View Issue Details
ID: 0010998
Project: phpList 3 application
Category: Installation
View Status: public
Date Submitted: 10-08-07 02:07
Last Update: 06-07-10 00:47
Target Version:
Fixed in Version:
Summary: 0010998: Enhance security
Description: Placing the config dir -and if possible the whole admin dir- beneath the root dir would substantially enhance security. This is relevant because a number of users mentioned having deleted the .htaccess files that protect these key directories and/or changing permissions, leaving them completely exposed. While most users do not make this kind of error and know how to protect key directories, it seems a good idea to reduce risks for inexperienced users.
Additionally it might be a good idea to extend the possibility of encrypting passwords (now only for list users) to admins.
Additional Information: Related to:
See also these forum threads/posts:
Tags: No tags attached.
Relationships (this issue is parent of):
- 0012822 (resolved): Database stores passwords in plain text
- 0011841 (resolved): Use of MD5
- 0005434 (closed): PHPSuExec compatibility and htaccess
- 0009937 (resolved, michiel): Internal Server Error (.htaccess file problems with Apache configurations)
- 0001821 (resolved, michiel): If you change the admin directory, pages stop working
- 0015405 (closed): Security issue with Version Number and Possible Probe
- 0015342 (new): Password field does not have autocomplete explicitly set
- 0015343 (closed): Directory Listing - application can prevent
- 0015029 (resolved, michiel): Identical Cookies allow login to multiple installations
- 0000103 (new, michiel): non-superuser admins view all events
- 0015547 (resolved, michiel): Setting secure cookies to true with phpList in subdomain causes session problem.
Not all the children of this issue are yet resolved or closed.
A related feature request:
==== START QUOTE ====
Option to Easily Park Non-view Scripts Outside Public Root
Ideally non-view scripts (config's, batch, or processing) should reside outside the public root in case PHP fails to parse them and they're exposed or executed out of context.
SMF has a config option which indicates where the sources are located. It can be changed to match a non-standard location such as one outside the web root (before public_html, inetpub, etc.).
As it is one must alter the Phplist source to safely relocate such code.
==== END QUOTE ====
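The following is an added example, not code from phpList, the reporter, or the quoted feature request. It sketches what the two asks above look like in PHP (phpList's own language): a bootstrap that loads config.php from a directory outside the document root, with a realpath check so a mistaken setting cannot point the private directory back inside the served tree, and admin password storage that replaces plain text or unsalted MD5 (the two child issues listed above) with password_hash. The environment variable PHPLIST_CONFIG_DIR, the default directory name phplist-private, the config key admin_password_hash and the legacy formats handled by the verifier are assumptions for the example, not phpList's actual names or storage formats. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not phpList code. Names (PHPLIST_CONFIG_DIR, phplist-private,
// admin_password_hash) and the legacy password formats are assumptions.

/**
 * Resolve the private config directory. Default: a sibling of the document
 * root (e.g. /var/www/phplist-private next to /var/www/html). A directory
 * outside the DocumentRoot is never served, so no .htaccess is needed; the
 * realpath check rejects an override that points back inside the web tree.
 */
function resolveConfigDir(string $docRoot, ?string $override = null): string
{
    $candidate = $override ?? dirname($docRoot) . DIRECTORY_SEPARATOR . 'phplist-private';
    $dir  = realpath($candidate);
    $root = realpath($docRoot);
    if ($dir === false || $root === false) {
        throw new RuntimeException("config directory not found: $candidate");
    }
    if ($dir === $root || str_starts_with($dir, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("refusing config directory inside document root: $dir");
    }
    return $dir;
}

/** Load config.php from the private directory; the file is expected to `return [...]`. */
function loadConfig(string $docRoot, ?string $override = null): array
{
    $file = resolveConfigDir($docRoot, $override) . DIRECTORY_SEPARATOR . 'config.php';
    if (!is_readable($file)) {
        throw new RuntimeException("config file not readable: $file");
    }
    $config = require $file;
    if (!is_array($config)) {
        throw new RuntimeException("config file must return an array: $file");
    }
    return $config;
}

/** Hash a new or changed admin password (bcrypt by default, per-password salt included). */
function hashAdminPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

/**
 * Verify a login attempt. Assumed legacy stored formats: an unsalted
 * 32-hex-char MD5, or the plain-text password itself. A legacy match is
 * accepted once and a fresh hash is returned so the caller can re-store it.
 * Returns [accepted, newHashToStoreOrNull].
 */
function verifyAdminPassword(string $plain, string $stored): array
{
    if (password_verify($plain, $stored)) {
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT) ? hashAdminPassword($plain) : null;
        return [true, $new];
    }
    $legacyMd5   = preg_match('/^[0-9a-f]{32}$/', $stored) === 1 && hash_equals($stored, md5($plain));
    $legacyPlain = hash_equals($stored, $plain);
    if ($legacyMd5 || $legacyPlain) {
        return [true, hashAdminPassword($plain)];
    }
    return [false, null];
}

// Usage (constructed values; the stored hash would come from the admin table).
$config = loadConfig($_SERVER['DOCUMENT_ROOT'], getenv('PHPLIST_CONFIG_DIR') ?: null);
[$ok, $upgraded] = verifyAdminPassword($_POST['password'] ?? '', $config['admin_password_hash']);
if ($ok && $upgraded !== null) {
    // Persist $upgraded in place of the old value, e.g. UPDATE admin SET password = ? WHERE id = ?
}
```

The realpath check is the part that matters for the failure mode the reporter describes: it removes the dependency on .htaccess entirely, and it refuses the mirror-image mistake of pointing the "private" directory at something under htdocs. The MD5 and plain-text fallbacks exist only to migrate existing rows; once every stored value has been rehashed they should be deleted, otherwise an attacker who can write a 32-hex-char value into the table regains an unsalted, fast-to-crack target.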