phplist

NOTE: Before reporting an issue, make sure you are running the latest version, currently 3.3.1


ID: 0018088
Project: phplist application
Category: Message Management
View Status: public
Date Submitted: 18-04-16 11:54
Last Update: 19-04-16 12:04
Reporter: sdanisch
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform / OS / OS Version: (not specified)
Product Version: 3.2.4
Target Version: (not specified)
Fixed in Version: 3.2.5
Summary: 0018088: Resending Campaign to "all lists" and "all public lists" ignores user permissions
Description: When choosing to resend an already finished campaign, checking either "all lists" or "all public lists" queues the campaign for all (or all public) subscriber lists available system-wide, instead of limiting the user to his/her own lists.

That way, a user can unknowingly send a campaign to lists they have no right to send to.
Steps To Reproduce:
1. Create admin with limited permissions (campaigns/subscribers)
2. Create subscriber list as new user
3. Create and send campaign to new list
4. Under "Campaigns - List Campaigns - Send", view the campaign
5. Under "Send this campaign to another list:" check "all"/"all public"
6. Resend
Tags: No tags attached.
Attached Files: screenshots.zip (110,464 bytes) 18-04-16 13:50
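The access-control gap described above, as an added example that is not part of the report or of phpList's code: the "all"/"all public" shortcuts select lists system-wide without an owner filter, while the hardened variant applies the same owner constraint a non-superuser admin gets elsewhere. The table and column names (`list`, `owner`, `active`) and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data: three subscriber lists owned by two limited admins.
# Column names are assumptions modelled on the report, not phpList's real schema.
SAMPLE_LISTS = [
    # (id, name, owner, active)  -- active = 1 means the list is public
    (1, "Newsletter (owned by admin 2)", 2, 1),
    (2, "Internal (owned by admin 2)", 2, 0),
    (3, "Marketing (owned by admin 3)", 3, 1),
]


def make_db():
    """Build an in-memory database holding the constructed sample lists."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE list (id INTEGER PRIMARY KEY, name TEXT, owner INTEGER, active INTEGER)"
    )
    conn.executemany("INSERT INTO list VALUES (?, ?, ?, ?)", SAMPLE_LISTS)
    return conn


def lists_for_resend_unconstrained(conn, scope):
    """The flawed pattern: the shortcut never asks who the requesting admin is."""
    sql = "SELECT id FROM list"
    if scope == "all_public":
        sql += " WHERE active = 1"
    return sorted(row[0] for row in conn.execute(sql))


def lists_for_resend(conn, admin_id, is_superuser, scope):
    """Hardened: restrict to lists the admin owns unless they are a superuser,
    whichever shortcut ("all" or "all_public") was chosen in the form."""
    clauses, params = [], []
    if scope == "all_public":
        clauses.append("active = 1")
    if not is_superuser:
        clauses.append("owner = ?")
        params.append(admin_id)
    sql = "SELECT id FROM list"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sorted(row[0] for row in conn.execute(sql, params))
```

A limited admin 2 choosing "all" gets lists 1 and 2 from the hardened query, whereas the unconstrained query hands back every list including admin 3's.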

- Relationships

- Notes
(0057618)
gingerling (administrator)
18-04-16 12:38

I agree, this is serious, will test it myself now
(0057620)
gingerling (administrator)
18-04-16 13:33

can't replicate it so far, but discussing it further
(0057621)
sdanisch (reporter)
18-04-16 13:50

Added screenshots to show behavior. if you need any additional information, please let me know.
(0057624)
gingerling (administrator)
18-04-16 14:33

Ok, so I have found it's only lists created since the first campaign was sent - so your how to reproduce is very accurate. If I do resend and the lists are older than the mail, it does not send.
(0057625)
gingerling (administrator)
18-04-16 14:37

Though actually none of the subscribers received the mail on those lists - so maybe it's not so scary. I see you are in test mode, so I don't think you know if the mails were sent or not in your case?
(0057626)
sdanisch (reporter)
18-04-16 15:09

In our case the mail sadly was sent. That was what brought me to investigate in the first place. The screenshots were made afterwards on our test-server, on which the test mode is enabled.

After examining what the editor in question did, the described scenario was the most likely as it yielded the wrong settings.

I'll dig a bit deeper tomorrow and see if I can come up with any more information.
(0057634)
sdanisch (reporter)
19-04-16 06:20

I found the offending pieces of code in admin/message.php. Both queries lack the owner constraints.

A pull request with a suggested fix has been created at

https://github.com/phpList/phplist3/pull/58
(0057635)
gingerling (administrator)
19-04-16 09:02

awesome!
(0057640)
michiel (manager)
19-04-16 12:04

https://github.com/phpList/phplist3/pull/58
