Hello All,

A new version of phplist is out. This release focusses on security issues, particularly a few that have been found by Michael Stenitzer, Marshall Roch and Tobias Klein.

The most serious issue is that a user's personal information can be found by guessing their email. If your system is set up not to ask for a password to enter the "preferences" page, it is possible to retrieve the personal information. This is the default setting for phplist, so it is highly recommended to upgrade to this version to close that loophole.

Downloads at http://www.phplist.com/files/
Release notes at http://tincan.co.uk/releasenotes/

The other security issues cannot be exploited by unknown strangers, but they do cause inter-admin insecurity, which would, for example, allow a "sub admin" to discover the login details of a "super admin" and gain more privileges than assigned to them. They would have to use cross-site scripting methods to do so.

I want to thank everyone for the overwhelming response after the last release. My request to have some nice remarks on Freshmeat resulted in a large amount of positive comments on the Freshmeat site. I wonder what else I can ask you all to do.

One last thing, if you live in Argentina, and you work with phplist, drop me a line, so we can meet up. I'm interested to meet people in Argentina to discuss loads of options and ideas.

Thanks

Michiel