TYPO3-20070124-1: Tip-a-friend - Header Injection

A header injection problem has been found in the extension tipafriend.

Component Type: Third-party extension. The extension is not part of the TYPO3 default installation.

Affected Versions: 1.2.2 and earlier

Vulnerability Type: Header Injection

Severity: HIGH

Problem Description:
A problem has been discovered in the extension that allows attackers to send arbitrary mail headers and similar content, which can lead to misuse of the extension.

An updated version 1.2.3 is available in the extension repository and at typo3.org/extensions/repository/view/tipafriend/1.2.3/

Users of the extension tipafriend are advised to update the extension immediately.
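For sites that build mail headers from form input in their own code, the following added example shows the usual defence against this vulnerability type: refusing line breaks in any value before it is placed in a header. It is not the extension's code and not the 1.2.3 fix; the function names, the `name`/`email` fields and the sample submissions are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for a tip-a-friend style form; not code from the extension.

/** Reject any value that could end a header line early. */
function assertHeaderSafe(string $field, string $value): string
{
    // CR, LF and NUL terminate or corrupt a header line. Percent-encoded
    // forms are refused too, in case the value is URL-decoded again later.
    if (preg_match('/[\r\n\0]|%0[ad]/i', $value) === 1) {
        throw new InvalidArgumentException("Line break in $field");
    }
    return trim($value);
}

/** Build the From header from visitor-supplied name and address. */
function buildFromHeader(string $name, string $email): string
{
    $name  = assertHeaderSafe('name', $name);
    $email = assertHeaderSafe('email', $email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    // Encode the display name as an RFC 2047 encoded-word so quotes or
    // non-ASCII characters cannot alter the header structure.
    $encoded = '=?UTF-8?B?' . base64_encode($name) . '?=';
    return "From: $encoded <$email>";
}

// Constructed sample submissions: one legitimate, three carrying a line break.
$samples = [
    ['Alice Example', 'alice@example.org'],
    ["Alice\r\nX-Injected: 1", 'alice@example.org'],
    ['Alice', "alice@example.org\nX-Injected: 1"],
    ['Alice', 'alice@example.org%0AX-Injected: 1'],
];

foreach ($samples as [$name, $email]) {
    try {
        echo 'accepted: ', buildFromHeader($name, $email), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first submission is accepted; the same check belongs on every other form value that ends up in a header, such as the subject or recipient.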

General advice:
Follow the recommendations that are given in the TYPO3 SECURITY Guide.

Thanks to security team members Thorsten Kahler and Andreas Otto, who discovered the issue and provided a fix when reporting it to the security team.