On WebReference.com today there's a new tutorial getting you up and running with phpList for your mailing list (and campaign) needs.

The popular email campaign manager phpList is open source, free to download and easy to use. The company Tincan is the commercial sponsor behind phpList, which comes in two forms: a hosted solution or a download that you can set up yourself on your server. If you don't want to go through the hassles of setting up and managing the system, you should go for the hosted solution. [...] Otherwise, you could just follow this article to set up phpList on your own and save yourself a few bucks.

The tutorial links you to the download you'll need to get this mailing list software and the instructions on how to get it all set up. They show you how to create lists and add users to them and how to send a simple message to a list. There's a few things they also show you how to "hack" on in the code like automatically confirming subscriptions, not sending the welcome email and removing the "powered by" image in the default emails.

Some of you might have heard about the hacking of the phpBB.com website earlier this week. Well, Stefan Esser has posted a bit more about the vulnerability in the PHPList software that lead to the problem.

A few days ago phpbb.com was hacked through a super-globals-overwrite vulnerability in PHPList that was used by an attacker for a local file inclusion exploit. Details about the whole attack, written down by someone who claims to be the attacker, can be read here.

Stefan talks about the superglobal problem PHPList had - allowing the superglobal information to overwrite the variables inside the script without so much as a check. Example code shows how it was possible for the attacker to provide their own configuration file value to be opened via a stream wrapper.

For those that might have missed it, the phpBB.com server was hacked via an unpatched version of another piece of PHP software running on the same machine. Stefan Koopmanschap has posted a bit about it and talks about what happened and what can be learned from it.

Yesterday the phpBB.com server got hacked. People who, like me, were there back in the days of phpBB2 will be reminded of the security flaws found in the software back then. However, this was not the cause of this hack. It was an unpatched version of another PHP package that caused the hack, which exposed amongst other things the full user database and several server passwords.

The problem was with an unpatched version of phpList, a mailing list manager, that allowed the hacker to get in and get out with a complete dump of the users table (including passwords and other private information).

I think the whole world can learn something from this: Your server is only as secure as your weakest link. So if you use any third party open source software, make sure that you always use the latest version, and that you subscribe to notification mailinglists of new releases. This will ensure that you get notified when new versions are released, so that you can patch your installation to the latest version and fix any vulnerabilities in the software.