
ID: 0017356
Project: phplist application
Category: Bounce Management
View Status: public
Date Submitted: 05-09-14 15:43
Last Update: 20-10-14 11:22
OS: Debian Wheezy
OS Version: 7.5
Product Version: 3.0.7
Target Version: 3.0.9
Fixed in Version: 3.0.9
Summary: 0017356: View bounces per list: normal admin can see bounces from other lists
Description: With phpList versions 3.0.6 and 3.0.7, any normal (non-superuser) administrator can see the bouncing addresses of other administrators' lists via "View bounces per list". This can reveal addresses in other lists the admin shouldn't have access to: even if they are bouncing, names, domains or trivially fixable parts of addresses may give away lots of information. This is a very big privacy issue IMHO.
Steps To Reproduce: Log in as a normal administrator and click on "View bounces per list" under the "Subscribers" menu. All lists having bounces are shown, even those of other admins, which is a privacy issue by itself. Then click on a list: bouncing addresses are directly available.
Tags: No tags attached.
Attached Files: listbounces.php.diff (2,115 bytes) 08-09-14 12:07


Notes
michiel (manager)
05-09-14 21:33

Hmm, if you need that much security, you'd be better off splitting it into different systems. The inter-admin security is not one of my main concerns. There should be a certain element of trust between them. It's mostly about workflow and segmentation, not security.

Also, bounced addresses are supposedly incorrect anyway, so that's not such a big deal. Targeting it for future research and review.
ivilata (reporter)
08-09-14 09:58

That's really bad news for us. I saw no mention of the security vs workflow issue in phpList's web pages, so that led me to assume the different admins were independent, but even if we leave that aside and we stick to workflow, I see no point in cluttering one admin's views of lists and bounces with information from other admins' lists, so avoiding them would make it more clear and less confusing.
ivilata (reporter)
08-09-14 12:10

I attached an emergency patch to listbounces.php (somehow based on members.php) that checks access before showing the bouncing addresses of a single list when a list ID is specified, and otherwise only shows the lists the logged-in admin is owner of (superusers can see all lists).
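An added illustration of the two checks this note describes, written for PHP 7.4 or later. It is not phpList's own code nor the attached patch; the data layout, function names and sample lists are constructed for the example.

```php
<?php
// Added illustration, not phpList's own code: ownership checks for a
// "view bounces per list" page as the attached patch describes them.
// Data layout, function names and the sample data are all constructed.
// Constructed sample lists, each with the id of its owning admin.
$lists = [
    ['id' => 1, 'name' => 'Newsletter A', 'owner' => 2],
    ['id' => 2, 'name' => 'Newsletter B', 'owner' => 3],
    ['id' => 3, 'name' => 'Alerts',       'owner' => 2],
];

// Overview case: a superuser sees every list, a normal admin only its own.
function visibleLists(array $admin, array $lists): array
{
    if (!empty($admin['superuser'])) {
        return $lists;
    }
    return array_values(array_filter(
        $lists, fn(array $l) => $l['owner'] === $admin['id']
    ));
}

// Single-list case: the id comes from the request, so ownership must be
// checked rather than assumed. Unknown ids are denied as well.
function canViewListBounces(array $admin, array $lists, int $listId): bool
{
    foreach ($lists as $l) {
        if ($l['id'] === $listId) {
            return !empty($admin['superuser']) || $l['owner'] === $admin['id'];
        }
    }
    return false; // deny by default
}

// Minimal request handling, standing in for what a page does with $_GET['id'].
function handleRequest(array $admin, array $lists, ?string $rawId): array
{
    if ($rawId === null) {
        return ['lists' => visibleLists($admin, $lists)];
    }
    $listId = (int) $rawId; // normalise the untrusted parameter before use
    if (!canViewListBounces($admin, $lists, $listId)) {
        return ['error' => 'not allowed'];
    }
    return ['bounces_for' => $listId];
}

$normal = ['id' => 2, 'superuser' => false];
$super  = ['id' => 1, 'superuser' => true];
var_dump(count(visibleLists($normal, $lists)));
var_dump(handleRequest($normal, $lists, '2'));
var_dump(handleRequest($super, $lists, '2'));
```

The normal admin is shown only the two lists it owns and is refused list 2, while the superuser is granted it; the same deny-by-default path also covers ids that match no list at all.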
michiel (manager)
08-09-14 20:21

Ah, sure, I agree that for workflow you do not want to clutter the interface with unnecessary information.

Thanks for the patch. Any chance to make it a github pull request? That really helps with applying it. If not, I can try to find some time to apply the patch.
michiel (manager)
08-09-14 20:24

Forget the last request. I applied the patch, and it works fine. I'll run some tests, to see if it does as it says and then commit it.
ivilata (reporter)
09-09-14 09:14

Nice, thanks a lot!
michiel (manager)
09-09-14 17:49

Also applied it to the dropdown selection of lists.
ivilata (reporter)
20-10-14 11:22

Checked to work in 3.0.9, thanks!
