[Typo3-dev] t3lib_formmail open for relaying
Andreas Brunschweiler
andreas-t3 at brx.ch
Thu Mar 25 21:44:34 CET 2004
With surprise I discovered that the recipient email of the standard Typo3
Mail Forms is submitted as a hidden field. Upon receiving the mail form's
content, no check of the receiver's mail address is performed. Therefore, it
is possible to send mails to any receiver.
> POST /impressum/index.html HTTP/1.1
> [...]
> Content-Type: multipart/form-data;
> boundary=---------------------------114782935826962
> Content-Length: 944
>
> -----------------------------114782935826962
> Content-Disposition: form-data; name="html_enabled"
>
> 1
> -----------------------------114782935826962
> Content-Disposition: form-data; name="subject"
>
> Rückmeldung
> -----------------------------114782935826962
> Content-Disposition: form-data; name="recipient"
>
> andreas-t3 at brx.ch
> -----------------------------114782935826962
> [...]
Shouldn't formmail be disabled by default, so that the users are at least
aware of the risks?
Andreas
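
One way to close the gap described in this message, as an added example (not TYPO3 code and not part of the original post): the server binds the hidden recipient value to an HMAC when it renders the form and checks both the HMAC and an allowlist before mailing. The function names, the recipient_token field, the secret and the addresses are assumptions made for the illustration.

```php
<?php
// Added example, not TYPO3 code. All names below are hypothetical.

// Assumption: server-side secret, never sent to the browser.
const FORM_SECRET = 'replace-with-random-server-side-secret';

// Assumption: the only addresses this site's forms may deliver to (constructed values).
const ALLOWED_RECIPIENTS = ['webmaster@example.org', 'info@example.org'];

/** Token emitted next to the hidden "recipient" field when the form is rendered. */
function recipientToken(string $recipient): string
{
    return hash_hmac('sha256', strtolower($recipient), FORM_SECRET);
}

/**
 * Returns the address to mail to, or null if the submission must be rejected.
 * $post is the decoded form data (e.g. $_POST).
 */
function resolveRecipient(array $post): ?string
{
    $recipient = $post['recipient'] ?? '';
    $token     = $post['recipient_token'] ?? '';
    if (!is_string($recipient) || !is_string($token)) {
        return null; // arrays submitted in place of scalar field values
    }
    $recipient = strtolower(trim($recipient));
    // Exactly one syntactically valid address: no lists, no CR/LF.
    if (preg_match('/[\r\n,;]/', $recipient) || !filter_var($recipient, FILTER_VALIDATE_EMAIL)) {
        return null;
    }
    // The value must be the one the server put into the form ...
    if (!hash_equals(recipientToken($recipient), $token)) {
        return null;
    }
    // ... and must still be an address this site is willing to mail to.
    return in_array($recipient, ALLOWED_RECIPIENTS, true) ? $recipient : null;
}

// Constructed submissions: the first is what the rendered form sends,
// the second has an edited hidden field with the old token attached.
$genuine  = ['recipient' => 'info@example.org', 'recipient_token' => recipientToken('info@example.org')];
$tampered = ['recipient' => 'someone@elsewhere.example', 'recipient_token' => $genuine['recipient_token']];

var_dump(resolveRecipient($genuine));
var_dump(resolveRecipient($tampered));
```

The allowlist alone already stops relaying; the HMAC additionally ties each rendered form to the one recipient the server chose for it.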