Hi All,
Lately i'm getting a security warning about raspberrypi.org, it seems that this site is doing also something with phplist.com?
Perhaps this is cross site scripting?
Can anyone in the know confirm that this is legit, or has this website become infected with malware?
(Please note that I've done some site checks against Symantec and Trend Micro databases and these list the site as safe so it shouldn't be the latter, but I'd rather be safe than sorry and ask anyways..)
Just so you know, for me it's LastPass that is giving these security warnings.
Re: Security warning on raspberrypi.org?
Thanks for the note, I'll try to explain what's happening here...
When LastPass fills in the forum login form it inserts the username into the `username` field as below:
At the bottom of the page, you'll see there's a newsletter sign up form - this uses a service called phpList (it's what's used for the Pi Weekly emails). This form contains an `email` input.
Since login forms often contain either a `username` or an `email` input (and the two can be used somewhat interchangeably), LastPass is automatically filling in this `email` field with your username at the same time as filling in the login form, the assumption being that this may be part of the login form.
When the login form is submitted, pre-filled by LastPass, LastPass detects that another form has information in it filled in by LastPass (the newsletter form) and it then presents you with the following warning:
Somewhat ironic since it was of course LastPass which filled in this form (unnecessarily) in the first place!
The phpList form never gets submitted upon log in, and it only ever contains your username (not your password), so it is seemingly safe to ignore. However it may be preferable to see if LastPass can be configured to not blindly fill in any matching inputs in the page that aren't part of the login form itself. Unfortunately we can't rename the phpList form's `email` field to anything else, because it's a required field!
Hope that helps clarify.
When LastPass fills in the forum login form it inserts the username into the `username` field as below:
- Screenshot 2019-10-09 at 10.27.53.png (141.98 KiB) Viewed 505 times
At the bottom of the page, you'll see there's a newsletter sign up form - this uses a service called phpList (it's what's used for the Pi Weekly emails). This form contains an `email` input.
- Screenshot 2019-10-09 at 10.14.25.png (230.13 KiB) Viewed 505 times
Since login forms often contain either a `username` or an `email` input (and the two can be used somewhat interchangeably), LastPass is automatically filling in this `email` field with your username at the same time as filling in the login form, the assumption being that this may be part of the login form.
When the login form is submitted, pre-filled by LastPass, LastPass detects that another form has information in it filled in by LastPass (the newsletter form) and it then presents you with the following warning:
- Screenshot 2019-10-09 at 10.13.58.png (86.02 KiB) Viewed 505 times
Somewhat ironic since it was of course LastPass which filled in this form (unnecessarily) in the first place!
The phpList form never gets submitted upon log in, and it only ever contains your username (not your password), so it is seemingly safe to ignore. However it may be preferable to see if LastPass can be configured to not blindly fill in any matching inputs in the page that aren't part of the login form itself. Unfortunately we can't rename the phpList form's `email` field to anything else, because it's a required field!
Hope that helps clarify.
-
DougieLawson
- Posts: 38883
- Joined: Sun Jun 16, 2013 11:19 pm
- Location: A small cave in deepest darkest Basingstoke, UK
- Contact: Website Twitter
Re: Security warning on raspberrypi.org?
You should probably take your false positive alert to the folks that support Lastpass.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.
Criticising any questions is banned on this forum.
Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.
Criticising any questions is banned on this forum.
Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.
Re: Security warning on raspberrypi.org?
I had the same, and had to add:
To Equivalent Domains
Though I'm going to be watching this, since I can seeing making phplist.com an equivalent possibly being a problem.
Code: Select all
phplist.com, raspberrypi.orgThough I'm going to be watching this, since I can seeing making phplist.com an equivalent possibly being a problem.
Headless PI. OMG, someone cut it's head off. Oh, hang on. it didn't have one to start with.