[Typo3-announce] TYPO3 Security Bulletin: mailforms (TYPO3-20050307-1)

Ekkehard Gümbel guembel at naw.de
Mon Mar 7 15:25:12 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Bulletin TYPO3-20050307-1
http://typo3.org/typo3-20050307-1.html

Component Type: Core
Affected Component: mailforms
Version: 3.7.0 and earlier
Vulnerability Type: Potential Spam Abuse
Severity: Low

Problem Description:
Unless the administrator has changed the default encryption key to a
long enough value, mailforms can be manipulated to send mail to a
wrong recipient. Thus, spam mails may be sent through the site from a
remote location.


Solution:
An extension, security_formmail, is provided that hardens the mailform
behaviour.

You can find it at
typo3.org/extensions/repository/list/security_formmail
or simply download and install it using the TYPO3 Extension Manager.


Additional information:
Please also make sure that the strictFormmail switch
( [FE][strictFormmail] ) is activated (the default setting in 3.7.0).

For developers: the mailform modifications will be applied to the CVS
version of the TYPO3 core. Thus, the security_formmail extension will
not be needed in future versions of TYPO3.

Administrators are generally advised to set a unique encryptionKey
( [SYS][encryptionKey] ) in the TYPO3 install tool, longer than the
longest value encrypted with it (e.g. for email addresses, 48
characters should normally be sufficient). This can also be used as a
workaround if you do not want to apply the security_formmail extension.
Please be aware that since this changes the cHash value, simulateStatic
URLs may be invalidated.
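The two settings named above, [FE][strictFormmail] and [SYS][encryptionKey], can be checked mechanically before the key is changed on a live site. The following audit script is an added example, not part of this bulletin or of the TYPO3 project. It assumes the settings live in typo3conf/localconf.php in the classic form $TYPO3_CONF_VARS['SYS']['encryptionKey'] = '...'; (an assumption about the file layout; the bulletin only names the option paths), and it applies the bulletin's own threshold of 48 characters for keys that encrypt e-mail addresses. The two sample configurations are constructed for the demonstration.

```python
import re

# Bulletin guidance: the key must be longer than the longest value it
# encrypts; for e-mail addresses it states 48 characters normally suffice.
MIN_KEY_LENGTH = 48

# Matches $TYPO3_CONF_VARS['SECTION']['option'] = 'value'; with a quoted
# or bare scalar value. Assumption: the classic localconf.php assignment form.
SETTING_RE = re.compile(
    r"""\$TYPO3_CONF_VARS\s*\[\s*['"](\w+)['"]\s*\]"""
    r"""\s*\[\s*['"](\w+)['"]\s*\]\s*=\s*['"]?([^'";]*)['"]?\s*;"""
)


def parse_localconf(text):
    """Return {(section, option): value} for the simple assignments in text."""
    return {(m.group(1), m.group(2)): m.group(3).strip()
            for m in SETTING_RE.finditer(text)}


def audit_formmail_settings(text, min_key_length=MIN_KEY_LENGTH):
    """Return a list of findings; an empty list means both settings comply."""
    conf = parse_localconf(text)
    findings = []

    key = conf.get(("SYS", "encryptionKey"), "")
    if not key:
        # Absent or empty means the shipped default is still in effect.
        findings.append("[SYS][encryptionKey] unchanged from default: "
                        "mailform recipients are encoded with a known key")
    elif len(key) < min_key_length:
        findings.append(f"[SYS][encryptionKey] is {len(key)} chars, shorter "
                        f"than the {min_key_length} recommended for e-mail addresses")
    elif len(set(key)) < 8:
        # Heuristic added here: a key built from a couple of repeated
        # characters is long but hardly unique.
        findings.append("[SYS][encryptionKey] is long but repetitive; use a random value")

    strict = conf.get(("FE", "strictFormmail"), "")
    if strict not in ("1", "true"):
        findings.append("[FE][strictFormmail] is not enabled")
    return findings


# Constructed sample configurations, not taken from any real installation.
WEAK_LOCALCONF = """<?php
$TYPO3_CONF_VARS['SYS']['sitename'] = 'Example';
$TYPO3_CONF_VARS['SYS']['encryptionKey'] = 'secret';
$TYPO3_CONF_VARS['FE']['strictFormmail'] = '0';
"""

HARDENED_LOCALCONF = """<?php
$TYPO3_CONF_VARS['SYS']['sitename'] = 'Example';
$TYPO3_CONF_VARS['SYS']['encryptionKey'] = 'f3c9a1e7b2d4086c5e9a7b1d3f2c4e6a8b0d1c3e5f7a9b2d4c6e8f0a1b3c5d7e';
$TYPO3_CONF_VARS['FE']['strictFormmail'] = 1;
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_LOCALCONF), ("hardened", HARDENED_LOCALCONF)):
        print(name, audit_formmail_settings(text) or ["ok"])
```

Run it against a copy of localconf.php before rotating the key, and remember the caveat from the paragraph above: a new encryptionKey changes the cHash, so simulateStatic URLs cached or linked elsewhere may stop resolving and should be regenerated afterwards.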


Credits:
Thanks to Peter Stamfest for pointing out this issue to us.



Regards,
Ekkehard Guembel
TYPO3 Security Team


- -> This information comes with ABSOLUTELY NO WARRANTY.
- -> Visit http://typo3.org/teams/security/security-bulletins

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3

iQA/AwUBQixkLaTmi1gh+z/VEQLk4gCg85vy2KOU0CAin5c5A9daqYvmVk0Anjrs
/aDDmXXf5zz77m3NwYCKP1Vx
=aCZl
-----END PGP SIGNATURE-----


