phpList 3.5.1 Released: Security Release


This release is a security release – you should upgrade as soon as possible.
This vulnerability is present in all versions before 3.5.1.

Fixes

This is a release to address a recently found vulnerability in the system that verifies a password when an administrator logs in. As a result, attackers can potentially gain access by using a carefully constructed, but incorrect, password.

The fix switches to strict comparison ‘===’ on the password validation line in this file.
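Why the switch to strict comparison matters, as an added example that is not phpList's own code: PHP's loose '==' compares two numeric-looking strings as numbers, so strings that differ can still compare equal. The function names and sample values below are constructed for illustration, and hash_equals() is shown as a further hardening option, not as part of the 3.5.1 change.

```php
<?php
// Added illustration; function names are hypothetical, not phpList's code.

// Loose check: '==' treats two numeric-looking strings as numbers.
function check_loose(string $stored, string $candidate): bool
{
    return $stored == $candidate;
}

// Strict check, the kind of comparison the 3.5.1 fix switches to:
// '===' requires the same type and exactly the same bytes.
function check_strict(string $stored, string $candidate): bool
{
    return $stored === $candidate;
}

// Optional hardening beyond the fix: byte-exact and timing-safe.
function check_constant_time(string $stored, string $candidate): bool
{
    return hash_equals($stored, $candidate);
}

// Constructed sample values (not real digests). The first pair reads as
// scientific notation (0 x 10^n), so both sides evaluate to the number 0.
$cases = [
    'numeric-looking, different' => ['0e12345678', '0e87654321'],
    'numeric-looking, 1e3/1000'  => ['1e3', '1000'],
    'non-numeric, different'     => ['a1b2c3d4', 'a1b2c3d5'],
    'identical'                  => ['a1b2c3d4', 'a1b2c3d4'],
];

foreach ($cases as $label => [$stored, $candidate]) {
    printf(
        "%-28s loose=%-5s strict=%-5s hash_equals=%s\n",
        $label,
        var_export(check_loose($stored, $candidate), true),
        var_export(check_strict($stored, $candidate), true),
        var_export(check_constant_time($stored, $candidate), true)
    );
}
```

Only the loose check accepts the first two pairs; when auditing other code, any '==' or '!=' applied to a password hash, token or signature is worth replacing in the same way.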

If you are running on version 3.4.7 or later you can use the Automatic Updater to update your installation, or see the Download page for full installation and upgrade instructions.

Community-made

We want to thank Suvadip Kar for reporting and submitting the fix for the issue.
To get involved in phpList development, check out the developer resources pages.

Report any issues you find with phpList 4 core or REST API to the corresponding repo on GitHub. Please read the contribution guide on how to contribute to these modules.

Support

Need help upgrading your phpList server to the newest version? Ask the community at discuss.phplist.org. Professional support from community experts, as well as manuals, source code, and developer resources, can be found at phplist.org. Report all bugs to the bugtracker!

Want to focus on campaigns and forget hosting headaches? Sign up at phplist.com for an account with everything included. Send from 300 free messages to 30 million messages per month — simple.
