[Typo3-dev] t3lib_formmail open for relaying
Martin T. Kutschker
Martin.T.Kutschker at blackbox.net
Fri Mar 26 08:37:05 CET 2004
Andreas Brunschweiler wrote:
> With surprise I discovered that the recipient email of the standard
> Typo3 Mail Forms is submitted as a hidden field. Upon receiving the mail
> form's content, no check of the receiver's mail address is performed.
> Therefore, it is possible to send mails to any receiver.
I didn't check if there are any mechanisms in place. But one possibility
that springs to my mind is to protect all hidden fields with a hash (MD5
or SHA-1), perhaps salted with the secret key (some SYS global config
var whose name I don't recall right now).
It remains to be determined what the hidden fields are. A static set? Or
should another hidden field contain the names of the protected fields?
Masi
PS: That reminds me that any new FE form handling should provide means
to protect the form contents against tampering. Maybe this is something
that would be a good thing in the BE as well.
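The scheme sketched above (a keyed hash over the hidden fields, plus a further hidden field naming which fields are protected) as a worked example. This is added illustration code, not TYPO3 code and not anything from the thread's authors; it uses HMAC-SHA-256 via PHP's hash_hmac in place of a plain salted MD5/SHA-1, and the secret key, field names and addresses are constructed placeholders.

```php
<?php
// Added example (not TYPO3 code): sign a mail form's hidden fields with
// a keyed hash so the recipient address cannot be swapped by the sender.
// The secret key is assumed to come from server-side configuration and
// is never written into the page.

declare(strict_types=1);

// Canonical serialisation of the protected fields: names sorted, each
// name and value length-prefixed, so no two field sets map to one string.
function canonicalise(array $fields, array $protectedNames): string
{
    sort($protectedNames, SORT_STRING);
    $parts = [];
    foreach ($protectedNames as $name) {
        $value = (string) ($fields[$name] ?? '');
        $parts[] = strlen($name) . ':' . $name . '=' . strlen($value) . ':' . $value;
    }
    return implode('|', $parts);
}

// Called when the form is rendered: returns the two extra hidden fields
// (the list of protected names and the MAC over names and values).
function signHiddenFields(array $hidden, string $secretKey): array
{
    $names = array_keys($hidden);
    sort($names, SORT_STRING);
    // HMAC rather than hash(key . data): the key is bound by the MAC
    // construction, not by string concatenation.
    $mac = hash_hmac('sha256', canonicalise($hidden, $names), $secretKey);
    return ['protected_fields' => implode(',', $names), 'field_mac' => $mac];
}

// Called by the form handler on submission: true only if every protected
// field still carries the value the server put into the page. Because the
// name list is part of the signed data, dropping a name from
// protected_fields to unprotect a field also fails verification.
function verifyHiddenFields(array $post, string $secretKey): bool
{
    if (!isset($post['protected_fields'], $post['field_mac'])
        || !is_string($post['protected_fields']) || !is_string($post['field_mac'])) {
        return false;
    }
    $names = explode(',', $post['protected_fields']);
    $expected = hash_hmac('sha256', canonicalise($post, $names), $secretKey);
    // Constant-time comparison so the MAC cannot be matched byte by byte.
    return hash_equals($expected, $post['field_mac']);
}

// Demonstration with constructed values.
$secret = 'placeholder-secret-from-site-config';   // not a real key
$hidden = ['recipient' => 'webmaster@example.org', 'subject' => 'Contact form'];
$extra  = signHiddenFields($hidden, $secret);

$goodPost = $hidden + $extra + ['message' => 'Hello'];   // untouched submission
$badPost  = $goodPost;
$badPost['recipient'] = 'someone@example.net';           // recipient altered

var_dump(verifyHiddenFields($goodPost, $secret));
var_dump(verifyHiddenFields($badPost, $secret));
```

verifyHiddenFields returns true for the unmodified submission and false once the recipient (or the protected_fields list) has been changed, so the handler can refuse to send rather than trusting whatever address arrived in the POST. The approach only helps if the key stays server-side and the handler actually checks the result before mailing.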