[TYPO3-core] RFC: #13439: [FEATURE] Allow marker for Subject and Message in aut-response-message of Mailform
Lars Houmark
lars at houmark.com
Wed Apr 14 03:12:55 CEST 2010
Hi!
> Committed to trunk rev 7360
-1 on this for security reasons!! My local trunk setup does not (like
yours, Steffen) send mails at the moment, so I had to hack some source code to test
this one quickly.
Since the sender will be a visible field in the form, and it is
possible with the Tamper Data extension for Firefox, or similar, to tamper
with the POST request, this opens the possibility of using a form with an
autoresponder as a mail engine for spam or whatever. The entire subject
and body can be modified and so can the receiver. This is good stuff
for a spamming robot.
Please revert this one until we can come up with a method of securing this!
First ideas: get rid of these hidden fields and save them in the DB for use
with a form, or add a checksum for the values (maybe using the
encryptionKey). I would prefer not having it in the form at all. It's
not pretty that way and will always be somewhat less secure
than if it is away from user control.
Disclaimer: Since I had limited time right now and a limited setup I
might have overlooked something, but my quick testing allowed me to
tamper with the data and have the mail sent to another address with
completely modified content.
--
Lars Houmark
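The two countermeasures Lars sketches above (a keyed checksum over the hidden fields, or keeping the autoresponder configuration in the database and submitting only a form id) can both be shown in a few lines. The block below is an added illustration written for this page, not TYPO3 code and not the patch under discussion; it is in Python rather than PHP purely to keep the mechanism visible. ENCRYPTION_KEY is a constructed stand-in for the installation's encryptionKey, the field names (auto_respond_subject, auto_respond_msg, auto_respond_to, auto_respond_hmac, form_id) and the FORM_CONFIG table are assumptions, and verify_fields / resolve_autoresponse are hypothetical helpers, not functions from the TYPO3 mailform.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the installation's encryptionKey (assumption: a long,
# random, server-only secret; not a value from the page).
ENCRYPTION_KEY = b"constructed-example-key-replace-with-installation-secret"

# Autoresponder settings an editor configures. If these travel in hidden form
# fields, a tampered POST can rewrite all of them, so these are exactly the
# values a MAC must cover. The field names are assumptions, not TYPO3's.
PROTECTED_FIELDS = ("auto_respond_subject", "auto_respond_msg", "auto_respond_to")


def _canonical(fields):
    """Unambiguous byte encoding of the protected fields (sorted, compact JSON),
    so an attacker cannot shift bytes between fields by injecting a delimiter."""
    subset = {name: str(fields.get(name, "")) for name in PROTECTED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_fields(fields, key=ENCRYPTION_KEY):
    """Server side, while rendering the form: HMAC-SHA256 over the protected fields."""
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def render_hidden_fields(config, key=ENCRYPTION_KEY):
    """What the rendered form would carry: the configured values plus their MAC.
    The MAC authenticates the values but does not hide them from the visitor."""
    hidden = {name: config[name] for name in PROTECTED_FIELDS}
    hidden["auto_respond_hmac"] = sign_fields(hidden, key)
    return hidden


def verify_fields(posted, key=ENCRYPTION_KEY):
    """Server side, when handling the POST: recompute the MAC over the submitted
    values and compare in constant time. True only if every protected field is
    byte-for-byte what the server emitted; a missing or altered MAC fails."""
    expected = sign_fields(posted, key)
    supplied = str(posted.get("auto_respond_hmac", ""))
    return hmac.compare_digest(expected, supplied)


# The variant Lars prefers: keep the configuration out of the form entirely.
# Only an opaque form id is submitted; subject, body and recipient are looked
# up server side. FORM_CONFIG is a constructed stand-in for database rows.
FORM_CONFIG = {
    "contact-form-1": {
        "auto_respond_subject": "Thanks for your message",
        "auto_respond_msg": "We have received your message and will reply soon.",
        "auto_respond_to": "sender",
    },
}


def resolve_autoresponse(posted):
    """Look the autoresponder settings up by form id. Nothing in the POST body
    can influence subject, body or recipient, because they are never read from it."""
    config = FORM_CONFIG.get(str(posted.get("form_id", "")))
    if config is None:
        raise ValueError("unknown form id")
    return dict(config)


if __name__ == "__main__":
    hidden = render_hidden_fields(FORM_CONFIG["contact-form-1"])
    legit = dict(hidden, email="visitor@example.com", form_id="contact-form-1")
    spam = dict(legit, auto_respond_msg="buy now", auto_respond_to="victim@example.com")
    print("legitimate POST accepted:", verify_fields(legit))
    print("tampered POST accepted:  ", verify_fields(spam))
    print("from DB:", resolve_autoresponse(legit)["auto_respond_subject"])
```

The checksum variant stops the spam-relay scenario (a changed subject, body or recipient no longer matches the MAC) but still exposes the configured text to anyone who views the page source, and it is only as strong as the secrecy of the key; the lookup-by-id variant removes the values from the request altogether, which is why it is the cleaner fix.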
More information about the TYPO3-team-core mailing list