[TYPO3] unidentified "mail form" emails ?!? Big puzzle

Dmitry Dulepov 9f4eetb02 at sneakemail.com
Mon Apr 23 10:22:20 CEST 2007


Alper Odabasioglu wrote:
> thank you very much for informing.. we have typo3 version 3.8.1 and I 
> guess you are right the latest security news is about mail header 
> injection, which describes my situation roughly.. But the solution is 
> hard for me to do soon, upgrade to typo3 version 4.... I mean to upgrade 
> is not that easy and fast, and I have no idea now what I can do through 
> some other tricks. I guess to change the page ids of the mailform object 
> wouldn't help, as I guess these mail robots probably use the php belonging 
> to the internal mail form engine I guess... But I guess there should be 
> something else which might help, other than upgrading to typo3 4... By the way 
> I have "Web>Plugins, Direct Mail (direct_mail)" also installed on the 
> system and no tipafriend extension...
> here some more info:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1081
> If you have any suggestions, they are very welcome......
> @Dear Oliver Dobberkau et al, and Lars, is there a solution or at least 
> a half solution for this header injection vulnerability for typo3 3.8.1 other 
> than upgrading it to typo3 version 4? (Sorry for bothering if you don't 
> want to receive such emails like this)..

This happens even with the svn version of typo3, so it is a new way to hack 
the typo3 mailform. The security team is aware; I sent them an e-mail and proposed 
how to implement possible solutions, but they have not answered yet. 
Meanwhile I suggest that we stop discussing it here until it is resolved, 
because each such post gives hackers more and more hints.

Dmitry Dulepov

Web: http://typo3bloke.net/
Skype: callto:liels_bugs

"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)

More information about the TYPO3-english mailing list