phpList 3.5.7 released: security enforcements on the authentication process


phpList 3.5.7 is now available for installation. This release introduces security enforcements on the authentication process.

You can update your phpList installation using the Automatic Updater, or you can download it directly from SourceForge.

Fixes to look for:

  • Dashboard page title has been renamed from “Upgrade phpList” to “Update database” to avoid confusion. Thanks to @hktang for the Pull Request 4.
  • Session fixation: The application now generates a new session key upon authentication, so that an unauthenticated user cannot obtain the key of a legitimate user.
  • Sanitise the browser trail cookie to prevent cross-site scripting.

Community-made

This release is the work of @hktang and other Open Source community members who have submitted bug reports and valuable feedback, as well as phpList Ltd. developers. To get involved in phpList development, check out the developer resources pages.

Report any issues you find with phpList 4 core or REST API to the corresponding repo on GitHub. Please read the contribution guide on how to contribute to these modules.

Support

Need help upgrading your phpList server to the newest version? Ask the community at discuss.phplist.org. Professional support from community experts, as well as manuals, source code, and developer resources, can be found at phplist.org. Report all bugs to the bugtracker!

Want to focus on campaigns and forget hosting headaches? Sign up at phplist.com for an account with everything included. Send from 300 free messages to 30 million messages per month — simple.
