View Issue Details

ID: 0002574
Project: phpList 3 application
Category: Admin Management
View Status: public
Last Update: 18-02-05 16:39
Reporter: niclas
Assigned To: 
Status: resolved
Resolution: no change required
Product Version: 2.9.3
Summary: 0002574: Administrator Users (security hole?!)

In the current and some older versions of the phpList newsletter software there are standard users (listadmin, listadmin2, listadmin3) with the password "password".

When you search for "powered by phplist" on Google you can log in to some big sites with big newsletters. (Tested with - Germany)

When you are logged in as listadmin you can type in URLs like

to see every user's information. You can also change the users' details!

I think you can do more shit with this listadmin account - but I don't have any time to test it!

Dear developers, please remove these standard accounts - many users don't look in their database!

Additional Information: One minute ago I downloaded phplist 2.9.3 again to check the SQL file again:


INSERT INTO phplist_admin VALUES (1,'admin','admin','','2002-05-24 16:06:33',20020524160633,'','phplist','2002-05-24',1,0);
INSERT INTO phplist_admin VALUES (2,'listadmin','listadmin','','2002-05-31 10:37:15',20020531111727,'listadmin','password','0000-00-00',0,0);
INSERT INTO phplist_admin VALUES (3,'listadmin2','listadmin2','','2002-05-31 10:40:12',20020531104012,'admin','password','0000-00-00',0,0);
INSERT INTO phplist_admin VALUES (4,'listadmin3','listadmin3','','2002-05-31 11:05:22',20020531110522,'admin','password','0000-00-00',0,0);

Tags: No tags attached.


Relationships: child of 0002456 (resolved, michiel) PHPList v2.9.4 release



manager (~0003450), 10-02-05 03:51

It would be best to remove the listadmin accounts from the SQL file leaving just the basic admin one.


manager (~0003471), 11-02-05 03:52

Michiel, please remove the SQL INSERT lines 51, 52 and 53 from phplist.sql in CVS, and any other records related to them. Thanks.



manager (~0003472), 11-02-05 04:04

After checking through the rest of the code I don't see any other references to default listadmins. I think it is fairly safe.



administrator (~0003574), 18-02-05 16:39

The SQL file is only for initialising the demo, and should not be used for installation. In the demo, it is useful to show multiple admins, but all information is publicly available anyway, so there's no security issue.
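The practical check behind this report is whether a phplist.sql dump (or a database initialised from it) still carries the listadmin rows with the password "password". The script below is an added example, not part of the issue or of phpList's own code: it parses the quoted INSERT rows, flags every phplist_admin row whose password column holds that default, and emits DELETE statements for them. It assumes the positional layout visible in the quoted rows (id in column 0, login name in column 1, password in column 7) and assumes the first column is named `id`, since the dump does not name its columns. The same dump also seeds the `admin` row with the fixed password `phplist`, which the script reports separately so it can be changed rather than deleted.

```python
import re

# Constructed sample input: the four rows the report quotes from phplist.sql in 2.9.3.
SAMPLE_SQL = """
INSERT INTO phplist_admin VALUES (1,'admin','admin','','2002-05-24 16:06:33',20020524160633,'','phplist','2002-05-24',1,0);
INSERT INTO phplist_admin VALUES (2,'listadmin','listadmin','','2002-05-31 10:37:15',20020531111727,'listadmin','password','0000-00-00',0,0);
INSERT INTO phplist_admin VALUES (3,'listadmin2','listadmin2','','2002-05-31 10:40:12',20020531104012,'admin','password','0000-00-00',0,0);
INSERT INTO phplist_admin VALUES (4,'listadmin3','listadmin3','','2002-05-31 11:05:22',20020531110522,'admin','password','0000-00-00',0,0);
"""

# Positional layout inferred from the rows above (assumption: the dump names no columns).
ID_COL, LOGIN_COL, PASSWORD_COL = 0, 1, 7

# The default password the report calls out for the listadmin accounts.
DEFAULT_PASSWORDS = {"password"}

INSERT_RE = re.compile(r"INSERT\s+INTO\s+(\w+)\s+VALUES\s*\((.*)\)\s*;", re.IGNORECASE)


def split_values(body):
    """Split the inside of a VALUES (...) tuple into raw string fields.

    Handles single-quoted values containing commas and both MySQL escape
    forms for a quote inside a string (backslash-quote and a doubled quote)."""
    fields, cur, i, n = [], [], 0, len(body)
    while i < n:
        c = body[i]
        if c == "'":
            i += 1
            while i < n:
                if body[i] == "\\" and i + 1 < n:        # backslash escape
                    cur.append(body[i + 1]); i += 2; continue
                if body[i] == "'":
                    if i + 1 < n and body[i + 1] == "'":  # doubled quote
                        cur.append("'"); i += 2; continue
                    i += 1
                    break                                  # closing quote
                cur.append(body[i]); i += 1
        elif c == ",":
            fields.append("".join(cur)); cur = []; i += 1
        elif c.isspace():
            i += 1                                         # whitespace outside quotes
        else:
            cur.append(c); i += 1                          # unquoted number/NULL
    fields.append("".join(cur))
    return fields


def admin_rows(sql_text, table="phplist_admin"):
    """Return (id, login, password) for every INSERT into the admin table."""
    rows = []
    for line in sql_text.splitlines():
        m = INSERT_RE.search(line)
        if not m or m.group(1).lower() != table:
            continue
        f = split_values(m.group(2))
        rows.append((int(f[ID_COL]), f[LOGIN_COL], f[PASSWORD_COL]))
    return rows


def find_default_admins(sql_text, defaults=DEFAULT_PASSWORDS):
    """Rows whose password column equals one of the known defaults."""
    return [(i, login) for i, login, pw in admin_rows(sql_text) if pw in defaults]


def seeded_passwords(sql_text):
    """Every login with the clear-text password the dump seeds it with."""
    return {login: pw for _, login, pw in admin_rows(sql_text)}


def delete_statements(sql_text, defaults=DEFAULT_PASSWORDS):
    """DELETEs for the flagged rows; 'id' is the assumed name of the first column."""
    return ["DELETE FROM phplist_admin WHERE id = %d;" % i
            for i, _ in find_default_admins(sql_text, defaults)]


if __name__ == "__main__":
    for i, login in find_default_admins(SAMPLE_SQL):
        print("default credential: id=%d login=%s" % (i, login))
    for stmt in delete_statements(SAMPLE_SQL):
        print(stmt)
    print("seeded passwords:", seeded_passwords(SAMPLE_SQL))
```

Run it against a real dump by reading the file into `sql_text` instead of `SAMPLE_SQL`; the DELETE statements are meant to be reviewed before they are applied, and the `admin` row should have its seeded password changed rather than be deleted.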