Open bizmate opened 8 years ago
Interesting. Thanks. As a plugin, the authentication is supposedly done by phpList. I will check what's going on.
Can you remove the `Cookie: browsetrail=%3Fpage%3Dplugins%26tk%3D0177899; PHPSESSID=RAY%2ChQo8PYG%2CEUHdeH9Xi3` header from the request and try again?
Well spotted. It looks like the application cookie was authenticating/allowing the call. Still a few inconsistent facts. Using a separate client (I was using a Chrome extension that was re-using browser cookies before) and thus having no cookie in the request, I tried the following:
1) No auth request - Same request for `cmd=listsGet` with no auth information. Response is the HTML login page, with HTTP 200, though I would expect an HTTP 401.
2) Auth with secret - Same request for `cmd=listsGet` with `secret=VALUEASSETINCONFIG`. Response is the HTML login page, with HTTP 200, though I would expect an HTTP 200 with a JSON response containing the lists.
3) Auth with secret, login and password - Although the plugin does not require login and password, I still tried using the admin authentication plus the secret. Response is the same as at attempt 2).
In the unit tests https://github.com/phpList/phplist-plugin-restapi/blob/master/tests/phpunit/restapi.php and also in the doc at page `admin/?page=main&pi=restapi&tk=0177899`, I noticed that to acquire access you need to do a POST request to manually log in before running a command?
This shows a few different problems.
That's great, thanks. We will look into this.
There is no security on the restapi, despite what the documentation and tests show. i.e. I am able to get the news lists using the listsGet with no login, secret or password.
I am surprised something like this is even possible and not spotted by anyone. See HTTP trace below.
If I enable the `restapi-test` I get a development login and password, but nothing like this is available with `restapi`.
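The two behaviours raised in this thread, a command being allowed on the strength of the browser session cookie alone and an unauthenticated API call answered with the HTML login page and HTTP 200, are exactly what an authentication gate on a JSON command endpoint has to rule out. The following is an added illustration written for this page, not code from phpList or the restapi plugin; the function names, the `restapi_secret` configuration key and the `adminloggedin` session key are assumptions.

```php
<?php
// Added example (not phpList or plugin code): an authentication gate for a
// JSON command endpoint. Function names, the 'restapi_secret' config key
// and the 'adminloggedin' session key are assumptions for this example.

declare(strict_types=1);

/**
 * Decide whether a REST call may proceed.
 *
 * Rules (defensive defaults, not the plugin's actual rules):
 *  - only POST is accepted, so a browser following a link while its
 *    session cookie is sent automatically cannot trigger a command;
 *  - the shared secret from the configuration must be present and must
 *    match, compared in constant time;
 *  - the caller must additionally hold an authenticated admin session;
 *    the session cookie on its own is never sufficient.
 *
 * Returns null when the call may proceed, otherwise an array describing
 * the JSON error response to send.
 */
function restapi_authorize(string $method, array $post, array $session, array $config): ?array
{
    if ($method !== 'POST') {
        return ['status' => 405, 'error' => 'Method not allowed'];
    }

    $configured = (string) ($config['restapi_secret'] ?? '');
    $supplied   = (string) ($post['secret'] ?? '');
    if ($configured === '' || $supplied === '' || !hash_equals($configured, $supplied)) {
        return ['status' => 401, 'error' => 'Invalid or missing secret'];
    }

    if (empty($session['adminloggedin'])) {
        return ['status' => 401, 'error' => 'Not authenticated'];
    }

    return null;
}

/**
 * Answer an API client with JSON and the real status code, never with an
 * HTML login page and HTTP 200, so clients and monitoring can tell a
 * rejected call from a successful one.
 */
function restapi_send_error(array $error): void
{
    http_response_code($error['status']);
    header('Content-Type: application/json');
    echo json_encode(['status' => 'error', 'message' => $error['error']]);
}

// Usage at the top of the endpoint, before any command is dispatched:
//   $denied = restapi_authorize($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION, $config);
//   if ($denied !== null) {
//       restapi_send_error($denied);
//       exit;
//   }
//   // ... dispatch $_POST['cmd'] (e.g. listsGet) here ...
```

The gate is deliberately an AND of both factors: a valid secret without a session is refused, and a session without the secret is refused, so the browser cookie observed in the thread's first trace would no longer be enough by itself. Replaying the thread's three attempts against this gate gives 401 JSON for the first, 401 JSON for the second unless the caller also logged in, and 200 JSON only for the third.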