phpList 3.5.1 Released: Security Release

This release is a security release – you should upgrade as soon as possible.

This is a release to address a recently found vulnerability in the system that verifies a password when an administrator logs in. As a result, attackers can potentially gain access by using a carefully constructed, but incorrect, password.

This vulnerability is present in all versions before 3.5.1.

We have released version 3.5.1 which fixes this issue. Everyone using a version before 3.5.1 is strongly recommended to upgrade.

If you are running on version 3.4.7 or later you can use the Automatic Updater to update your installation, or see the Download page for full installation and upgrade instructions.

All phpList hosted customers have been patched for this vulnerability.

We want to thank Suvadip Kar for reporting and submitting the fix for the issue.


Great! Thanks to @Suela, but tried to find a list of all “modified” files without success.

Do you know if it’s available (from 3.5.0 to 3.5.1)?

Hi @Jessie

The fix is provided by switching to using strict comparison ‘===’ on the Password validation line in the following file:


Also, the subset of passwords affected by using “==” instead of “===” are those on which the password hashes begin with 0e followed by exclusively numerical characters.

Suela.
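
The difference between `==` and `===` described in the two posts above, as an added example that is not part of the original thread and is not phpList's code. The hash strings are constructed values shaped like the affected subset, the helper names are hypothetical, and `hash_equals()` is shown as a further hardening option beyond the `===` fix the release uses.

```php
<?php
// Added illustration, not phpList source code.
// Constructed 32-character hex-shaped strings; they are not digests of any real password.
$stored    = '0e462097431906509019562988736854'; // "0e" followed only by digits
$submitted = '0e830400451993494058024219903391'; // different string, same shape
$ordinary  = 'a3f1c0de462097431906509019562988'; // typical hash, not numeric-looking

// Hypothetical helper: is this stored hash in the subset the post describes?
function isAffectedHash(string $hash): bool
{
    return preg_match('/^0e[0-9]+$/', $hash) === 1;
}

// Pre-fix style: loose comparison. When both operands are numeric strings,
// PHP compares them as numbers, and "0e<digits>" parses as 0 * 10^n = 0.
function looseMatch(string $known, string $given): bool
{
    return $known == $given;
}

// Post-fix style: strict comparison checks type and exact string contents.
function strictMatch(string $known, string $given): bool
{
    return $known === $given;
}

// Alternative: exact string comparison in constant time.
function constantTimeMatch(string $known, string $given): bool
{
    return hash_equals($known, $given);
}

$cases = [
    'affected-shape vs different affected-shape' => [$stored, $submitted],
    'affected-shape vs ordinary hash'            => [$stored, $ordinary],
    'identical strings'                          => [$stored, $stored],
];

foreach ($cases as $label => [$known, $given]) {
    printf(
        "%-45s affected=%s loose=%s strict=%s hash_equals=%s\n",
        $label,
        var_export(isAffectedHash($known), true),
        var_export(looseMatch($known, $given), true),
        var_export(strictMatch($known, $given), true),
        var_export(constantTimeMatch($known, $given), true)
    );
}
```

The first case is the one the fix addresses: the loose comparison accepts two different strings, while both exact comparisons reject them. The `isAffectedHash()` pattern can also be run over stored admin hashes to see which accounts fell into the affected subset before upgrading.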


Hi, thanks to @Suela for this reply, then found this updated file from here

wow! I wish I had found this forum post before I started the long and tedious process of uploading the 12,000 PHPlist files to my server.
It would be nice if we could just have ‘a patch’ in cases like this…

Hi @mikerotec that is why :wink: I'd asked if so many files must be updated in order to upgrade to 3.5.1 (from 3.5.0)
PS: Tried to find a listing of all “necessary” files for basic usage but none at this point!

I don’t really see the issue, takes about 10 minutes to update when done manually…

@alex01 in order to save the mother earth resources!

and :wink: updated version number in database (table: phplist_config) & uploaded the following files: init.php & structure.php (admin subfolder)

Maybe more to do? I don’t know…

Try using SFTP, rsync, or the automatic updater to make such upgrades more convenient.

The automatic updater was deprecated, wasn’t it??? It’s not included in the latest version…

I do use SFTP and it’s still pretty tedious. :roll_eyes: Not sure I can set up rsync in this case

It’s really odd that the latest release the automatic updater is showing is 3.5.0.

Hello, can you please try again (make sure you are starting fresh by removing the actions.txt file in the /Config folder). I can’t replicate that in my installation and can confirm the version in the server is 3.5.1.

Hmm, NO, it is not deprecated and it is included in the latest version. Can you please check why that would be with your installation?
Thanks

The automatic updater shows version 3.5.1. The phpList Community News in the dashboard does not. I actually did not try the automatic updater earlier because I assumed that the news and the updater are in sync. I’ve cleared my browser cache, just in case.

Oh, now that bit is actually updated directly from the phplist.org website and usually every release notification is shared, so I understand the confusion. You should be able to see the post about that release too now.

Thanks,
Suela.

FYR, this release fixes CVE-2020-8547

This is getting off-topic, but fwiw before wpcli, I would usually update my WordPress installs using svn sw. Would it be possible to update phpList’s files with a single carefully written git clone against some tagged version?

@maltfield it seems done for now…

The fix is provided by switching to using strict comparison ‘===’ on the Password validation line in this file.