[TYPO3] unidentified "mail form" emails ?!? Big puzzle
Dmitry Dulepov
9f4eetb02 at sneakemail.com
Mon Apr 23 10:22:20 CEST 2007
Hello!
Alper Odabasioglu wrote:
> Thank you very much for informing me. We have TYPO3 version 3.8.1 and I
> guess you are right: the latest security news is about mail header
> injection, which describes my situation roughly. But the solution,
> upgrading to TYPO3 version 4, is hard for me to do soon. I mean, upgrading
> is not that easy and fast, and I have no idea now what I can do through
> some other tricks. I guess changing the page ids of the mailform object
> wouldn't help, as I guess these mail robots probably use the PHP belonging
> to the internal mail form engine. But I guess there should be
> something else which might help, other than upgrading to TYPO3 4. By the way,
> I have "Web>Plugins, Direct Mail (direct_mail)" also installed on the
> system and no tipafriend extension.
>
> here some more info:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1081
>
> If you have any suggestion, they are very welcome......
>
>
> Dear Oliver Dobberkau et al., and Lars, is there a solution, or at least
> a half solution, for this header injection vulnerability for TYPO3 3.8.1 other
> than upgrading it to TYPO3 version 4? (Sorry for bothering you if you don't
> want to receive emails like this.)
This happens even with the SVN version of TYPO3, so it is a new way to hack
the TYPO3 mailform. The security team is aware; I sent them an e-mail and proposed
how to implement possible solutions, but they have not answered yet.
Meanwhile I suggest that we stop discussing it here until it is resolved,
because each such post gives hackers more and more hints.
--
Dmitry Dulepov
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)
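Editor's note: the thread above names the class of bug (mail header injection, CVE-2007-1081) but, deliberately, does not show it. The following is an added illustration written for this page, not TYPO3's mailform code and not the undisclosed issue Dmitry refers to. It is written in Python because the mechanics do not depend on the language: a form value containing CR/LF ends a header line early and lets the submitter append headers of their own (Bcc, Cc, To), which is how a contact form turns into a spam relay. The hardened builder shows the check a practitioner would want on any version: reject any header value that contains a line break or NUL. All names, addresses and the sample submission below are constructed for the example.

```python
# Added example, not TYPO3 code: how a mail header injection works and the
# check that prevents it. All names and sample values are constructed here.
import re

CRLF = "\r\n"
CONTACT_ADDRESS = "webmaster@example.org"   # constructed fixed recipient


def build_message_unchecked(sender, subject, body):
    """Vulnerable pattern: form fields go straight into the header block.

    Any CR/LF inside `sender` or `subject` ends that header line early and
    lets the submitter append headers of their own (Bcc, To, Cc, ...).
    """
    headers = [
        "To: " + CONTACT_ADDRESS,
        "From: " + sender,
        "Subject: " + subject,
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def parse_message(raw):
    """Split a raw message the way a mail transfer agent does: header lines
    up to the first blank line, everything after that blank line is body."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF):
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def recipients(raw):
    """All addresses the MTA would deliver to (To, Cc and Bcc headers)."""
    headers, _ = parse_message(raw)
    out = []
    for name, value in headers:
        if name in ("to", "cc", "bcc"):
            out.extend(a.strip() for a in value.split(",") if a.strip())
    return out


class HeaderInjection(ValueError):
    """Raised when a form value would span more than one header line."""


# CR, LF and NUL have no place in a single-line header value.
_LINE_BREAK = re.compile(r"[\r\n\x00]")


def header_value(field, value):
    """Validate a single-line header value. Reject rather than strip: a
    stripped value silently rewrites what the user typed, and an attacker
    probing the form learns nothing useful from a plain refusal."""
    if _LINE_BREAK.search(value):
        raise HeaderInjection("line break in " + field)
    return value


def build_message_checked(sender, subject, body):
    """Hardened builder: every user-supplied header value is validated."""
    headers = [
        "To: " + CONTACT_ADDRESS,
        "From: " + header_value("sender", sender),
        "Subject: " + header_value("subject", subject),
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


# Constructed sample submission: the visitor's e-mail field carries an extra
# Bcc header. Web frameworks hand form values to the script already
# URL-decoded, so the CR/LF are literal here, as they would be in $_POST.
INJECTED_SENDER = "visitor@example.net\r\nBcc: one@example.com, two@example.com"

if __name__ == "__main__":
    raw = build_message_unchecked(INJECTED_SENDER, "Question", "Hello")
    print(recipients(raw))   # the two Bcc addresses appear alongside webmaster
    try:
        build_message_checked(INJECTED_SENDER, "Question", "Hello")
    except HeaderInjection as exc:
        print("rejected:", exc)
```

Two caveats for anyone patching an old form by hand. The check has to run on the decoded value the script actually concatenates, not on the raw query string, otherwise "%0d%0a" slips through. And validating the From and Subject is not enough if the body is later folded into a multipart message without its own encoding; the same rule applies to every value that ends up above the first blank line.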
More information about the TYPO3-english mailing list