Poor disclosure on phplist puts users at risk


Post by BrettD » 8:18pm, Sat 26 Apr, 2014

I don't think phplist is doing a good job at all of notifying users of required security upgrades, based on what I've seen with 3.0.6. It is putting phplist users at risk of legal liability.

I discovered the 3.0.6 upgrade this week on the website only because I was trying to solve another bug. It states in part

" We fixed... a security issue that was discovered by David Sopas. We appreciate the careful handling by David of this issue, which benefits phpList and the entire community. We strongly advise everyone to upgrade to the latest version."

And how easy was it for phplist users to discover this essential new version? I did NOT receive an email notification of this new release. The last notice I received was 19 Aug 2013, "Subject: [phpList] version 3.0.2".

So phplist has disclosed the vulnerability on its front page but has done a poor job of notifying users that they should upgrade - simply creating opportunity for the bad guys?

The forum announcement about 3.0.6 is useless toward this end too. It had a wrong, older date associated with it and says nothing about "strongly [advising] everyone" to upgrade.

"Some of the issues fixed can be found on the mantis changelog page"

"Some" of the issues? Say what? Is the phplist team more intent on saving face here than being transparent with the disclosure, so that users can understand their past and potential future risk from this software defect? We have to run diffs on the code to discover what's up ourselves? This is NOT GOOD folks.

All of this is not up to modern standards of notification and disclosure and is disappointing. Software defects occur. We all know about heartbleed... and a million others. We get that. While they must be minimized by software development processes, how security-related defects and notifications are handled is as important.

phplist is a project that works with large databases of people's private information, with public-facing components. It is not a workstation tool like an editor. The phplist developers and project have a higher responsibility to deal with software defects that could lead to disclosure of personal information. Organizations operating mailing lists like I do often have LEGAL REQUIREMENTS to not disclose information like email addresses and names. (PIPEDA in my case, Canada).

I would suggest that phplist needs to handle user notifications of security patches much more reliably and effectively than it is doing now. Here are a few suggestions that I believe are relatively easy to implement:

1. Immediately notify all registered users of the availability of 3.0.6 and the need for an upgrade
2. Establish a security-announcements-only list and invite subscribers (in 1) to subscribe
3. Start using the list in (2) reliably
4. Create a simple notification on the backend that will alert admins to the availability of a new (security) release, as F/LOSS projects do e.g. Joomla, Piwik

I'm looking forward to the project's response to these suggestions.

Brett Delmage
BrettD
phpList newbie
 
Posts: 3
Joined: 6:50pm, Sat 26 Apr, 2014

Re: Poor disclosure on phplist puts users at risk

Post by michiel » 1:57pm, Sun 27 Apr, 2014

Thanks for the suggestions, that's very helpful. We'll have a good look at our processes and will make some changes. A security-only list is probably a good idea.

May I point out that your point 4 has been part of phpList for over 7 years. Unless you have disabled it, which is your own choice. If you login to your phpList installation, it will alert you of the availability of a new release.
michiel
Admin
 
Posts: 1022
Joined: 10:18pm, Fri 11 Apr, 2003
Location: Buenos Aires, Argentina

Re: Poor disclosure on phplist puts users at risk

Post by JKE » 1:15pm, Mon 28 Apr, 2014

Michiel,

I only learned of the upgrade by seeing it mentioned on these forums.

After reading your post, I logged into my phplist installation. I had previously logged in within the past few days. The login took me to the last place I had been (manage subscribers), which did NOT inform me of the new version. When I went to the Dashboard I did get a notification of the new version. The notification included two links at its bottom; one to view what had changed, and one to download the new version.

The URL for viewing the changes was https://www.phplist.com/latestchanges?u ... gn=phpList which took me to a page describing the new 3.0 (not 3.0.6) dated 14 August 2013!

So, you may have a mechanism in place, but it is badly flawed.

JK
JKE
phpLister
 
Posts: 10
Joined: 3:03am, Tue 01 Apr, 2014
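The two defects JKE reports (the notice depends on which page you land on, and the "what changed" link points at the generic 3.0 page rather than at 3.0.6) are both things an update check can verify for itself. The following is an added example written for this thread, not phpList's own update code; the release feed it reads is a constructed dict whose fields (latest, security, changes_url, download_url) are assumptions made for the example, not phpList's real feed format.

```python
"""Release-notification check: added example, not phpList's code.

Shows (1) numeric version comparison, since string comparison would rank
3.0.10 below 3.0.6, and (2) validating that the links in the notice name
the release they are supposed to describe, which is the stale-link defect
reported in the thread.
"""
import re

# Constructed sample feed (the field names are an assumption for this
# example; phpList's real update feed is not modelled here). The changes
# link deliberately points at the generic 3.0 page, reproducing the bug
# described in the thread.
SAMPLE_FEED = {
    "latest": "3.0.6",
    "security": True,
    "changes_url": "https://www.phplist.com/latestchanges?v=3.0",
    "download_url": "https://example.invalid/phplist/3.0.6/phplist-3.0.6.zip",
}

VERSION_TOKEN = re.compile(r"\d+(?:\.\d+)+")


def parse_version(s):
    """'3.0.6' -> (3, 0, 6). Tuples of ints compare numerically."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", s):
        raise ValueError(f"unexpected version string: {s!r}")
    return tuple(int(part) for part in s.split("."))


def version_newer(latest, installed):
    return parse_version(latest) > parse_version(installed)


def link_names_version(url, version):
    """True only if the URL contains the full release version.

    '3.0' is not '3.0.6', so a link to the generic 3.0 page fails this.
    """
    return any(tok == version for tok in VERSION_TOKEN.findall(url))


def check_for_update(installed, feed):
    """Compare the installed version with the feed and audit the notice links."""
    latest = feed["latest"]
    newer = version_newer(latest, installed)
    problems = []
    if newer:
        if not link_names_version(feed["changes_url"], latest):
            problems.append("changes link does not name " + latest)
        if not link_names_version(feed["download_url"], latest):
            problems.append("download link does not name " + latest)
    return {
        "installed": installed,
        "latest": latest,
        "upgrade_needed": newer,
        "security": bool(feed.get("security")) and newer,
        "link_problems": problems,
    }


def admin_notice(installed, feed):
    """Text to render on every admin page, not only the dashboard.

    Returns None when nothing needs saying, so callers can simply test it.
    """
    result = check_for_update(installed, feed)
    if not result["upgrade_needed"]:
        return None
    kind = "SECURITY release" if result["security"] else "release"
    msg = (f"phpList {result['latest']} ({kind}) is available; "
           f"you are running {result['installed']}.")
    if result["link_problems"]:
        msg += " Warning: " + "; ".join(result["link_problems"]) + "."
    return msg


if __name__ == "__main__":
    # Installed 3.0.2 (the last release BrettD was mailed about) against
    # the constructed feed advertising 3.0.6.
    print(admin_notice("3.0.2", SAMPLE_FEED))
```

The point of `admin_notice` returning a value rather than writing to a page is that the same call can be made from a common page header, so an admin who lands on "manage subscribers" sees the same warning as one who lands on the dashboard.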

Re: Poor disclosure on phplist puts users at risk

Post by michiel » 2:02pm, Mon 28 Apr, 2014

ah, blast, yes, that is obviously not correct. I will get onto that immediately. It would really help if you can write that up in a mantis report and I will assign it to the next version.

Thanks
michiel
Admin
 
Posts: 1022
Joined: 10:18pm, Fri 11 Apr, 2003
Location: Buenos Aires, Argentina

Re: Poor disclosure on phplist puts users at risk

Post by JKE » 1:26am, Tue 29 Apr, 2014

I don't have a clue as to how to do a mantis report. I assume you would want the fact that the notice only shows up on the dashboard to be the subject of the report, not the fact that the link goes to a home page with old information on it. Right?
JK
JKE
phpLister
 
Posts: 10
Joined: 3:03am, Tue 01 Apr, 2014
