02/21/07

TYPO3 Security Bulletin TYPO3-20070221-1: Email header injection

Component Type: TYPO3 Core

Affected Versions: TYPO3 4.x below 4.0.5, 4.1beta, 4.1RC1, TYPO3 Versions 3.x

Vulnerability Type: Email header injection

Severity: low

Problem Description:

The internal form engine can be abused to send arbitrary mail headers, allowing it to be used for purposes for which it was not intended.

Solution:
Update to TYPO3 version 4.0.5 or later.

Credits:
Credits go to Olivier Dobberkau, Andreas Otto, and Thorsten Kahler, who discovered and supplied a patch for this issue.