TYPO3-20050307-1: TYPO3 Security Bulletin

Categories: TYPO3 CMS Created by Ekkehard Gümbel
Unless the default encryption key settings have been changed by the administrator, the TYPO3 mailform can be compromised to send mail to a wrong recipient. Thus, spam mails may be sent from a remote site.

Component Type: Core

Affected Component: mailforms


Version: 3.7.0 and earlier
Vulnerability Type: Potential Spam Abuse
Severity: Low

Problem Description:
Unless the default encryption key settings have been changed to a long enough value by the administrator, mailforms can be compromised to send mail to a wrong recipient. Thus, spam mails may be sent from a remote site.


Solution:
An extension, security_formmail, is provided that changes the mailform behaviour so that the recipient can no longer be tampered with.

You can find it at typo3.org/extensions/repository/list/security_formmail
or simply download and install it using the TYPO3 Extension Manager.


Additional information:
Please also make sure that the strictFormmail ( [FE][strictFormmail] ) switch is activated (default setting in 3.7.0).

For developers, the mailform modifications will be applied to the CVS version of the TYPO3 core. Thus, the security_formmail extension will not be needed in future versions of TYPO3.

Administrators are generally advised to set a unique encryptionKey ( [SYS][encryptionKey] ) in the TYPO3 install tool, longer than the longest value encrypted with it (e.g. for email addresses 48 characters should normally be sufficient). This can also be used as a workaround if you do not want to apply the security_formmail extension. Please be aware that since this changes the cHash value, simulateStatic URLs may be invalidated.
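The two settings named above can be checked mechanically. The following is an added example (not code from TYPO3 or from the security_formmail extension) that reads the simple `$TYPO3_CONF_VARS[...][...] = ...;` assignments found in a TYPO3 3.x typo3conf/localconf.php and reports whether [SYS][encryptionKey] meets the 48-character recommendation and whether [FE][strictFormmail] has been explicitly switched off. The two localconf snippets are constructed samples; the regular expression only understands one-line assignments with a quoted string or an integer on the right-hand side, which is an assumption about how the file is written.

```python
import re

# Constructed sample of a weak typo3conf/localconf.php (not taken from the bulletin):
# a three-character key and strictFormmail explicitly disabled.
WEAK_LOCALCONF = '''<?php
$TYPO3_CONF_VARS['SYS']['encryptionKey'] = 'abc';
$TYPO3_CONF_VARS['FE']['strictFormmail'] = 0;
?>
'''

# Constructed sample of the corrected file: a 48-character key (the length
# the bulletin suggests for e-mail addresses) and strictFormmail enabled.
FIXED_LOCALCONF = '''<?php
$TYPO3_CONF_VARS['SYS']['encryptionKey'] = 'a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4';
$TYPO3_CONF_VARS['FE']['strictFormmail'] = 1;
?>
'''

# Matches $TYPO3_CONF_VARS['SECTION']['key'] = 'string'; / "string"; / 123;
# Assumption: settings are written one per line in this simple form.
SETTING_RE = re.compile(
    r'''\$TYPO3_CONF_VARS\['(\w+)'\]\['(\w+)'\]\s*=\s*(?:'([^']*)'|"([^"]*)"|(\d+))\s*;'''
)

# Recommended minimum key length from the bulletin (longer than the longest
# value encrypted with it; 48 for e-mail addresses).
RECOMMENDED_KEY_LENGTH = 48


def parse_localconf(text):
    """Return a dict {(section, key): value} for every assignment the regex finds."""
    settings = {}
    for match in SETTING_RE.finditer(text):
        section, key, single_q, double_q, number = match.groups()
        if single_q is not None:
            value = single_q
        elif double_q is not None:
            value = double_q
        else:
            value = number
        settings[(section, key)] = value
    return settings


def audit_mailform_settings(text, longest_encrypted_value=RECOMMENDED_KEY_LENGTH):
    """Return a list of findings; an empty list means both settings look fine."""
    settings = parse_localconf(text)
    findings = []

    key = settings.get(('SYS', 'encryptionKey'), '')
    if key == '':
        findings.append('[SYS][encryptionKey] is not set; the TYPO3 default is in use')
    elif len(key) < longest_encrypted_value:
        findings.append(
            f'[SYS][encryptionKey] is {len(key)} characters long; '
            f'the bulletin recommends at least {longest_encrypted_value}'
        )

    # strictFormmail defaults to on in 3.7.0, so only an explicit "off" is flagged.
    strict = settings.get(('FE', 'strictFormmail'))
    if strict is not None and strict.strip().lower() in ('0', '', 'false'):
        findings.append('[FE][strictFormmail] is explicitly disabled; it should be activated')

    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_LOCALCONF), ('fixed', FIXED_LOCALCONF)):
        print(label, audit_mailform_settings(conf) or 'OK')
```

Running the block prints two findings for the weak file and `OK` for the corrected one. Because the check compares the key length against the longest value that will be encrypted, raise `longest_encrypted_value` if your mailforms encrypt anything longer than a typical e-mail address.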


Credits:
Thanks to Peter Stamfest for pointing out this issue to us.