Mantis - ISSUES

0015367: Command-line access control is insecure

In index.php, the USER environment variable is checked against the global $commandline_users to determine the process owner's access to invocation of PHPList scripts from the command line. This method is insecure as environment variables are easily spoofed.

If you really want to implement this type of access control, you can check for the process user with posix_getpwuid(posix_getuid()). However, these functions are only available through the POSIX extension which is not always loaded.

This access control seems unnecessary anyway, as POSIX permissions and ACLs are sufficient.

0015366: Add basic template ownership

This patch adds template ownership to phplist.
It means that each admin can create their own templates and one admin cannot see another admin's template.

I copy and paste in "Additional information" field the basic instructions on how to use it.

I am very interested in this patch becoming part of the official phplist.

So I am ready to correct it as many times as it is needed so that it fits the way that you want things to be coded or if it needs to be improved somehow or whatever.

I think I have done a great job because I have also coded the database upgrade part but it's up to you to judge my work so that we can improve it a lot better and add it to official phplist upstream code.

Thank you very much for your attention.

adrian15

0015283: v2.10.10: Date criteria does not work

Using Date attributes as criteria does not seem to work anymore.

This issue is reported by Aidan:
==== START QUOTE ====
On the Criteria tab, I try to add a criterion based on the date attribute - I choose the date attribute from the dropdown and enter the date in the format specified, dd-mm-yyyy, and click 'Add Criterion'. But it replaces the date I entered with 0. I get the message 'Adding Submission Date isbefore 0' and it adds a line to the 'Existing Criteria' table which also has '0' in the values column.

Running the Calculate function shows that this criterion has no effect on the number of results returned.
=== END QUOTE ===
Source: http://forums.phplist.com/viewtopic.php?f=17&t=24512#p61910 [^]

Issue confirmed on my installation too.

0015359: User Specific Authentication Pages Loose Formatting

when the phplis driven site directs a user to a user specific login page (one that needs a password) the formatting of the page becomes generic causing the user to think they have left the current site. This is causing some users to think they have been redirected under false pretenses. It happens when ever they are asked for their password.

There is a complete list of what has been found and done to this point at the following link in the forums

http://forums.phplist.com/viewtopic.php?f=17&t=28879 [^]

0015320: Unsubscription should only be possible by a subscriber himself and not by a third person

It's possible to unsubscribe somebody else just with the knowledge of his email address (e.g. with mydomain.com/lists/?unsubscribe). One does not have to know his personal preference/unsubscribe link. The unsubscribed user is _immediately_ put on the blacklist which is probably not what he want's to.

I think that this should not be possible. This is an inconsitent behaviour related to the procedure of suscribing where a confirmation mail is needed. Also, this is an security issue.

Unsubscribing should only be possible using one's personal preference link which is normally included in every mailing or which can be sent to the user by mail upon request. If the unsubscribe process should be possible using the unsubscribe link as described above (without any userid), there should be sent a confirmation link to the user.

This functionality should be provided without the need of enabling user passwords.

Thorsten

0015226: User updates preferrences and receives page error - Undefined Index & Variable (v.2.10.9)

Error page occurring when user follows link in received mail to update their details. The correct userid is parsed and the user's details displayed ready for ammendment but when these have been changed and the update button clicked the error page appears as described in additional information.

Observations:
User still receives the email notification of an update taking place with the new updated details.

The email being referred to as an undefined index relates to the senders email not the users or the noreply one used for system messages.

(Could not specify version in Product Version drop down as 2.10.9 not available for selection.)

0015365: Wrong description of MAILQUEUE_BATCH_PERIOD in config file

The description of MAILQUEUE_BATCH_PERIOD is wrong.

It says: "MAILQUEUE_BATCH_PERIOD define the length of one batch processing period, in seconds (3600 is an hour)"

This is not true. Instead, it defines the waiting time between two batches.

E.g., I am using the following settings:

define("MAILQUEUE_BATCH_SIZE",10);
define("MAILQUEUE_BATCH_PERIOD",1);

What happens is that I am sending 10 mails per batch and the web interface waits for 1 second before reloading and sending the next 100 mails.

Thorsten

0015363: addAbsoluteResources does not / or fails in matching schema

function: addAbsoluteResources (lib.php line 533)

the preg_match cannot match because "[x|y|z]" is used instead of "(x|y|z)"
AND
after this it matched (a failure) on links to if "http" are in the link anywhere.

Imagine link:
a href="/.bin/fwd.fcgi?http://www.b2b-deutschland.de/wirtschaftsnews/091110/duerftige-aussichten-fuer-arcandor-glaeubiger/index.php" [^]
It matched, but should not.

Result the url was not absolutized.

Attended result for website=www.b2b-deutschland.de should be:
a href="http://www.b2b-deutschland.de/.bin/fwd.fcgi?http://www.b2b-deutschland.de/wirtschaftsnews/091110/duerftige-aussichten-fuer-arcandor-glaeubiger/index.php" [^]

Patch:

0015364: minor issue with click tracking and anti-phishing software

many versions of anti-phishing , either plugins, or built into mail clients, or via anti-spam systems will see non-matching url's when the a href (the local, trackable url, the domain) doesn't match the one that you are actually directed to.

I would not having the 'visible' url be the same as the real url.

Without something, it makes phplist emails with click tracing on seem like spam or phishing emails.

worse yet, would be if the target url (original one) was https.

(reason I know alot about this, is we produce anti-spam products that include anti-phishing functions)

0015362: overall handling of charsets

You can enter bits of text at several locations, ranging from config file (plain text email user name) to configuration (database). At no point (it seems) the charset of user input is been checked or converted to UTF-8. You might end up with a mixture of Charsets, depending on the browser settings of the PHPList users.
Additionally PHPList does not send an content-type HTTP header containing charset information, which will produce bad output depending on the users browser settings. You really should send something like "content-type: text/plain; charset=utf-8".

0015361: Attribut value is not saved

Havingh set an own table prefix the value of an attribute of the type select is not saved on subscription.

The bug ist in "admin/commonlib/lib/userlib.php" from line 913 on.

WRONG:
$curval = Sql_Fetch_Row_Query(sprintf('select id from phplist_listattr_%s
where name = "%s"',$atttable,$data["displayvalue"]),1);
if (!$curval[0] && $data['displayvalue'] && $data['displayvalue'] != '') {
Sql_Query(sprintf('insert into phplist_listattr_%s (name) values("%s")',$atttable,
$data["displayvalue"]));

RIGHT:

$curval = Sql_Fetch_Row_Query(sprintf('select id from ' . $usertable_prefix . 'listattr_%s
where name = "%s"',$atttable,$data["displayvalue"]),1);
if (!$curval[0] && $data['displayvalue'] && $data['displayvalue'] != '') {
Sql_Query(sprintf('insert into ' . $usertable_prefix . 'listattr_%s (name) values("%s")',$atttable,
$data["displayvalue"]));

0015309: get blacklisted and see the html output when tring to subscribe

crash because its visible and customer in bad mood!

get blacklisted and see the html output when trying to subscribe to a list: dublicate html output. :-(
v2.10.10

0015357: Develope Swift mailer pluggin that would allow phplist message sending to increase exponentionaly!

Wants to find out where we are with possibly creating a swift mailer pluggin to be added to the defaiult phplist plugin. I have a dedicated server I can donate to development.

Swift mailer would allow load balancing between servers with phpmailer doesn't support. Load balancing would safely and effienctly increase phplist performance beyond 30,000 messages per hour. It may make things easier for those using shared hosting as well

Some of Swift Mailer Features:

* Send uses one single connection to the SMTP server or MTA
* Doesn't rely on mail()
* Custom Headers
* Multiple encoding options
* Unlimited redundant connections (can use mixed types too)
* Connection rotating/load balancing
* TLS Support - for Gmail servers
* Embedded Images or other file types
* Builds and sends Multipart messages
* Sends single-part emails as usual
* Fast Cc and Bcc handling
* Unicode UTF-8 support, with auto-detection
* Handles denied recipients in batch mailing whilst still delivering to the others
* Optional auto-detection of SMTP or Sendmail settings
* Batch emailing with multiple To's or without
* Send to hundreds of thousands of addresses without cron
* Support for multiple attachments
* Protection against header injection
* Set message priority
* Request Read Receipts
* Sendmail (or other binary) support
* Pluggable SMTP Authentication (LOGIN, PLAIN, MD5-CRAM, POP Before SMTP)
* Anti-Flooding support (reconnect every X emails) via plugin
* Secure Socket Layer connections (SSL)
* Loadable plugin support with event handling features

0015360: Click Tracking is not working for links in the body of the message, only for those in the footer.

Hi,

Click Tracking is not working for links in the body of the message, only for those in the footer i.e., for unsubsribe and Forward links.

Any help would be appreciated.

Thanks,
Ramya

0015345: "phplist powered by phplist" in the admin pages. No version in the user pages.

The user pages display nothing after the word "version". If it's on purpose, the word "version" should be removed and the version number should be removed from the admin log-in page.

The admin pages display "phplist powered by phplist".

0015325: SMTP code is partially broken (revisited)

cipixul reports that the code changes applied to "admin/class.phplistmailer.php" in order to fix issue 8590 can result in trouble:

===== Start Quote =====

The code is wrong because it uses PHPMAILERHOST only if the admin set phpmailer_user, which is not always the case, and as we run several smtpd servers on same machine, we don't authenticate to our smtpd instances because they're local.

===== End Quote =====
Source: http://forums.phplist.com/viewtopic.php?f=17&t=23830#p67628 [^]

0015291: SMTP send won't work without authentication

Logic in constructor of class PHPlistMailer is wrong in the case of using SMTP.

The offending code is:

if (defined('PHPMAILERHOST') && PHPMAILERHOST != '') && isset($GLOBALS['phpmailer_smtpuser']) && $GLOBALS['phpmailer_smtpuser'] != '') {
....
}

SMTP will only be set if phpmailer_smtpuser has been set in the configuration. This precludes the use of SMTP servers which do not require authentication.

The fix is simple and is left as an exercise for the maintainers.

0000740: PHPList Archive

Guys,

I've been using Mojo Mailing List since January and its been very good. I really like PHPList a lot but one thing it do not have is automatically archive on website.

Wonder if they ever will upgrade PHPList with it in near future?

Smile,
gwlj

0015358: Import does not strip doublequote text delimiters when using 'import emails with the same values for attributes'

By default Openoffice Calc uses the text delimter " when exporting CSV files. When importing to phplist it appears not to remove these which results in email addresses that look like: "name@domain.com" instead of just: name@domain.com. The actual import itself goes fine but then later these doublequotes result in the addresses being regarded as invalid by phplist.

Line 407 of importcsv.php includes the code:

$line = str_replace('"', '', $line);

For whatever reason - i am not a competent enough coder to work out what's happening here - the code above either doesn't get called or does not have the intended effect.

As OpenOffice is a popular choice both for regular users and for those looking to convert xls files and export them as csv, i contend that this should just work without having to manually alter the text delimiter.

I have twice seen this effect. First when importing a large number of email addresses and then secondly through exporting a CSV file consisting of just two email addresses in an attempt to replicate the behaviour.

This appears consistent arcoss both 2.10.9 and 2.10.10.

0015341: security - forgotpassword value not checked/eval'd

/lists/admin when entering value to send an email for 'forgot password', the value is not checked.

Fix included in additional info.

0015349: Need stripslashes when displaying and/or searcing for user attributes

Just like http://mantis.phplist.com/view.php?id=1152 [^] only for user attributes.

This is relevant for:
1) The usage of [attribute] in messages.
2) Searching by attribute in the list of users.
3) Displaying the search result of searching by attribute in the list of users
4) The user's preferences page
5) The admin's edit screen of individual users.

Things like such users are being unsearchable (by the relevant attribute) - even if you use slash in your search - is why I classified it as a major error.

0015188: PHP Error

On the bottom of lists/admin/ along with several other admin pages I get this error message:

Notice: ob_end_flush() [ref.outcontrol]: failed to delete and flush buffer. No buffer to delete or flush. in /nfs/c02/h03/mnt/27557/domains/puyallup-tribe.com/html/mail/lists/admin/index.php on line 409
phplist version 2.10.7

0015300: Resubscribing previous user (i.e. blacklisted)

There are two possibilities with this depending on whether users are required to use a password.

config.php define("ASKFORPASSWORD",0);

With the above setting in config it still only works if a fix that I found in the forum is applied to the admin/subscribelib2.php around line 365 under "if ($blacklisted) {" rem out "return 1". This then allows the new subscription to send out the request for confirmation email and once the url in that is clicked the user is removed from being blacklisted.

With the ASKFORPASSWORD set to 1, when someone tries to resubscribe the subscription page asks for a password to be created and then reconfirmed as with any user trying to subscribe with the password option switched on. However, instead of the system updating the password with the new one from this registration as it does with the rest of the user details being resubscribed, it reloads the subscribe page stating that the email already exists with a different password, breaking the resubscription process unless the user knows or requests their old password. It would be cleaner if whatever password they chose upon attempting to resubscribe was taken as their new data as it does with other attributes from the subscribe page.

0015350: "Send Message" screen is incomplete

I am using IE 8, and am experiencing the same problem that was reported in issue # 004030. I can see the full screen in your demo, but not in the version I have installed. It was installed using Fantastico and I haven't changed any default config settings.

0015351: Bug in MySql installation script of PHPList

After installing PHPList on server and going through the admin panel I noticed that I was receiving errors such as table does not exist. This was very strange so I decided to do some further investigation.

Findings:

On line number 1087 in the phplist.sql:

INSERT INTO `phplist_user_blacklist_data` VALUES ('billgates@microsoft.com','reason','I\\\'m not really that interested in your newsletter anymore. Sorry.');

This is not correct as the \\\ in the query escapes the rest of the sql and the remaining tables are not executed this results in a broken installation.

The correct sql is:
INSERT INTO `phplist_user_blacklist_data` VALUES ('billgates@microsoft.com','reason','I\'m not really that interested in your newsletter anymore. Sorry.');

After doing this fix and adding the tables below this line number everything worked perfectly.