
View Issue Details

ID: 0002574
Project: phpList 3 application
Category: Admin Management
View Status: public
Last Update: 18-02-05 16:39
Reporter: niclas
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: no change required
Product Version: 2.9.3
Target Version:
Fixed in Version:
Summary: 0002574: Administrator Users (security hole?!)

Description:

Hello,

in the current and some older versions of the phplist newsletter software (www.phplist.com) there are standard users (listadmin, listadmin2, listadmin3) with the password "password".

When you search for "powered by phplist" with google you can log in to some big sites with big newsletters. (Tested with google.de - Germany)

When you are logged in as listadmin you can type in urls like http://www.yourdomain.com/phplist-path/admin/?page=user&start=0&id=1

to see every user's information. Also you can change the users' details!

I think you can do more shit with this listadmin account - but I don't have any time to test it!

Dear Developers, please remove these standard accounts - many users don't look in their database!!!!!!

Additional Information:

One minute ago I downloaded phplist 2.9.3 again to check the SQL file again:

Code:

INSERT INTO phplist_admin VALUES (1,'admin','admin','','2002-05-24 16:06:33',20020524160633,'','phplist','2002-05-24',1,0);
INSERT INTO phplist_admin VALUES (2,'listadmin','listadmin','listadmin@phplist.com','2002-05-31 10:37:15',20020531111727,'listadmin','password','0000-00-00',0,0);
INSERT INTO phplist_admin VALUES (3,'listadmin2','listadmin2','lsitadmin2@phplist.com','2002-05-31 10:40:12',20020531104012,'admin','password','0000-00-00',0,0);
INSERT INTO phplist_admin VALUES (4,'listadmin3','listadmin3','','2002-05-31 11:05:22',20020531110522,'admin','password','0000-00-00',0,0);


HAVE A LOOK:
http://www.phplist.com/forums/viewtopic.php?p=7239#7239
Tags: No tags attached.
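As an added audit example (not part of this bug report and not phpList's own code): a Python script that scans a phplist.sql seed file for the phplist_admin rows quoted above and flags every row seeded with a password that ships in the public file. The column positions (id in field 0, login in field 1, password in field 7, superuser flag in field 9) are an assumption inferred from the quoted rows, and the sample SQL is constructed from them.

```python
"""Audit a phpList SQL seed file for admin rows with seeded default passwords."""
import re
from typing import List, Tuple

# Constructed sample: the four phplist_admin rows quoted in the bug report.
SAMPLE_SQL = """
INSERT INTO phplist_admin VALUES (1,'admin','admin','','2002-05-24 16:06:33',20020524160633,'','phplist','2002-05-24',1,0);
INSERT INTO phplist_admin VALUES (2,'listadmin','listadmin','listadmin@phplist.com','2002-05-31 10:37:15',20020531111727,'listadmin','password','0000-00-00',0,0);
INSERT INTO phplist_admin VALUES (3,'listadmin2','listadmin2','lsitadmin2@phplist.com','2002-05-31 10:40:12',20020531104012,'admin','password','0000-00-00',0,0);
INSERT INTO phplist_admin VALUES (4,'listadmin3','listadmin3','','2002-05-31 11:05:22',20020531110522,'admin','password','0000-00-00',0,0);
"""

# Assumed positions inside the VALUES tuple, inferred from the rows above:
# field 0 = id, 1 = login name, 7 = plaintext password, 9 = superuser flag.
ID_IDX, LOGIN_IDX, PASSWORD_IDX, SUPERUSER_IDX = 0, 1, 7, 9
# Any password that ships in a publicly distributed seed file is a known default.
SEEDED_PASSWORDS = {"password", "phplist"}

_ROW = re.compile(r"INSERT INTO phplist_admin VALUES \((.*)\);", re.IGNORECASE)


def split_values(tuple_body: str) -> List[str]:
    """Split a VALUES body on commas while honouring single-quoted strings."""
    fields, buf, quoted = [], [], False
    for ch in tuple_body:
        if ch == "'":
            quoted = not quoted
        elif ch == "," and not quoted:
            fields.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    fields.append("".join(buf))
    return [f.strip().strip("'") for f in fields]


def find_default_admins(sql_text: str) -> List[Tuple[int, str, bool]]:
    """Return (id, login, is_superuser) for each admin row seeded with a default password."""
    hits = []
    for match in _ROW.finditer(sql_text):
        fields = split_values(match.group(1))
        if fields[PASSWORD_IDX] in SEEDED_PASSWORDS:
            hits.append((int(fields[ID_IDX]), fields[LOGIN_IDX], fields[SUPERUSER_IDX] == "1"))
    return hits


def removal_statements(sql_text: str) -> List[str]:
    """DELETE statements for flagged non-superuser rows. A flagged superuser is kept so the
    installation stays administrable; it needs a password reset rather than removal."""
    return [f"DELETE FROM phplist_admin WHERE id = {row_id};"
            for row_id, _, is_super in find_default_admins(sql_text) if not is_super]
```

Running `find_default_admins(SAMPLE_SQL)` on the quoted rows flags all four accounts, and `removal_statements` produces DELETE statements for the three listadmin rows only.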

Activities

DamienMcKenna

10-02-05 03:51

manager   ~0003450

It would be best to remove the listadmin accounts from the SQL file leaving just the basic admin one.

DamienMcKenna

11-02-05 03:52

manager   ~0003471

Michiel, please remove the SQL INSERT lines 51, 52 and 53 from phplist.sql in CVS, and any other records related to them. Thanks.

Damien

DamienMcKenna

11-02-05 04:04

manager   ~0003472

After checking through the rest of the code I don't see any other references to default listadmins. I think it is fairly safe.

Damien

michiel

18-02-05 16:39

manager   ~0003574

The SQL file is only for initialising the demo, and should not be used for installation. In the demo, it is useful to show multiple admins, but all information is publicly available anyway, so there's no security issue.