Tip-a-friend - Header Injection

2007-01-24T00:00:00
ID TYPO3-20070124-1
Type typo3
Reporter TYPO3 Association
Modified 2007-01-24T00:00:00

Description

A header injection problem has been found in the extension tipafriend.

Component Type: Third party extension. The extension is not part of the
TYPO3 default installation.

Affected Versions: 1.2.2 and earlier

Vulnerability Type: Header Injection

Severity: HIGH

Problem Description:
A problem has been discovered in the extension that allows attackers to send arbitrary mail headers and similar, which can lead to misuse of the extension.
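The following is an added example, not code from the tipafriend extension or from its 1.2.3 fix. It shows the kind of server-side check that keeps tip-a-friend form fields from introducing extra mail header lines; all function and field names are assumptions.

```php
<?php
// Added illustration; not the tipafriend extension's code or its 1.2.3 fix.
// All function and field names here are hypothetical.

/** True if the value contains characters that could start a new header line. */
function hasHeaderBreak(string $value): bool
{
    // CR and LF terminate a header line; NUL is rejected as well. Also check
    // the URL-encoded forms in case a later layer decodes the value again.
    return preg_match('/[\r\n\0]|%0[ad]|%00/i', $value) === 1;
}

/**
 * Validate tip-a-friend form input before any of it reaches a mail header.
 * Returns a list of error strings; an empty list means the input is usable.
 */
function validateTipForm(array $form): array
{
    $errors = [];
    foreach (['senderName', 'senderEmail', 'recipientEmail', 'subject'] as $field) {
        // Non-string input (for example an array parameter) counts as missing.
        $value = is_string($form[$field] ?? null) ? $form[$field] : '';
        if ($value === '') {
            $errors[] = "$field is missing";
        } elseif (hasHeaderBreak($value)) {
            $errors[] = "$field contains line-break characters";
        } elseif (substr($field, -5) === 'Email'
            && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            // One syntactically valid address per field, no lists or display names.
            $errors[] = "$field is not a single valid e-mail address";
        }
    }
    return $errors;
}

// Constructed sample input: a normal submission and one carrying a line break.
$samples = [
    'benign'   => ['senderName' => 'Alice', 'senderEmail' => 'alice@example.org',
                   'recipientEmail' => 'bob@example.org', 'subject' => 'Have a look'],
    'rejected' => ['senderName' => "Alice\r\nsecond line", 'senderEmail' => 'alice@example.org',
                   'recipientEmail' => 'bob@example.org', 'subject' => 'Have a look'],
];
foreach ($samples as $label => $form) {
    $errors = validateTipForm($form);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'accepted', PHP_EOL;
}
```

Rejecting the submission outright, rather than stripping the characters and sending anyway, also leaves a clear event to log and alert on.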

Solution:
An updated version 1.2.3 is available in the extension repository and at typo3.org/extensions/repository/view/tipafriend/1.2.3/

Users of the extension tipafriend are advised to update the extension immediately.

General advice:
Follow the recommendations that are given in the TYPO3 Security Cookbook.

Credits:
Thanks to security team members Thorsten Kahler and Andreas Otto, who discovered the issue and provided a fix when reporting it to the security team.