View Issue Details

IDProjectCategoryView StatusLast Update
0010998phpList 3 applicationInstallationpublic06-07-10 00:47
Reporterh2b2 
PrioritynormalSeverityfeatureReproducibilityalways
Status newResolutionopen 
Product Version2.10.4 
Target VersionFixed in Version 
Summary0010998: Enhance security
DescriptionPlacing the config dir -and if possible the whole admin dir- beneath the root dir would substantially enhance security. This is relevant because a number of users mentioned having deleted the .htaccess files that protect these key directories and/or changing permissions, leaving them completely exposed. While most users do not make this kind of error and know how to protect key directories, it seems a a good idea to reduce risks for unexperienced users.

Additionally it might be a good idea to extend the possibility of encrypting passwords (now only for list list users) to admins.
Ref: http://forums.phplist.com/viewtopic.php?t=11232
Additional InformationRelated to:
http://mantis.phplist.com/view.php?id=5434
http://mantis.phplist.com/view.php?id=9937

See also these forum threads/posts:
http://forums.phplist.com/viewtopic.php?t=11232
http://forums.phplist.com/viewtopic.php?p=29783#29783
http://forums.phplist.com/viewtopic.php?p=33930#33930
http://forums.phplist.com/viewtopic.php?p=32859#32859



TagsNo tags attached.

Relationships

parent of 0012822 resolveduser4377 Database stores passwords in plain text 
parent of 0011841 resolveduser1822 Use of MD5 
parent of 0005434 closed PHPSuExec compatability and htaccess 
parent of 0009937 resolvedmichiel Internal Server Error (.htaccess file problems with Apache configurations) 
parent of 0001821 resolvedmichiel If you change the admin directory, pages stop working 
parent of 0015405 closed Security issue with Version Number and Possible Probe 
parent of 0015342 new Password field does not have autocomplete explicitly set 
parent of 0015343 closed Directory Listing - application can prevent 
parent of 0015029 resolvedmichiel Identical Cookies allow login to multiple installations 
parent of 0000103 newmichiel non-superuser admins view all events 
parent of 0015547 resolvedmichiel Setting secure cookies to true with phpList in subdomain causes session problem. 
Not all the children of this issue are yet resolved or closed.

Activities

h2b2

09-04-09 07:59

manager   ~0050619

A related feature request:

==== START QUOTE ====

Option to Easily Park Non-view Scripts Outside Public Root

Ideally non-view scripts (config's, batch, or processing) should reside outside the public root in case PHP fails to parse them and they're exposed or executed out of context.

SMF has a config option which indicates where the sources are located. It can be changed to match a non-standard location such as one outside the web root (before public_html, inetpub, etc.).

As it is one must alter the Phplist source to safely relocate such code.

==== END QUOTE ====
ref: http://forums.phplist.com/viewtopic.php?p=61467#p61467