[Typo3-dev] t3lib_formmail open for relaying

Andreas Brunschweiler andreas-t3 at brx.ch
Fri Mar 26 10:25:55 CET 2004


<Martin.T.Kutschker at blackbox.net> wrote:

> Andreas Brunschweiler wrote:
>> With surprise I discovered that the recipient email of the standard
>> Typo3 Mail Forms is submitted as a hidden field. Upon receiving the mail
>> form's content, no check of the receiver's mail address is performed.
>> Therefore, it is possible to send mails to any receiver.
>
> I didn't check if there are any mechanisms in place. But one possibility
> that springs to my mind is to protect all hidden fields with a hash (MD5
> or SHA-1), perhaps salted with the secret key.

Securing the hidden fields is a good idea and simple to implement. However, 
I tend to not have the recipient field included at all in the form. 
Supplying the uid of the tt_content record enables the mail sending script 
to look up the recipient's mail address.

This could be implemented as an extension, but should actually be typo3's 
standard behaviour for security reasons. The uid of the tt_content record is 
already supplied in the form. The recipient field can be cleaned by means of 
typoscript. Therefore, no changes need to be made to tslib_content. 
t3lib_formmail.php needs to be extended to retrieve the mail address.

Has anybody implemented this already? Not that I invent the wheel twice...

Regards,
Andreas
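The two proposals in this thread side by side, as an added example that is not code from TYPO3 or from either poster: the hidden fields are protected with a keyed hash at render time (Martin's salted-hash idea, done as HMAC-SHA1 with a server secret), and the recipient is never taken from the form but looked up from the tt_content uid (Andreas's idea). The secret key, the TT_CONTENT dictionary and the field names are constructed stand-ins for this example.

```python
import hmac
import hashlib
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed server-side secret; stands in for a TYPO3 install's secret key.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Constructed stand-in for the tt_content table: uid -> recipient configured in the backend.
TT_CONTENT = {42: "webmaster@example.org", 43: "sales@example.org"}

# The hidden fields the server renders into the mail form (no recipient among them).
HIDDEN_FIELDS = ("uid", "subject")


def sign_hidden_fields(hidden: Dict[str, str]) -> str:
    """Keyed hash over the hidden fields, with a fixed field order before hashing."""
    canonical = urlencode(sorted(hidden.items()))
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha1).hexdigest()


def render_form(uid: int, subject: str) -> Dict[str, str]:
    """Server side, at render time: emit the hidden fields plus the tag protecting them."""
    hidden = {"uid": str(uid), "subject": subject}
    return {**hidden, "hidden_tag": sign_hidden_fields(hidden)}


def resolve_recipient(submitted: Dict[str, str]) -> Optional[str]:
    """Server side, on submit: verify the hidden fields, then look the recipient up by uid.

    Returns the address mail may be sent to, or None when the submission must be dropped.
    A 'recipient' field sent by the client is never consulted, so it cannot redirect mail.
    """
    hidden = {k: submitted.get(k, "") for k in HIDDEN_FIELDS}
    expected = sign_hidden_fields(hidden)
    if not hmac.compare_digest(expected, submitted.get("hidden_tag", "")):
        return None  # hidden fields were altered after the server rendered them
    try:
        uid = int(hidden["uid"])
    except ValueError:
        return None
    return TT_CONTENT.get(uid)  # None when the uid names no configured mail form
```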
