Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
Security issues around PHPlist.
November 2003
As any open source application, phpList can be thoroughly investigated by anyone who may
want to use it as a method to gain entry into a system they should not be able to get
access to. Even though the most care has been taken by the developers of phpList to avoid
this, there is no warranty that this may not happen.
As such, in the past, phpList has been used for this purpose, and from this we have learned
a few things. This document tries to outline as many efforts that can be taken as currently
known in order to make sure that your system is not compromised.
Some of these issues may not be available to all of you, as it depends on the way you have
hosted your phpList installation. It will not be necessary to use all of them, but using as
many as you can possibly achieve will increase the security of your system.
1. Subscribe to the announcements mailinglist. You can sign up at
This is very important, because any new vulnerability that is found will (hopefully) be reported to
the developers, in which case we will release a fix as soon as we can. We will then use the mailinglist to
tell everyone about this, so it is the primary source of information about new vulnerabilities.
2. Make sure the .htaccess files in the different directories of phpList (particularly "admin",
"commonlib" and others, are active. Some server settings do not allow overriding some of the
Apache directives we have put in there, which means the files are not parsed.
The access files are designed to only allow access to the "index.php" file in the admin
directory and nothing else. Particularly no php file should be accessible. Images and Stylesheets
may still be accessible.
Unfortunately some ISPs do not allow uploading .htaccess files via FTP, so this may not be
3. Add a password to your admin directory. You can use the example "htaccess" file and copy the
contents into the .htaccess file that is in the admin directory.
If you still want to use the "admin" system of your phpList installation, this would mean your
admins have to first enter into the system with a general password and then as a phpList admin.
4. Set "register globals" to be "off" in your php.ini file.
5. Run the website as an apache user who has no other permissions on your server, particularly
no write permissions in any of the documents of your website.
6. Change the admin password as soon as you have installed phpList.
7. Run your phpList installation on a server that has a firewall installed that only allows
the necessary services to be served.