View Issue Details

ID: 0017358
Project: phplist application
Category: Message Send Process
View Status: public
Last Update: 17-05-15 16:47
Reporter: michiel
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 3.0.7
Target Version: 3.1.X
Fixed in Version: 3.0.11
Summary: 0017358: allow remote cron calls with secret
Description
As discussed in 0017316

The problem with having the login/password on the GET URL is that it increases the chance of it leaking. When it has leaked, the attacker will have access to the entire system, which is not good.

I think I will resolve it as follows:

1. set a secret in the config that is used ONLY for the processqueue call.
2. allow calling the processqueue remotely, without login/password and with the secret.

That way, an attacker discovering the secret will only be able to run the queue, but will not have access to the rest of the system. If the queue running is invoked this way, we keep output to a minimum, to avoid leaking additional information to the attacker.
Tags: Configuration and sending
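The two-step design in the description (a dedicated secret, and a processqueue entry point that accepts only that secret) can be illustrated with a small stand-alone PHP script. This is an added example, not phplist's own code; the constant name REMOTE_QUEUE_SECRET, the run_queue() function and the `secret` query parameter are assumptions chosen for the illustration, and the secret value shown is a constructed placeholder.

```php
<?php
// Added example (not phplist code): a minimal remote "run the queue" entry
// point following the design in the issue. One secret, valid only for
// processqueue; no login session is granted; output is kept to a minimum.
//
// Assumptions (hypothetical names, not phplist's): the secret lives in the
// config constant REMOTE_QUEUE_SECRET and the queue runner is run_queue().

declare(strict_types=1);

// Constructed placeholder value. In a deployment generate a long random
// value, e.g. with bin2hex(random_bytes(32)), and store it only in config.
const REMOTE_QUEUE_SECRET = 'replace-with-a-long-random-value';

/**
 * Decide whether a request may run the queue.
 * Returns true only when a usable secret is configured and the supplied
 * value matches it. hash_equals() compares in constant time so the check
 * does not leak how many leading characters were correct.
 */
function remoteQueueAuthorised(array $params): bool
{
    // An empty or very short secret disables remote processing outright,
    // rather than silently accepting a weak configuration.
    if (REMOTE_QUEUE_SECRET === '' || strlen(REMOTE_QUEUE_SECRET) < 32) {
        return false;
    }
    $supplied = $params['secret'] ?? '';
    // Query values may arrive as arrays (secret[]=x); only a string is valid.
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals(REMOTE_QUEUE_SECRET, $supplied);
}

/**
 * Hypothetical stand-in for the real queue processor.
 * Returns the number of messages handled.
 */
function run_queue(): int
{
    // ... process pending messages here ...
    return 0;
}

// Entry point. The only thing the secret buys is this single action:
// no session is created and no admin identity is assumed, so a leaked
// secret cannot be used to reach the rest of the application.
header('Content-Type: text/plain');
if (!remoteQueueAuthorised($_GET)) {
    http_response_code(403);
    // Identical terse response whether the secret is missing, malformed or
    // wrong, so the caller learns nothing about the configuration.
    echo "Forbidden\n";
    exit;
}
run_queue();
// Minimal output: acknowledge the run, but do not report message counts,
// recipient details or error text to an unauthenticated remote caller.
echo "OK\n";
```

Note that a secret passed on the GET URL still lands in web-server and proxy logs, exactly the leak path the description worries about; the design limits what a leaked value is worth rather than preventing the leak, so the secret should be treated as rotatable and rotated if those logs are exposed.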

Relationships

related to 0017316 (resolved, michiel): Processing the Queue via PHP-CGI cURL Broken in 3.0.7

Activities

michiel (manager), 24-11-14 22:51, ~0055730

This has been implemented in the new version 3.1.0, which is a development version.

https://sourceforge.net/projects/phplist/files/phplist-development/3.1.0/

Would be great if some people can have a play around with it.