Unless the administrator has changed the default encryption key settings, the TYPO3 mailform can be abused to send mail to an arbitrary recipient. Spam can therefore be sent through it from a remote site.
Component Type: Core
Affected Component: mailforms
Version: 3.7.0 and earlier
Vulnerability Type: Potential Spam Abuse
Unless the administrator has changed the default encryption key to a long enough value, mailforms can be abused to send mail to an arbitrary recipient. Spam can therefore be sent through them from a remote site.
An extension, security_formmail, is provided that replaces the mailform handling with a secure version.
You can find it on typo3.org/extensions/repository/list/security_formmail
or simply download and install it using the TYPO3 Extension Manager.
Please also make sure that the strictFormmail ( [FE][strictFormmail] ) switch is activated (default setting in 3.7.0).
For developers: the mailform changes will be applied to the CVS version of the TYPO3 core, so the security_formmail extension will not be needed in future versions of TYPO3.
Administrators are generally advised to set a unique encryptionKey ( [SYS][encryptionKey] ) in the TYPO3 install tool, longer than the longest value encrypted with it (for email addresses, 48 characters should normally be sufficient). This can also be used as a workaround if you do not want to install the security_formmail extension. Be aware that changing the key also changes cHash values, so existing simulateStatic URLs may be invalidated.
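The following is an added example, not code from TYPO3 or from the security_formmail extension, showing why the key has to be longer than the longest value encrypted with it. It models the recipient field with a generic repeating-key stream cipher plus a key-dependent tag; this construction is chosen only to make the length rule concrete and makes no claim about the routine actually used in TYPO3 3.7.0. The keys, addresses and helper names are constructed for the demo. With a key shorter than the address, one known recipient and its encrypted form reveal the whole key and a forged recipient is accepted; with a key longer than every address, only a prefix of the key leaks and the forgery is rejected.

```python
import hashlib
from itertools import cycle
from typing import Optional

# Constructed demo keys, not real TYPO3 configuration values.
SHORT_KEY = b"s3cr3t"            # 6 bytes: shorter than any e-mail address
LONG_KEY = bytes(range(17, 81))  # 64 bytes: longer than the 48 the advisory suggests


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """Stream the key over the data; once len(data) > len(key) the key repeats."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def protect(recipient: str, key: bytes) -> str:
    """Server side (hypothetical): hide the recipient and attach a key-dependent tag.
    The tag is what should stop a remote party from submitting any address."""
    ct = repeating_key_xor(recipient.encode(), key)
    tag = hashlib.sha256(key + b":" + ct).hexdigest()[:16]
    return f"{tag}:{ct.hex()}"


def unprotect(token: str, key: bytes) -> Optional[str]:
    """Server side on form submission: reject anything whose tag does not verify."""
    tag, ct_hex = token.split(":", 1)
    ct = bytes.fromhex(ct_hex)
    if hashlib.sha256(key + b":" + ct).hexdigest()[:16] != tag:
        return None
    return repeating_key_xor(ct, key).decode()


def recover_key(known_recipient: str, token: str) -> bytes:
    """Attacker side: ciphertext XOR known plaintext is the key stream. Its shortest
    period is the key itself, unless the key was longer than the plaintext, in which
    case only a prefix of the key is learned."""
    ct = bytes.fromhex(token.split(":", 1)[1])
    stream = repeating_key_xor(ct, known_recipient.encode())
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream  # not reached: period == len(stream) always matches


def forge(known_recipient: str, token: str, new_recipient: str) -> str:
    """Attacker side: build a token for a recipient of the attacker's choice
    from whatever key material the known plaintext revealed."""
    return protect(new_recipient, recover_key(known_recipient, token))


def key_is_long_enough(key: bytes, values) -> bool:
    """The advisory's rule: the key must be longer than the longest value encrypted with it."""
    return len(key) > max(len(v.encode()) for v in values)


def demo(key: bytes) -> Optional[str]:
    """What the server decodes from a forged token under the given key; None if rejected."""
    known = "info@example.org"  # a recipient the attacker can learn from a public form
    token = protect(known, key)
    forged = forge(known, token, "victim@example.net")
    return unprotect(forged, key)


if __name__ == "__main__":
    print("short key:", demo(SHORT_KEY))  # victim@example.net (accepted: usable for spam)
    print("long key :", demo(LONG_KEY))   # None (rejected)
```

The tag in this model is keyed, so forgery only works when the attacker learns the complete key; a known plaintext shorter than the key never gives them that. This is exactly the property the advisory's "longer than the longest value encrypted with it" advice relies on, and it is also why the key must be unique: a default or shared key is known without any recovery at all.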
Thanks to Peter Stamfest for pointing out this issue to us.