[TYPO3-announce] TYPO3 Security Bulletin 20070221-1: Email header injection
Lars Houmark
lars at houmark.com
Wed Feb 21 05:58:43 CET 2007

Dear users of TYPO3,

A problem has been discovered where the internal form engine can be
used to send arbitrary mail headers, allowing it to be used for
purposes it is not meant for.

==== Component Type ====
TYPO3 Core

==== Affected Versions ====
Below 4.0.5, 4.1beta, 4.1RC1

==== Vulnerability Type ====
Email header injection

==== Severity ====
low

==== Solution ====
Update to TYPO3 version 4.0.5 or later by downloading it at:
http://typo3.org/download/packages/

==== General advice ====
Follow the recommendations given in the TYPO3 Security Cookbook,
which can be found at:
http://typo3.org/teams/security/

==== Credits ====
Credits go to Olivier Dobberkau, Andreas Otto, and Thorsten Kahler,
who discovered this issue and supplied a patch for it.

The just-released version 4.0.5 contains many other non-security-related
fixes, so an upgrade is highly recommended in any case.

Regards,
Lars Houmark
TYPO3 security team