure keys or similar method, to make sure the reply is being generated by the phplist server.
Please let me know what you think about the issue.
Thank you.
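The second and third proposals above (JSON with checks and limits, plus a verified reply), shown as an added PHP example that is not phplist code; it assumes a hypothetical feed shape `{"items":[{"title":..., "link":...}]}` and uses an Ed25519 keypair constructed in the demo in place of a real publisher key.

```php
<?php
declare(strict_types=1);

// The pattern the issue warns about: remote bytes fed straight to unserialize(),
// so whoever controls the reply (server compromise or MITM) controls the object graph.
function loadFeedUnsafe(string $body): mixed
{
    return unserialize($body); // never do this with untrusted input
}

// Hardened replacement: bound the size, check a detached Ed25519 signature over the
// raw body with the publisher's public key (shipped with the app; a constructed key
// below), then parse as plain JSON and whitelist/limit every field before display.
function loadFeedSafe(string $body, string $signatureB64, string $publicKey): array
{
    if (strlen($body) > 65536) {
        throw new RuntimeException('feed too large');
    }
    $sig = base64_decode($signatureB64, true);
    if ($sig === false || !sodium_crypto_sign_verify_detached($sig, $body, $publicKey)) {
        throw new RuntimeException('feed signature invalid');
    }
    // Decode to arrays only (never objects), with a small nesting limit.
    $data = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['items']) || !is_array($data['items'])) {
        throw new RuntimeException('feed schema mismatch');
    }
    $items = [];
    foreach (array_slice($data['items'], 0, 20) as $item) {  // cap the item count
        $title = $item['title'] ?? null;
        $link  = $item['link'] ?? null;
        if (!is_array($item) || !is_string($title) || !is_string($link)) {
            continue;
        }
        // Only https links, and HTML-escape everything that reaches the dashboard.
        if (!filter_var($link, FILTER_VALIDATE_URL) || !str_starts_with($link, 'https://')) {
            continue;
        }
        $items[] = [
            'title' => htmlspecialchars(mb_substr($title, 0, 200), ENT_QUOTES, 'UTF-8'),
            'link'  => htmlspecialchars($link, ENT_QUOTES, 'UTF-8'),
        ];
    }
    return $items;
}

// Demo with a constructed keypair and feed; in production only the public key ships.
$kp   = sodium_crypto_sign_keypair();
$body = json_encode(['items' => [['title' => 'phplist news', 'link' => 'https://example.invalid/news']]]);
$sig  = base64_encode(sodium_crypto_sign_detached($body, sodium_crypto_sign_secretkey($kp)));
var_dump(loadFeedSafe($body, $sig, sodium_crypto_sign_publickey($kp)));
```

Tampering with a single byte of `$body` after signing makes loadFeedSafe() throw before json_decode() ever runs, which is the property the third proposal asks for.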