[TYPO3] unidentified "mail form" emails ?!? Big puzzle

Alper Odabasioglu unutma at hotmail.com
Mon Apr 23 02:09:19 CEST 2007


Hi Bernd,

thank you very much for informing me. We have TYPO3 version 3.8.1, and I guess 
you are right: the latest security news is about mail header injection, which 
describes my situation roughly. But the solution is hard for me to do soon, 
upgrading to TYPO3 version 4... I mean, upgrading is not that easy and fast, 
and I have no idea now what I can do through some other tricks. I guess 
changing the page ids of the mailform object wouldn't help, as I guess these 
mail robots probably use the PHP belonging to the internal mail form engine... 
But I guess there should be something else which might help, other than 
upgrading to TYPO3 4... By the way, I also have "Web>Plugins, Direct Mail 
(direct_mail)" installed on the system and no tipafriend extension...

Here is some more info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1081

If you have any suggestions, they are very welcome.


@Dear Oliver Dobberkau et al., and Lars: is there a solution, or at least a 
half solution, for this header injection vulnerability in TYPO3 3.8.1 other than 
upgrading it to TYPO3 version 4? (Sorry for bothering you if you don't want to 
receive emails like this.)


Cheers,
Alper Odabasioglu


On Fri, 20 Apr 2007 17:02:11 +0000, Alper Odabasioglu wrote
with subject "[TYPO3] unidentified "mail form" emails ?!? Big puzzle":

>Hi Everybody,
>
>I am up against a very weird situation. I receive spam mails and they "seem to 
>be" coming through a mailform content element on one page of our website. I 
>say "seem to be" because they really look like, in formatting and 
>content, the mailform content emails, however not exactly: the subject is 
>"hello" and the content (the fields of the form) is not exactly the same. 
>First I thought it might be because a spam bot is using an old version of 
>that "mail form" which somehow remained at the website, so I scanned the 
>"tt_content" table (hidden, deleted, whatever, all the possible content 
>element types), however there is no such "mailform" at our website. Then 
>I thought that maybe this spam email is not related to the website 
>at all, but is just a same-looking one, and checked the "message details", 
>however it really looks like it comes from our website (PHP-Mailer and the 
>host of my webserver is there). I got really confused. Any ideas?

What TYPO3 version? Do you have any mailing extensions installed
(mailformplus, tipafriend, ...)? Which versions?

Have a look at http://typo3.org/teams/security/security-bulletins/

At first look at your description, it came to my mind: you're using an
old TYPO3 where the mailform wasn't checked (and the sender was included in
a hidden field), and so everyone could send mails on their own just by building a
similar form using your site as the action target.

>By the way, is there a log somewhere where I can check the forms filled in and 
>sent through our website?

No log for the standard mailform.
Maybe a log from your mailer.
--
http://www.bernd-wilke.net

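Editor's note, added to this archived thread and not part of either poster's mail or of TYPO3's code: the two weaknesses Bernd describes (a recipient or sender carried in a hidden form field that a look-alike form on another host can rewrite, and CR/LF in subject/sender fields that lets a bot append its own Bcc: or To: headers to the site's outgoing mail) are what a form handler has to check server-side before it calls the mailer. The Python below shows those checks against two constructed submissions: one genuine, one shaped like the "hello" spam in the thread. The addresses, field names and the signing secret are assumptions for the example, not values from the site in question.

```python
"""Server-side checks for a contact/mail form.  Added illustration only; not
TYPO3 code.  All addresses, field names and the secret are constructed."""
import hashlib
import hmac
import re

# Constructed configuration (assumed, not from the site in the thread)
SECRET = b"server-side-secret-never-sent-to-the-browser"
ALLOWED_RECIPIENTS = {"webmaster@example.org", "sales@example.org"}
HEADER_FIELDS = ("subject", "from_name", "from_email")  # values that end up in mail headers
CRLF = re.compile(r"[\r\n]")
SIMPLE_EMAIL = re.compile(r"^[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+$")


def sign_recipient(recipient: str) -> str:
    """Tag for the hidden recipient field.  Only the server knows SECRET, so a
    spammer hosting a copy of the form that posts to our action URL cannot
    mint a valid tag for an address of their own choosing."""
    return hmac.new(SECRET, recipient.encode("utf-8"), hashlib.sha256).hexdigest()


def validate_submission(form: dict) -> list:
    """Return the reasons to reject a POSTed form; an empty list means accept."""
    problems = []

    # Never trust a client-supplied recipient: it must be on the server-side
    # allowlist AND carry the tag the server itself emitted into the form.
    recipient = form.get("recipient", "")
    if recipient not in ALLOWED_RECIPIENTS:
        problems.append("recipient %r not in server-side allowlist" % recipient)
    expected = sign_recipient(recipient)
    if not hmac.compare_digest(form.get("recipient_sig", ""), expected):
        problems.append("hidden recipient field was altered or unsigned")

    # Header injection: a CR or LF in a header-bound value lets the client
    # append its own headers (Bcc:, To:, a second Subject:) to the message.
    for field in HEADER_FIELDS:
        if CRLF.search(form.get(field, "")):
            problems.append("CR/LF in header-bound field %r" % field)

    # The sender must be one plain address, not a list or an angle-bracket form.
    if not SIMPLE_EMAIL.match(form.get("from_email", "")):
        problems.append("from_email is not a single plain address")

    return problems


# Constructed submissions of the kind the thread describes.
GENUINE = {
    "recipient": "webmaster@example.org",
    "recipient_sig": sign_recipient("webmaster@example.org"),
    "subject": "Question about opening hours",
    "from_name": "A. Visitor",
    "from_email": "visitor@example.com",
    "body": "When are you open on Saturdays?",
}

# A bot posting from its own copy of the form: hidden recipient rewritten,
# and a Bcc: line smuggled into the subject after a CRLF.
FORGED = {
    "recipient": "victim@example.net",
    "recipient_sig": "0" * 64,
    "subject": "hello\r\nBcc: a@example.net, b@example.net",
    "from_name": "hello",
    "from_email": "spammer@example.net",
    "body": "hello",
}

if __name__ == "__main__":
    for name, form in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, validate_submission(form) or ["accepted"])
```

The allowlist alone already defeats the rewritten hidden field; the HMAC tag is belt-and-braces for sites that legitimately have several recipients and want to know the field was emitted by their own page. Rejecting CR/LF is the part that maps directly onto the "mail header injection" bulletin mentioned above; a mailer API that refuses newlines in header values gives the same protection, but the check belongs in the handler so the rejection can be logged, which is also the only way to get the per-form log the thread asks about.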


