Security Announcement

11 April 2006
A new security issue has been discovered in phplist.

Not all installations are vulnerable. You are vulnerable if "register_globals" is ON in your PHP settings and your PHP is one of:

- PHP 4 older than version 4.4.1
- PHP 5 older than version 5.1.0

If you are vulnerable, the proper fix is to upgrade PHP to 4.4.1 / 5.1.0 or later. Because the issue needs register_globals, switching that setting OFF (register_globals = Off in php.ini, or php_flag register_globals off in a .htaccess file where your host allows it) also removes the exposure, provided nothing else on the server depends on it. If neither is possible, you can still prevent abuse by making the following changes to your config file:

change the line (somewhere on top of the config file)
$language_module = "english.inc";
to
$GLOBALS['language_module'] = "english.inc";

and the line (somewhere at the end of the config file)
$database_module = "mysql.inc";
to
$GLOBALS['database_module'] = "mysql.inc";

In outline, the workaround works because phplist reads these two settings back through $GLOBALS[...]: the PHP bug lets a request replace the $GLOBALS array with attacker-chosen values, and a plain "$language_module = ..." assignment no longer lands in that replaced array, whereas assigning to $GLOBALS['language_module'] directly overwrites whatever the request put there. Make sure you edit both lines; the protection is per setting, and the config file must be loaded before either value is used (which is the case in a normal phplist installation).
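The checks above can be scripted. The following Python script is an added example and is not part of this announcement or of phplist: it decides whether a PHP version plus register_globals setting falls in the vulnerable range described above, reports which of the two settings a config file still assigns as plain globals, and rewrites those lines to the $GLOBALS form. The version thresholds are the ones stated above; the sample config excerpt, the function names and the handling of pre-release version tags (ignored, so a "5.1.0RC1" is treated as fixed) are assumptions made for the example.

```python
import re

# PHP releases that contain the fix for the $GLOBALS overwrite bug, taken
# from the announcement above (4.4.1 for the 4.x line, 5.1.0 for the 5.x line).
FIXED_PHP4 = (4, 4, 1)
FIXED_PHP5 = (5, 1, 0)

# The two config settings the announcement tells you to move into $GLOBALS.
SETTINGS = ("language_module", "database_module")
PLAIN_ASSIGN = re.compile(
    r"^([ \t]*)\$(" + "|".join(SETTINGS) + r")[ \t]*=", re.MULTILINE)


def parse_version(version):
    """'5.0.5' -> (5, 0, 5). Extra tags such as '4.4.1-pl1' or '5.1.0RC1' are
    dropped, so a pre-release of a fixed version counts as fixed (assumption:
    check such builds by hand)."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def ini_is_on(value):
    """Interpret a php.ini boolean the way PHP does: On, 1, true and yes are on."""
    return str(value).strip().lower() in ("1", "on", "true", "yes")


def php_exposed(version, register_globals):
    """True when this PHP still carries the bug AND register_globals is on,
    i.e. the condition the announcement gives for being vulnerable."""
    if not ini_is_on(register_globals):
        return False
    parsed = parse_version(version)
    if parsed[0] == 4:
        return parsed < FIXED_PHP4
    if parsed[0] == 5:
        return parsed < FIXED_PHP5
    return False  # anything newer than the 5.x line is past the fix


def unprotected_settings(config_text):
    """Settings still assigned as plain globals ($language_module = ...)."""
    return sorted({m.group(2) for m in PLAIN_ASSIGN.finditer(config_text)})


def apply_workaround(config_text):
    """Rewrite '$name = ...;' to "$GLOBALS['name'] = ...;" for both settings.
    Lines that already use $GLOBALS[...] do not match and are left alone,
    so running this twice is harmless."""
    return PLAIN_ASSIGN.sub(
        lambda m: f"{m.group(1)}$GLOBALS['{m.group(2)}'] =", config_text)


def assess(version, register_globals, config_text):
    """Combine both checks into one verdict for an installation."""
    exposed = php_exposed(version, register_globals)
    missing = unprotected_settings(config_text)
    return {
        "php_exposed": exposed,
        "unprotected_settings": missing,
        "vulnerable": exposed and bool(missing),
    }


# Constructed excerpt in the shape of a phplist config file; it is not the
# real file, only the two lines the announcement names plus one filler line.
SAMPLE_CONFIG = """<?php
$language_module = "english.inc";
$database_host = "localhost";
$database_module = "mysql.inc";
?>
"""

if __name__ == "__main__":
    # Constructed settings: an old PHP 4 with register_globals switched on.
    print(assess("4.3.11", "On", SAMPLE_CONFIG))
    print(apply_workaround(SAMPLE_CONFIG))
```

To use it on a real installation, pass the contents of your config file to apply_workaround() and write the result back after reviewing the diff. Take the PHP version and register_globals value from the web server's phpinfo() page rather than from the command-line php binary, since the CLI often reads a different php.ini than mod_php does.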

You can read more about it here:
www.securityfocus.com/bid/17429

where there is also a script that you can use to test if you are vulnerable.

The root cause is an older vulnerability in PHP itself (the $GLOBALS array could be overwritten through register_globals), which has been fixed in PHP 4.4.1 and 5.1.0. You can read more on that vulnerability here:
www.hardened-php.net/globals-problem

Please be aware that this test script is now also available to other people who might want to use it for illegal purposes. This issue was reported to us and to the security community in a very irresponsible way, which has not given us sufficient time to respond and inform phplist users. The "test script" is now out in the wild and may soon turn up in worms and other probing scripts that scan the internet for vulnerable websites, so apply one of the fixes above without delay.