phplist

ID: 0017358
Project: phplist application
Category: Message Send Process
View Status: public
Date Submitted: 05-09-14 16:34
Last Update: 17-05-15 16:47
Reporter: michiel
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform / OS / OS Version: (not specified)
Product Version: 3.0.7
Target Version: 3.1.X
Fixed in Version: 3.0.11
Summary: 0017358: allow remote cron calls with secret
Description
As discussed in 0017316

The problem with having the login/password on the GET URL is that it increases the chance of it leaking. When it has leaked, the attacker will have access to the entire system, which is not good.

I think I will resolve it as follows:

1. set a secret in the config that is used ONLY for the processqueue call.
2. allow calling the processqueue remotely, without login/password and with the secret.

That way, an attacker discovering the secret will only be able to run the queue, but will not have access to the rest of the system. If the queue running is invoked this way, we keep output to a minimum, to avoid leaking additional information to the attacker.
Tags: Configuration and sending
Attached Files: none

Relationships:
related to 0017316 (resolved, michiel): Processing the Queue via PHP-CGI cURL Broken in 3.0.7
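The scheme proposed in the description, as an added example that is not phpList code and not part of the issue: a config secret that authorises only the queue run, a constant-time check that needs no admin login, and a response that gives an unauthenticated caller nothing beyond "it ran" or "forbidden". PROCESSQUEUE_SECRET, remoteQueueCallAuthorised(), handleProcessQueueRequest(), processQueue(), the X-Processqueue-Secret header and the lists.example.org URL are all hypothetical names chosen for the example.

```php
<?php
// Added example, not phpList's own code: a stand-alone sketch of the scheme
// proposed in the issue. A secret in the config authorises ONLY the
// processqueue call, the check needs no admin login, and output stays minimal.
// PROCESSQUEUE_SECRET, remoteQueueCallAuthorised(), handleProcessQueueRequest()
// and processQueue() are hypothetical names, not phpList identifiers.

declare(strict_types=1);

// In the real config this would be a value generated once, for example with
//   define('PROCESSQUEUE_SECRET', bin2hex(random_bytes(32)));
// It is defined inline (constructed value) so the script runs stand-alone.
if (!defined('PROCESSQUEUE_SECRET')) {
    define('PROCESSQUEUE_SECRET', '7d0f5d8ee3c6f0b4a7c1b1d9b9cbd4e1a7e0c0ccd1c1f0e2c3d4a5b6c7d8e9f0');
}

/**
 * True only when a secret is configured, the request carries one, and they
 * match. hash_equals() compares in constant time, so an attacker cannot
 * recover the secret byte by byte from response timing.
 */
function remoteQueueCallAuthorised(string $configured, ?string $presented): bool
{
    // An empty or short secret disables the feature instead of matching "".
    if (strlen($configured) < 32) {
        return false;
    }
    if ($presented === null || $presented === '') {
        return false;
    }
    return hash_equals($configured, $presented);
}

/** Stand-in for the real queue run; returns the number of messages sent. */
function processQueue(): int
{
    return 0;
}

/**
 * Handle one remote processqueue request. The secret is read from an
 * X-Processqueue-Secret header first and the query string second; the
 * header is preferred because query strings end up in web-server access
 * logs, proxy logs and shell history, whereas custom headers normally do not.
 * Returns [HTTP status, response body].
 */
function handleProcessQueueRequest(array $headers, array $query): array
{
    $presented = $headers['X-Processqueue-Secret'] ?? $query['secret'] ?? null;
    if (!is_string($presented)) {
        // e.g. ?secret[]=x arrives as an array; treat anything but a string as absent
        $presented = null;
    }

    if (!remoteQueueCallAuthorised(PROCESSQUEUE_SECRET, $presented)) {
        // One identical response for "not configured", "missing" and "wrong":
        // the caller learns nothing about which case applied.
        return [403, "Forbidden\n"];
    }

    // Authorised: run the queue, but report nothing beyond the fact it ran.
    // No subscriber data, paths or version strings reach an unauthenticated caller.
    processQueue();
    return [200, "OK\n"];
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demonstration with constructed requests.
    [$s1] = handleProcessQueueRequest([], []);                                              // 403
    [$s2] = handleProcessQueueRequest([], ['secret' => 'wrong']);                           // 403
    [$s3] = handleProcessQueueRequest(['X-Processqueue-Secret' => PROCESSQUEUE_SECRET], []); // 200
    echo "no secret: $s1, wrong secret: $s2, correct secret: $s3\n";
} else {
    // Real entry point. A cron job would call (hypothetical URL):
    //   curl -s -H "X-Processqueue-Secret: $SECRET" https://lists.example.org/admin/?page=processqueue
    $headers = ['X-Processqueue-Secret' => $_SERVER['HTTP_X_PROCESSQUEUE_SECRET'] ?? null];
    [$status, $body] = handleProcessQueueRequest($headers, $_GET);
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $body;
}
```

The blast-radius argument in the description only holds if the endpoint guarded by the secret does nothing except run the queue: any extra capability reachable from the same handler is what a leaked secret buys. The query-string form is kept because that is what a cron curl line typically sends, but a secret in a URL still lands in access logs, so the header is the better default when the caller can set one.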

Notes

(0055730) michiel (manager), 24-11-14 22:51

This has been implemented in the new version 3.1.0, which is a development version.

https://sourceforge.net/projects/phplist/files/phplist-development/3.1.0/

It would be great if some people could have a play around with it.
