Earlier this week, it was announced that phpList had a critical security vulnerability permitting an attacker to bypass authentication and login as an administrator using an incorrect & carefully-crafted password in some cases. This bug is a result of the fact that [a] PHP is a loosely typed language and [b] the phpList team was using the ‘==’ operator to test for equality of the user’s hashed password against the DB. This security pitfall has been known in PHP since at least 2010 (a decade ago!), but I’m sure the same mistake will be made again..
https://tech.michaelaltfield.net/2020/02/14/phplist-hardening-security/
Submitted February 14, 2020 at 01:00PM by maltfield https://www.reddit.com/r/webhosting/comments/f3xspi/psa_phplist_authentication_bypass_exploit_in_v350/?utm_source=ifttt
from Blogger http://webdesignersolutions1.blogspot.com/2020/02/psa-phplist-authentication-bypass.html
via IFTTT
Web Designer Solutions 