phpList 3.5.1 Released: Security Release

Suela · February 3, 2020, 1:36pm

This release is a security release – you should upgrade as soon as possible.

This is a release to address a recently found vulnerability in the system that verifies a password when an administrator logs in. As a result, attackers can potentially gain access by using a carefully constructed, but incorrect, password.

This vulnerability is present in all versions before 3.5.1.

We have released version 3.5.1 which fixes this issue. Everyone using a version before 3.5.1 is strongly recommended to upgrade.

If you are running on version 3.4.7 or later you can use the Automatic Updater to update your installation, or see the Download page for full installation and upgrade instructions.

All phpList hosted customers have been patched for this vulnerability.

We want to thank Suvadip Kar for reporting and submitting the fix for the issue.

Jessie · February 3, 2020, 6:09pm

Great! thank to @Suela but tried to find a list of all “modified” files without succes

Do you know if it’s available (from 3.5.0 to 3.5.1)

Suela · February 4, 2020, 1:11pm

Hi @Jessie

The fix is provided by switching to using strict comparison ‘===’ on the Password validation line in the following file:

github.com

phpList/phplist3/blob/master/public_html/lists/admin/phpListAdminAuthentication.php

<?php

class phpListAdminAuthentication
{
    public $name = 'Default phpList Authentication';
    public $version = 0.1;
    public $authors = 'Michiel Dethmers';
    public $description = 'Provides authentication to phpList using the internal phpList administration database';

    /**
     * validateLogin, verify that the login credentials are correct.
     *
     * @param string $login    the login field
     * @param string $password the password
     *
     * @return array
     *               index 0 -> false if login failed, index of the administrator if successful
     *               index 1 -> error message when login fails
     *
     * eg

This file has been truncated. show original

Suela · February 4, 2020, 1:20pm

Also, the subset of passwords affected by using “==” instead of “===” are those on which the password hashes begin with 0e followed by exclusively numerical characters.

Suela.

Jessie · February 4, 2020, 4:50pm

Hi thanks to @Suela for this reply then found this updated file from here

mikerotec · February 4, 2020, 6:05pm

wow! I wish I had found this forum post before I started the long and tedious process of uploading the 12,000 PHPlist files to my server.
It would be nice if we could just have ‘a patch’ in cases like this…

Jessie · February 5, 2020, 12:05am

Hi @mikerotec that is why I 'd asked if so many files must be updated in order to upgrade to 3.5.1 (from 3.5.0)
PS: Tried to find a listing of all “necessary” files for basic usage but none at this point!

alex01 · February 5, 2020, 10:30am

I don’t really see the issue, takes about 10 minutes to update when done manually…

Jessie · February 8, 2020, 4:18pm

@alex01 in order to save the mother earth resources!

Jessie · February 8, 2020, 4:31pm

and updated version number in database (table: phplist_config) & uploaded the following files: init.php & structure.php (admin subfolder)

May be more to do? I don’t know…

samtuke · February 10, 2020, 9:37am

Try using SFTP, rsync, or the automatic updater to make such upgrades more convenient.

mikerotec · February 10, 2020, 4:54pm

The automatic updater was deprecated, wasn’t it??? It’s not included in the latest version…

I do use SFTP and it’s still pretty tedious. Not sure I can set up rsync in this case

veltsu · February 11, 2020, 7:06am

It’s really odd that the latest release the automatic updater is showing is 3.5.0.

Suela · February 11, 2020, 10:35am

Hello, can you please try again (make sure you are starting fresh by removing the actions.txt file in the /Config folder). I can’t replicate that in my installation and can confirm the version in the server is 3.5.1.

Suela · February 11, 2020, 10:39am

Hmm, NO it is not deprecated and it is included on the latest version. Can you please check on why would that be with your installation?
Thanks

veltsu · February 11, 2020, 9:46pm

The automatic updater shows version 3.5.1. The phpList Community News in the dashboard does not. I actually did not try the automatic updater earlier because I assumed that the news and the updater are in sync. I’ve cleared my browser cache, just in case.

Suela · February 12, 2020, 4:16pm

Oh, now that bit is actually updated directly from the phplist.org website and usually every release notification is shared so, I understand the confusion. You should be able to see the post about that release too now.

Thanks,
Suela.

maltfield · February 13, 2020, 2:50pm

FYR, this is release fixes CVE-2020-8547

https://nvd.nist.gov/vuln/detail/CVE-2020-8547

maltfield · February 13, 2020, 2:55pm

This is getting off-topic, but fwiw before wpcli, I would usually update my wordpress installs using svn sw. Would it be possible to update phpList’s files with a single carefully written git clone against some tagged version?

https://codex.wordpress.org/Installing/Updating_WordPress_with_Subversion

Jessie · February 13, 2020, 5:51pm

@maltfield it seems done for now…

The fix is provided by switching to using strict comparison ‘===’ on the Password validation line in this file.