Additions:
//This document outlines a number of measures that will help enhance the security of your system. Some of these measures may not be available to all of you, as it depends on the way you have hosted your phpList installation. While it isn't necessary to implement each and every measure suggested in this document, applying as many as you can is recommended.//
Make sure the .htaccess files in the directories of phpList (particularly those in the "admin" and "commonlib" directories) are active. The .htaccess files included with phpList should ensure that "index.php" is the only file accessible in the admin directory. No other php file should be accessible. Images and stylesheets may still be accessible.
**Note:** Some server settings may not allow overriding some of the Apache directives placed in the .htaccess files, which means the files are not parsed. If in doubt, check this with your host. If your host does not allow uploading .htaccess files via FTP, you should contact them to find a secure alternative.
For more information on [[http://en.wikipedia.org/wiki/File_system_permissions file system permissions]], please consult the manual of your particular operating system, or contact your host.
You can use this measure in combination with the administrator login system of your phpList installation, in which case your phpList administrators will first have to authenticate to the protected admin directory, and then log in as a phpList admin.
Set "register globals" to be "off" in your php.ini file. If your server is in a shared hosting environment, and if you do not have access to php.ini, you could also use this directive in your .htaccess file: ''php_flag register_globals off''
==Change the phpList admin password==
==Make sure each database application is owned by a separate database user==
Deletions:
Make sure the .htaccess files in the different directories of phpList (particularly those in the "admin" and "commonlib" directories) are active. The .htaccess files included with phpList should ensure that "index.php" is the only file accessible in the admin directory. No other php file should be accessible. Images and stylesheets may still be accessible.
**Note:** Some server settings do not allow overriding some of the Apache directives we have put in the .htaccess files, which means the files are not parsed. If in doubt, check this with your host. If your host does not allow uploading .htaccess files via FTP, you should contact them to find a secure alternative.
For more information on [[http://en.wikipedia.org/wiki/File_system_permissions file system permissions]], please consult the manual of your particular operating system, or consult your host.
You can use this measure in combination with the administrators login system of your phpList installation, in which case your admins have to gain access to protected admin directory first, and then login as a phpList admin.
Set "register globals" to be "off" in your php.ini file. If you are in a shared hosting environment, and if you do not have access to php.ini, you could also use this directive in your .htaccess file: ''php_flag register_globals off''
==Change phpList admin password==
==Each database application should use a separate database user==
Additions:
==Backup your database==
Make regular [[BackupDatabase backups of your database]] and keep them in a safe place.
Additions:
//This document outlines a number of measures that can be taken to enhance the security of your system. Some of these measures may not be available to all of you, as it depends on the way you have hosted your phpList installation. While it isn't necessary to implement each and every measure suggested in this document, applying as many as you possibly can is recommended.//
==Keep your installation up to date==
==Limit executable access (htaccess)==
Make sure the .htaccess files in the different directories of phpList (particularly those in the "admin" and "commonlib" directories) are active. The .htaccess files included with phpList should ensure that "index.php" is the only file accessible in the admin directory. No other php file should be accessible. Images and stylesheets may still be accessible.
**Note:** Some server settings do not allow overriding some of the Apache directives we have put in the .htaccess files, which means the files are not parsed. If in doubt, check this with your host. If your host does not allow uploading .htaccess files via FTP, you should contact them to find a secure alternative.
For more info see:
==Set proper file and directory permissions ==
Check that your directories and files have proper read/write permissions. Permissions should be as low as possible. This may vary somewhat, depending on the way your server is hosted. However, check that permissions are NOT higher than this ''(needs to be verified)'':
{{table columns="3" cells=";permissions (octal);(symbolic);Directories;755;d rwx r-x r-x;Files;644;- rw- r-- r--;"}}
For more information on [[http://en.wikipedia.org/wiki/File_system_permissions file system permissions]], please consult the manual of your particular operating system, or consult your host.
==Run your site as an Apache user with limited permissions==
Run the website as an Apache user with very limited permissions on your server, particularly no write permissions in any of the documents of your website. See also [[http://httpd.apache.org/docs/1.3/misc/security_tips.html Apache security tips]].
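The following script is an added example, not a phpList tool: it lists every file or directory above the 755/644 ceiling in the table and can apply that ceiling to a tree. The install path is an assumption. Note what the ceiling does not cover: 644 still lets the owner write, so the previous point (the Apache user must not be able to write the site files) has to be met by ownership, not by mode; if the web server account owns the tree, 644 is already too loose.

```shell
#!/bin/sh
# Added example, not a phpList tool: audit a phpList tree against the 755/644
# ceiling above and apply it on request.  The install path is an assumption.

# audit_perms ROOT
#   Prints every directory writable by group or others (above 755) and every
#   file that is group/other-writable or has any execute bit (above 644).
#   Returns 1 if anything was printed, 0 if the tree is within the ceiling.
#   Single-bit -perm tests are used because GNU's "-perm /mode" (any of
#   these bits) is not available in every find.
audit_perms() {
    root=$1
    offenders=$(
        find "$root" -type d \( -perm -020 -o -perm -002 \) -print
        find "$root" -type f \( -perm -020 -o -perm -002 \
                             -o -perm -100 -o -perm -010 -o -perm -001 \) -print
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# fix_perms ROOT
#   Applies the ceiling: 755 on directories, 644 on files.  Run as the owner
#   of the tree.  This does not loosen anything for the web server account;
#   if that account needs to write somewhere (phpList's upload directory),
#   make it the owner of just that directory rather than adding o+w.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone use:  sh perms.sh /var/www/lists [--fix]
if [ -n "${1:-}" ]; then
    if audit_perms "$1"; then
        echo "OK: nothing above 755/644 under $1"
    elif [ "${2:-}" = "--fix" ]; then
        fix_perms "$1" && echo "applied 755/644; run again to verify"
    else
        exit 1
    fi
fi
```

Run the audit as the account that uploaded phpList and compare the listed files against what the deleted recommendations below call for (config.php and other data files read by PHP can go down to 600 or 400 when PHP runs as the file owner, 604 or 404 otherwise); anything the script lists is wrong under every one of those schemes.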
==Password protect the admin directory (htaccess)==
Password protect your admin directory. Apache users can use the .htaccess file in the admin directory for that purpose. For more information, see the [[http://httpd.apache.org/docs/1.3/howto/auth.html Apache documentation]].
You can use this measure in combination with the administrator login system of your phpList installation, in which case your admins first have to authenticate to the protected admin directory, and then log in as a phpList admin.
==Set "register globals" to "off" (php.ini/htaccess)==
Set "register globals" to be "off" in your php.ini file. If you are in a shared hosting environment, and if you do not have access to php.ini, you could also use this directive in your .htaccess file: ''php_flag register_globals off''
For more information, please consult the [[http://www.php.net/register_globals PHP documentation]] on this topic.
==Change phpList admin password==
Change the admin password immediately after having installed phpList.
==Run phpList behind a firewall==
Run your phpList installation on a server that has a firewall installed that only allows the necessary services to be served.
==Each database application should use a separate database user==
If you run several PHP/""MySQL"" applications on the same server, it is recommended to use separate databases, each owned by a different username/password combination. This serves as a containment measure: if an intruder manages to gain access to one of your application's databases, the others will still remain uncompromised. See also [[http://www.securityfocus.com/infocus/1667 Secure MySQL Database Design]].
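As an added example that is not part of phpList: the statements a MySQL administrator would run to give one application its own schema and account, and a check over the output of SHOW GRANTS that flags an account whose privileges reach outside its schema. Database, user and host names and the sample grant lines are constructed.

```shell
#!/bin/sh
# Added example, not part of phpList: one schema and one account per
# application, and a check that an account's grants stay inside its schema.
# Database, user and host names and the sample grant lines are constructed.

# grant_sql DBNAME USER PASSWORD
#   Prints the statements to run as the MySQL root user: the application's
#   own schema, an account bound to localhost, the table-level privileges a
#   PHP application (and its upgrades and mysqldump backups) needs, and no
#   GRANT OPTION.  Do not pass a password containing an apostrophe unquoted.
grant_sql() {
    db=$1; user=$2; pass=$3
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP, LOCK TABLES
    ON \`$db\`.* TO '$user'@'localhost';
EOF
}

# grants_confined DBNAME
#   Reads SHOW GRANTS output on stdin and prints every grant that reaches
#   outside DBNAME: privileges on *.* (other than the bare USAGE line, which
#   means "none"), ALL PRIVILEGES, GRANT OPTION, or another schema.
#   Exit status 1 if anything was printed.  Accepts `db`.* and 'db'.* forms.
grants_confined() {
    awk -v db="$1" -v q="'" '
        /^GRANT[ \t]+USAGE[ \t]+ON[ \t]+\*\.\*/ && !/WITH GRANT OPTION/ { next }
        /ALL PRIVILEGES/ || /WITH GRANT OPTION/ || / ON \*\.\* / { print; bad = 1; next }
        {
            obj = $0; sub(/^.* ON /, "", obj); sub(/ TO .*$/, "", obj)   # the schema.table part
            schema = obj; sub(/\..*$/, "", schema)
            gsub(/`/, "", schema); gsub(q, "", schema)
            if (schema != db) { print; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone demo with constructed SHOW GRANTS output.
grant_sql phplist phplist_user 'ChangeMe-Use-A-Long-Random-One'
echo "--- confined account:"
grants_confined phplist <<'EOF' && echo "ok: grants stay inside phplist"
GRANT USAGE ON *.* TO 'phplist_user'@'localhost' IDENTIFIED BY PASSWORD '*0123'
GRANT SELECT, INSERT, UPDATE, DELETE ON `phplist`.* TO 'phplist_user'@'localhost'
EOF
echo "--- the usual shared account, flagged:"
grants_confined phplist <<'EOF' || echo "NOT confined"
GRANT ALL PRIVILEGES ON *.* TO 'webapps'@'%' WITH GRANT OPTION
GRANT SELECT ON `shop`.* TO 'webapps'@'%'
EOF
```

Feed the output of grant_sql to the mysql client as the root user and put the generated credentials in phpList's config.php. To audit an existing server, run SHOW GRANTS FOR 'user'@'host' for each application account and pipe the output through grants_confined with that application's database name; a non-zero exit means the account can read or write another application's data, which is exactly the containment failure the paragraph describes. Note that the database password sits in config.php in clear, so the file permissions and separate OS accounts discussed above are part of the same containment boundary.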
Deletions:
===Keep your installation up to date===
===Limit executable access (htaccess)===
Make sure the .htaccess files in the different directories of PHPlist (particularly those in the "admin" and "commonlib" directories) are active. The .htaccess files distributed with phplist should ensure that "index.php" is the only file accessible in the admin directory. No other php file should be accessible. Images and stylesheets may still be accessible.
**Note:** Some server settings do not allow overriding some of the Apache directives we have put in the .htaccess files, which means the files are not parsed. If in doubt, check this with your host.
Unfortunately some ISPs do not allow uploading .htaccess files via FTP, in which case you should contact your ISP to find a secure alternative.
For more info see,
===Set proper file and directory permissions ===
Check that your directories and files have proper read/write permissions. Permissions should be as low as possible. This may vary somewhat, depending on the way your server is hosted. More details needed....
Check that permissions are NOT higher than this (needs to be verified):
Directories: 755
Files: 644
These are recommended permissions (needs to be verified, may not be possible with every host):
Directories: 705 (rwx ""---"" r-x) or 505 (r-x ""---"" r-x)
.php files and data files that are read or written by php code: 400 (r-- ""---"" ""---"") or 600 (rw- ""---"" ""---"").
Set *.html, *.jpg, *.gif, *.png and any other files that are referenced via URL to 604 (rw- ""---"" r--) or 404 (r-- ""---"" r--).
Set all other files to 400 (r-- ""---"" ""---"") or 600 (rw- ""---"" ""---"").
===Run your site as an Apache user with limited permissions===
Run the website as an Apache user who has no other permissions on your server, particularly no write permissions in any of the documents of your website.
===Password protect the admin directory (htaccess)===
Password protect your admin directory. Apache users can use the .htaccess file in the admin directory for that purpose. For more information, see http://httpd.apache.org/docs/1.3/howto/auth.html
You can use this measure in combination with the administrators login system of your PHPlist installation, in which case your admins have to first access the system with a general password and then login as a PHPlist admin.
===Set "register globals" to "off" (php.ini/htaccess)===
Set "register globals" to be "off" in your php.ini file. If you are on a shared hosting environment, and if you do not have access to php.ini, you could also use this directive in your .htaccess file: php_flag register_globals off
For more information, see http://www.php.net/register_globals
===Change phplist admin password===
Change the admin password as soon as you have installed PHPlist.
===Run phplist behind a firewall===
Run your PHPlist installation on a server that has a firewall installed that only allows the necessary services to be served.
===Each database application should use separate database user===
If you run several PHP/MySQL applications on the same server, it is recommended to use separate databases, each owned by a different username/password combination. This serves as a containment measure: if an intruder manages to gain access to one of your application's databases, the others will still remain uncompromised. See also [[http://www.securityfocus.com/infocus/1667 Secure MySQL Database Design]].
Additions:
//This document outlines a number of measures that can be taken to enhance the security of your system. Some of these measures may not be available to all of you, as it depends on the way you have hosted your PHPlist installation. While it isn't necessary to implement each and every measure suggested in this document, applying as many as you possibly can is recommended.//
===Keep your installation up to date===
Subscribe to the [[http://www.phplist.com/lists/?p=subscribe&id=5 phpList announcements mailing list]] to be kept informed of security fixes and upgrades, and install these as soon as they are available.
===Limit executable access (htaccess)===
Make sure the .htaccess files in the different directories of PHPlist (particularly those in the "admin" and "commonlib" directories) are active. The .htaccess files distributed with phplist should ensure that "index.php" is the only file accessible in the admin directory. No other php file should be accessible. Images and stylesheets may still be accessible.
**Note:** Some server settings do not allow overriding some of the Apache directives we have put in the .htaccess files, which means the files are not parsed. If in doubt, check this with your host.
For more info see,
~&[[http://en.wikipedia.org/wiki/Htaccess Wikipedia - .htaccess]]
~&[[http://httpd.apache.org/docs/trunk/howto/htaccess.html Apache Tutorial: .htaccess files]]
===Set proper file and directory permissions ===
Check that your directories and files have proper read/write permissions. Permissions should be as low as possible. This may vary somewhat, depending on the way your server is hosted. More details needed....
Check that permissions are NOT higher than this (needs to be verified):
Directories: 755
Files: 644
These are recommended permissions (needs to be verified, may not be possible with every host):
Directories: 705 (rwx ""---"" r-x) or 505 (r-x ""---"" r-x)
.php files and data files that are read or written by php code: 400 (r-- ""---"" ""---"") or 600 (rw- ""---"" ""---"").
Set *.html, *.jpg, *.gif, *.png and any other files that are referenced via URL to 604 (rw- ""---"" r--) or 404 (r-- ""---"" r--).
Set all other files to 400 (r-- ""---"" ""---"") or 600 (rw- ""---"" ""---"").
===Run your site as an Apache user with limited permissions===
Run the website as an Apache user who has no other permissions on your server, particularly no write permissions in any of the documents of your website.
===Password protect the admin directory (htaccess)===
Password protect your admin directory. Apache users can use the .htaccess file in the admin directory for that purpose. For more information, see http://httpd.apache.org/docs/1.3/howto/auth.html
You can use this measure in combination with the administrators login system of your PHPlist installation, in which case your admins have to first access the system with a general password and then login as a PHPlist admin.
===Set "register globals" to "off" (php.ini/htaccess)===
Set "register globals" to be "off" in your php.ini file. If you are on a shared hosting environment, and if you do not have access to php.ini, you could also use this directive in your .htaccess file: php_flag register_globals off
For more information, see http://www.php.net/register_globals
===Change phplist admin password===
Change the admin password as soon as you have installed PHPlist.
===Run phplist behind a firewall===
Run your PHPlist installation on a server that has a firewall installed that only allows the necessary services to be served.
===Each database application should use separate database user===
If you run several PHP/MySQL applications on the same server, it is recommended to use separate databases, each owned by a different username/password combination. This serves as a containment measure: if an intruder manages to gain access to one of your application's databases, the others will still remain uncompromised. See also [[http://www.securityfocus.com/infocus/1667 Secure MySQL Database Design]].
Deletions:
This document tries to outline measures that can be taken to make sure that your system is not compromised.
Some of these measures may not be available to all of you, as it depends on the way you have hosted your PHPlist installation. It will not be necessary to use all of them, but using as many as you possibly can, will improve the security of your system.
1. Subscribe to the announcements mailing list. You do this by sending an email to phplist-announce-subscribe@tincan.co.uk. This is very important, because any new vulnerability that is found will (hopefully) be reported to the developers, in which case we will release a fix as soon as we can.
2. Make sure the .htaccess files in the different directories of PHPlist (particularly those in the "admin" and "commonlib" directories, as well as other directories) are active. Some server settings do not allow overriding some of the Apache directives we have put in there, which means the files are not parsed.
The .htaccess files should ensure that "index.php" is the only file accessible in the admin directory. No other php file should be accessible. Images and Stylesheets may still be accessible.
3. Add a password to your admin directory. You can use the sample "htaccess" file and copy the contents into the .htaccess file that is in the admin directory.
If you still want to use the "admin" system of your PHPlist installation, this would mean your admins have to first enter into the system with a general password and then as a PHPlist admin.
4. Set "register globals" to be "off" in your php.ini file.
5. Run the website as an Apache user who has no other permissions on your server, particularly no write permissions in any of the documents of your website.
6. Change the admin password as soon as you have installed PHPlist.
7. Run your PHPlist installation on a server that has a firewall installed that only allows the necessary services to be served.
Revision [1521]
Edited on 2008-03-28 05:06:04 by AlStillero [First draft, based on the README.security file]
Additions:
=====Securing phpList =====
As with any open source application, PHPlist can be thoroughly investigated by anyone who may want to use it as a method to gain entry into a system they should not be able to access. Even though the developers of PHPlist have taken the utmost care to avoid this, there is no guarantee that it will not happen.
This document tries to outline measures that can be taken to make sure that your system is not compromised.
Some of these measures may not be available to all of you, as it depends on the way you have hosted your PHPlist installation. It will not be necessary to use all of them, but using as many as you possibly can, will improve the security of your system.
1. Subscribe to the announcements mailing list. You do this by sending an email to phplist-announce-subscribe@tincan.co.uk. This is very important, because any new vulnerability that is found will (hopefully) be reported to the developers, in which case we will release a fix as soon as we can.
2. Make sure the .htaccess files in the different directories of PHPlist (particularly those in the "admin" and "commonlib" directories, as well as other directories) are active. Some server settings do not allow overriding some of the Apache directives we have put in there, which means the files are not parsed.
The .htaccess files should ensure that "index.php" is the only file accessible in the admin directory. No other php file should be accessible. Images and Stylesheets may still be accessible.
Unfortunately some ISPs do not allow uploading .htaccess files via FTP, in which case you should contact your ISP to find a secure alternative.
3. Add a password to your admin directory. You can use the sample "htaccess" file and copy the contents into the .htaccess file that is in the admin directory.
If you still want to use the "admin" system of your PHPlist installation, this would mean your admins have to first enter into the system with a general password and then as a PHPlist admin.
4. Set "register globals" to be "off" in your php.ini file.
5. Run the website as an Apache user who has no other permissions on your server, particularly no write permissions in any of the documents of your website.
6. Change the admin password as soon as you have installed PHPlist.
7. Run your PHPlist installation on a server that has a firewall installed that only allows the necessary services to be served.
Deletions:
//This page is a **template** intended for documentation of **official phplist features**. This page belongs to CategoryTemplate (which contains more handy templates). To create a phplist **documentation** page, [[http://docs.phplist.com/DocumentationTemplate/clone clone this page]], replace the title with a meaningful one and replace this paragraph with the actual page content.//