Email header injection

2007-02-21T00:00:00
ID TYPO3-20070221-1
Type typo3
Reporter TYPO3 Association
Modified 2007-02-21T00:00:00

Description

A problem has been discovered where the internal form engine can be used to send arbitrary mail headers, allowing it to be used for purposes it was not meant for.

Component Type: TYPO3 Core

Affected Versions: TYPO3 4.x below 4.0.5, 4.1beta, 4.1RC1, TYPO3 Versions 3.x

Vulnerability Type: Email header injection

Severity: low

Problem Description:
The internal form engine can be used to send arbitrary mail headers, allowing it to be used for purposes it was not meant for.

Solution:
Update to TYPO3 version 4.0.5 or later.

Credits:
Credits go to Olivier Dobberkau, Andreas Otto, and Thorsten Kahler, who discovered and supplied a patch for this issue.