We have released a new stable version of phpList, version 2.10.13. This version is a further update on security, removing a few potential security vulnerabilities and further hardening the application against malicious attacks.
We have not heard of any instances where these vulnerabilities have been exploited, and we hope it stays that way.
To upgrade do the following:
1. copy your config.php file to a safe place
2. make a backup of your database (just in case)
3. upload (for example via FTP) all files in the "lists" folder of the downloaded package, overwriting the existing "lists" folder of your phpList installation
4. copy the config.php file from step 1 back to the lists/config folder
5. go to your phpList "admin" page. It will tell you your Database version is out of date.
6. click the "upgrade" link and wait until the page has finished loading
7. Now you're all done and running from the new version.
This version adds two verification checks on the administrative side.
1. A token is created for forms and verified when adding or editing administrators. This is to prevent so-called Cross-Site Request Forgery (CSRF), which a malicious website could use to create an administrator in your phpList installation.
This type of attack is complex to set up, but nevertheless possible. To exploit it the attacker needs to know the location of your phpList installation, you need to be logged in to phpList at the time, and the attacker then needs to lure you into visiting a specially crafted webpage that triggers the forged request. It is therefore recommended to always actively log out from phpList when you have finished what you wanted to do, and not to visit any other websites while you are logged into phpList.
2. Each request in the admin section is verified to check that the referrer is correct. This is not a failsafe protection, because browsers, proxies and privacy tools can strip or alter the Referer header, but it can contribute to the security.
In order to activate the check, you need to change or add the configuration:
define("CHECK_REFERRER",true);
However, this has not been tested thoroughly on all systems, so if you find you get "Access denied" when using phpList, you can add the following line in your config file to switch off this check:
define("CHECK_REFERRER",false);
If you want to whitelist certain domains as the referrer for your installation, you can do so with the $allowed_referrers configuration, which is an empty list unless you add entries:
$allowed_referrers = array();
For example:
$allowed_referrers = array('www.phplist.com','www.google.com');
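The following is an added example, not code from phpList itself, showing how the two admin-side checks described above fit together: a per-session token that a third-party page cannot know, and a Referer check against the installation's own host plus the $allowed_referrers list. The function names, the host www.example.org and the sample requests are all invented for illustration; session and request data are passed in as plain arrays so the script runs from the command line without a web server.

```php
<?php
// Added example, not phpList code. Demonstrates a CSRF form token and a
// Referer allowlist check of the kind described in the release notes.
// Function names, hosts and sample requests are invented for illustration.

declare(strict_types=1);

// Return the session's CSRF token, creating one if this session has none.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 random bytes -> 64 hex characters; a malicious site cannot guess it.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Verify the token submitted with a form against the one stored in the session.
// hash_equals() compares in constant time, so the check does not leak how many
// leading characters of a guessed token were correct.
function csrf_verify(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Check the Referer of an admin request. $own_host is the host of the phpList
// installation; $allowed_referrers mirrors the config array from the text.
// Returns true when the request may proceed.
function referrer_ok(array $server, string $own_host, array $allowed_referrers, bool $check_referrer): bool
{
    if (!$check_referrer) {
        return true; // CHECK_REFERRER switched off
    }
    if (empty($server['HTTP_REFERER'])) {
        // Browsers, proxies and privacy extensions may strip the Referer;
        // rejecting a missing header is what produces "Access denied".
        return false;
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    $host = strtolower($host);
    $allowed = array_map('strtolower', $allowed_referrers);
    return $host === strtolower($own_host) || in_array($host, $allowed, true);
}

// --- Constructed sample requests (not captured from a real installation) ---
$session = [];
$token = csrf_token($session);

// 1. Legitimate admin form submission: same host, valid token.
$good_server = ['HTTP_REFERER' => 'http://www.example.org/lists/admin/?page=admins'];
$good_post   = ['csrf_token' => $token, 'loginname' => 'newadmin'];

// 2. CSRF attempt from a malicious page: foreign host, no token.
$evil_server = ['HTTP_REFERER' => 'http://attacker.example/lure.html'];
$evil_post   = ['loginname' => 'backdoor'];

foreach ([['good', $good_server, $good_post], ['evil', $evil_server, $evil_post]] as [$label, $srv, $post]) {
    $ok = referrer_ok($srv, 'www.example.org', ['www.phplist.com'], true)
        && csrf_verify($session, $post);
    echo $label, ': ', $ok ? "accepted\n" : "Access denied\n";
}
```

Both checks are evaluated on every admin request; the token check is the one that actually stops a forged request, since a malicious page can suppress its own Referer but cannot read the token out of your session.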