[TYPO3] unidentified "mail form" emails ?!? Big puzzle
9f4eetb02 at sneakemail.com
Mon Apr 23 10:22:20 CEST 2007
Alper Odabasioglu wrote:
> thank you very much for informing.. we have typo3 version 3.8.1 and I
> guess you are right the latest security news is about mail header
> injection, which describes my situation roughly.. But the solution is
> hard for me to do soon, upgrade to typo3 version4.... I mean to upgrade
> is not that easy and fast, and I have no idea now what I can do through
> some other tricks. I guess to change the page ids of the mailform object
> wouldn't help, as I guess these mail robots probably use the php belonging
> to the internal mail form engine I guess... But I guess there should be
> sth else which might help, other than upgrading to typo3 4... By the way
> I have "Web>Plugins, Direct Mail (direct_mail)" also installed on the
> system and no tipafriend extension...
> here some more info:
> If you have any suggestion, they are very welcome......
> @Dear Oliver Dobberkau et al, and Lars, is there a solution or at least
> a half solution for this header injection vulnr. for typo3 3.8.1 other
> than upgrading it to typo3 version4? (Sorry for bothering if you don't
> want to receive such emails like this)..
This happens even with the svn version of typo3, so it is a new way to hack
the typo3 mailform. The security team is aware; I sent them an e-mail and
proposed how to implement possible solutions, but they did not answer yet.
Meanwhile I suggest that we stop discussing it here until it is resolved
because each such post gives hackers more and more hints.
"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)