TYPO3-20070124-1: Tip-a-friend - Header Injection

A header injection problem has been found in the extension tipafriend.

Component Type: Third-party extension. The extension is not part of the TYPO3 default installation.

Affected Versions: 1.2.2 and earlier

Vulnerability Type: Header Injection

Severity: HIGH

Problem Description:
A problem has been discovered in the extension that allows attackers to send arbitrary mail headers and similar data, which can lead to misuse of the extension.

Solution:
An updated version 1.2.3 is available in the extension repository and at typo3.org/extensions/repository/view/tipafriend/1.2.3/

Users of the extension tipafriend are advised to update the extension immediately.

General advice:
Follow the recommendations that are given in the TYPO3 SECURITY Guide.
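
As an added illustration of the vulnerability class named above (this is not code from the tipafriend extension or from its 1.2.3 fix), the following PHP shows how form values can be checked before they are placed into mail headers. The function names and the form field names sender_name and sender_email are hypothetical, and the sample input is constructed.

```php
<?php
declare(strict_types=1);
// Added illustration: all names below are hypothetical, not taken from tipafriend.

/** Reject any value that could terminate the current header line. */
function assertHeaderSafe(string $field, string $value): string
{
    // CR, LF, NUL and other control characters never belong in a header value.
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        throw new InvalidArgumentException("Control character in field '$field'");
    }
    return trim($value);
}

/** Accept exactly one syntactically valid address, nothing else. */
function assertSingleEmail(string $field, string $value): string
{
    $value = assertHeaderSafe($field, $value);
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Invalid e-mail address in field '$field'");
    }
    return $value;
}

/** Build header lines only from values that passed the checks above. */
function buildTipHeaders(array $form): array
{
    $name  = assertHeaderSafe('sender_name', $form['sender_name'] ?? '');
    $email = assertSingleEmail('sender_email', $form['sender_email'] ?? '');
    // Drop quote and backslash so the name cannot close the quoted string.
    $name = str_replace(['"', '\\'], '', $name);
    return ['From: "' . $name . '" <' . $email . '>', 'Reply-To: ' . $email];
}

// Constructed sample input: the second form carries a CR/LF pair in the name field.
$samples = [
    ['sender_name' => 'Alice Example', 'sender_email' => 'alice@example.org'],
    ['sender_name' => "Alice\r\nX-Injected: 1", 'sender_email' => 'alice@example.org'],
];
foreach ($samples as $i => $form) {
    try {
        echo "form $i accepted: " . implode(' | ', buildTipHeaders($form)) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "form $i rejected: " . $e->getMessage() . PHP_EOL;
    }
}
```

Rejecting the request outright, rather than silently stripping the control characters, also gives the site operator a clear event to log and monitor.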

Credits:
Thanks to security team members Thorsten Kahler and Andreas Otto, who discovered the issue and provided a fix when reporting it to the security team.