[solved] Rename subscription URL to enhance security

Postby websitebob » 3:20pm, Mon 17 Sep, 2007

Hi guys

First time posting. Hopefully long time member.

Everything went smooth on my install. (I did get a blank page at one point when I was customizing the subscription page and changing text in the language file... the solution was to delete all files on the server and reinstall.)

Here's the question:

As a matter of security, I'd like to rename the URLs of my PHPlist forms (i.e. subscribe, preferences, etc.). It's my thought that everyone using PHPlist has some commonality in their URL (i.e. ?p=subscribe ). A malicious user can locate these forms with an easy search and attempt SQL injections, etc. Even if there is no present vulnerability, it invites unwanted guests and possible corrupted files when users are hammering away through your forms.

I tried using the configure panel in Admin to rename this area of the URL without success. Any suggestions?

Thanks in advance.
websitebob

Postby websitebob » 5:53pm, Tue 18 Sep, 2007

I had to reinstall PHPlist once again after making a couple simple text changes in the English language file. It crashed the app; bringing up a blank screen once again. An app shouldn't crash when you change out a default language message.

This is another reason to be concerned about security ...because if the app is too fragile to handle changing out a message within the language file, how's it going to handle a failed exploit attempt... or even an Admin's attempt to safeguard the app by renaming the URL?

I'd encourage anyone here to Google "?p=subscribe" if you don't know what I'm talking about.

Side note: Someone should delete the spam posts offering ***SPAM*** and ***SPAM*** drugs on this board. Thanks.
websitebob

Postby Dragonrider » 6:32pm, Tue 18 Sep, 2007

websitebob wrote: I had to reinstall PHPlist once again after making a couple simple text changes in the English language file. It crashed the app; bringing up a blank screen once again. An app shouldn't crash when you change out a default language message.

This is another reason to be concerned about security ...because if the app is too fragile to handle changing out a message within the language file, how's it going to handle a failed exploit attempt... or even an Admin's attempt to safeguard the app by renaming the URL?

You may simply have missed a semicolon off a line, or added a quote/apostrophe in by accident. That can be a cause of php failing.

Side note: Someone should delete the spam posts offering ***SPAM*** and ***SPAM*** drugs on this board. Thanks.


Working on it, there's loads daily! Probably more than you get to see honest!
My sites:- http://wharfedalefestival.co.uk, http://ilkleygardeners.org.uk, http://emergencyaid.net, http://dragonrider.co.uk
Latest phpList version is now 3.0.12 (3 February 2015) and requires a minimum of MySQL 5.0 and PHP 5.3.x
Dragonrider

Postby websitebob » 7:57pm, Tue 18 Sep, 2007

Thanks for the reply.

I am familiar with modifying language files. I merely changed out some words inside text located inside the quotes and the app crashed twice. No punctuations were added or removed.

For the record (in the event someone else researches renaming URLs in the future):

In my attempt to rename URLs, I tried a fresh install where I predefined slight modifications to the default pages under admin > defaultconfig and in config. These changes were made before uploading files for installation. The modifications were simply the addition of an alpha character immediately after p=. I wanted this to reduce the likelihood that my pages would come up in a Google hack searching for common PHPlist form pages to exploit. This didn't work. The subscription page (etc.) would not open and resulted in a 500 (misconfiguration) error. So, I'm inclined to think there is more code somewhere else.

Before that, I simply tried renaming the default URLs (subscribeurl, etc.) in the SQL database and again in admin > defaultconfig. I expected this to change the base URL. An easy fix, I thought. Again, my attempt failed. What I got was the original default pages (i.e. p=subscribe) instead of the base URL that I designated, (i.e. p=zsubscribe).

If someone knows the answer to renaming URLs without rewriting a lot of code... your assistance would be greatly appreciated. Thanks.

websitebob

This worked for me.

Postby Guest » 4:08am, Tue 05 Aug, 2008

I know this is an old thread but hope someone finds this useful.

I did my first, fresh install of phpList v 2.10.5 and also wanted to change the "p=subscribe", "p=unsubscribe" part of the URLs (mostly because of language, not security... but after reading what websitebob wrote I felt encouraged :wink: ).

Anyway, modifying the URLs using the configuration panel does *not* work by itself, but you do need to change those URLs so they are linked correctly on the public pages and messages. Modifying directly on the DB is the same as modifying on the configuration panel.

So, what works?

Blame "lists/index.php"

It happens to be that index.php script handles all the "p=" parameters... and it has the values *hard coded*, so you need to edit that file.

Search for "subscribe", "preferences", etc. and replace with your personal values:

"subscribe" - lines: 134, 201
"preferences" - lines: 140, 207
"forward" - lines: 219
"confirm" - lines: 222
"unsubscribe" - lines: 141, 225

And that's it.
Guest
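
The search-and-replace described in the post above, as an added example that is not part of the original thread and is not phpList code. It finds the tokens by search rather than by the 2.10.5 line numbers and rewrites them only where they stand as a whole quoted string; the replacement names (zsubscribe, ...) and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: rename the hard-coded p= page tokens in lists/index.php.
# old=new pairs; the new names are hypothetical, pick your own.
PAGE_MAP="subscribe=zsubscribe preferences=zpreferences forward=zforward confirm=zconfirm unsubscribe=zunsubscribe"

# list_hits FILE: print "token: lineno:text" for each exact quoted occurrence,
# so the lines to review are found on whatever version is installed.
list_hits() {
  local file="$1" pair old
  for pair in $PAGE_MAP; do
    old=${pair%%=*}
    grep -nE "[\"']${old}[\"']" "$file" | sed "s/^/${old}: /"
  done
}

# rename_pages FILE: rewrite only "token" / 'token', keeping FILE.orig as backup.
# Matching the surrounding quotes stops "subscribe" from also hitting
# "unsubscribe", 'subscribepage' or user-facing message text.
rename_pages() {
  local file="$1" pair old new
  cp -p "$file" "$file.orig"
  for pair in $PAGE_MAP; do
    old=${pair%%=*}; new=${pair#*=}
    sed -i.tmp -e "s/\"${old}\"/\"${new}\"/g" -e "s/'${old}'/'${new}'/g" "$file"
    rm -f "$file.tmp"
  done
}

# make_sample FILE: constructed stand-in for a p= dispatcher (not phpList source)
make_sample() {
  cat > "$1" <<'EOF'
<?php
switch ($_GET["p"]) {
  case "subscribe":   $page = 'subscribepage'; break;
  case "unsubscribe": $page = 'unsub'; break;
  case 'preferences': $page = 'prefs'; break;
}
$msg = "Click to unsubscribe from this list";
EOF
}

# Usage: list_hits lists/index.php   # review the hits first
#        rename_pages lists/index.php
```

The URLs in the configuration panel still have to be changed to the same names, as the post says, and an upgrade that replaces index.php restores the defaults.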
 

Subscribe Pages

Postby dhost » 4:03pm, Wed 24 Sep, 2008

Thanks for the info, this works great.
dhost

