phpList ships with a preconfigured .htaccess
file (distributed Apache configuration directives) which protects certain files in the admin/
subfolder from being processed individually (most of these files are intended to be referenced within index.php
, not directly).
Certain web hosting providers may not allow .htaccess
files to alter the web server behavior. To test whether your admin/.htaccess
file is effective, try to open the URL http://url-to-your-phplist-install.com/admin/subscribelib2.php
in your browser.
If your .htaccess
file is working as expected, you will receive a 403 Forbidden message, as this file is not intended to be accessed directly.
However, if your .htaccess
file is ineffective, you will see a single line, reading Invalid Request. If this is the case, then your .htaccess
file is being ignored by your web server and you should contact your hosting provider to address this. Your phpList installation is vulnerable.
3.135.249.220