[Typo3-dev] t3lib_formmail open for relaying

Martin T. Kutschker Martin.T.Kutschker at blackbox.net
Fri Mar 26 11:27:52 CET 2004


Andreas Brunschweiler wrote:
> <Martin.T.Kutschker at blackbox.net> wrote:
> 
>> Andreas Brunschweiler wrote:
>>
>>> With surprise I discovered that the recipient email of the standard
>>> Typo3 Mail Forms is submitted as a hidden field. Upon receiving the mail
>>> form's content, no check of the receiver's mail address is performed.
>>> Therefore, it is possible to send mails to any receiver.
>>
>> I didn't check if there are any mechanisms in place. But one possibility
>> that springs to my mind is to protect all hidden-fields with a hash (MD5
>> or SHA-1) perhaps salted with the secret key.
> 
> Securing the hidden fields is a good idea and simple to implement. 
> However, I tend to not have the recipient field included at all in the 
> form. Supplying the uid of the tt_content record enables the mail 
> sending script to look up the recipients mail address.

Probably, but..

> This could be implemented as extension, but should actually be typo3's 
> standard behaviour for security reasons.  uid of the tt_content record 
> is already supplied in the form.

..but the formmail mechanism can be invoked in arbitrary ways. You just 
don't know how the tt_content element created the form. It might have 
been a plugin.

Masi
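As an added example (not TYPO3 code and not from either poster), this is the hidden-field protection Martin suggests, done as an HMAC over the protected fields keyed with the site's secret key rather than a plain salted MD5/SHA-1, so that a submission whose recipient was swapped is rejected before any mail is sent. The field names, the placeholder key and the helper function names are assumptions.

```php
<?php
// Added example: tamper-evident hidden fields for a formmail-style handler.
// $encryptionKey stands in for the site's secret key (assumption: loaded from
// the installation's configuration, never hard-coded as here).

/**
 * Compute a keyed hash over the protected hidden fields.
 * Names are sorted so the token does not depend on field order in the form.
 */
function formmail_token(array $fields, string $encryptionKey): string
{
    ksort($fields);
    // Length-prefix names and values so "a=bc" and "ab=c" cannot collide.
    $canonical = '';
    foreach ($fields as $name => $value) {
        $canonical .= strlen($name) . ':' . $name . '=' . strlen($value) . ':' . $value . ';';
    }
    return hash_hmac('sha256', $canonical, $encryptionKey);
}

/** Verify a submitted token with a constant-time comparison. */
function formmail_token_valid(array $fields, string $token, string $encryptionKey): bool
{
    return hash_equals(formmail_token($fields, $encryptionKey), $token);
}

// --- Rendering side: emit the hidden fields together with their token ---
$encryptionKey = 'REPLACE-WITH-SITE-ENCRYPTION-KEY'; // placeholder, see above
$protected = ['recipient' => 'webmaster@example.org', 'subject' => 'Contact form'];
$token = formmail_token($protected, $encryptionKey);
foreach ($protected as $name => $value) {
    printf('<input type="hidden" name="%s" value="%s">' . "\n",
        htmlspecialchars($name), htmlspecialchars($value));
}
printf('<input type="hidden" name="formmail_token" value="%s">' . "\n", $token);

// --- Receiving side: only send when the protected fields are unchanged ---
// Constructed submissions: one untouched, one with the recipient replaced.
$genuine  = $protected + ['formmail_token' => $token];
$tampered = ['recipient' => 'someone-else@example.net', 'subject' => 'Contact form',
             'formmail_token' => $token];

foreach (['genuine' => $genuine, 'tampered' => $tampered] as $label => $post) {
    $submittedToken = $post['formmail_token'];
    unset($post['formmail_token']);
    $ok = formmail_token_valid($post, $submittedToken, $encryptionKey);
    printf("%s submission: %s\n", $label, $ok ? 'send mail' : 'reject, hidden fields were altered');
}
```

Looking the recipient up from the tt_content uid, as Andreas proposes, removes the field entirely; the token approach above is the fallback for forms that plugins build in other ways, which is the objection Martin raises.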
