#1
Dear users of TYPO3,

A problem has been discovered where the internal form engine can be used for sending arbitrary mail headers, using it for purposes which it is not meant for.

==== Component Type ====
TYPO3 Core

==== Affected Versions ====
Below 4.0.5, 4.1beta, 4.1RC1

==== Vulnerability Type ====
Email header injection

==== Severity ====
low

==== Solution ====
Update to TYPO3 version 4.0.5 or later by downloading it at:
http://typo3.org/download/packages/

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security Cookbook, which can be found on:
http://typo3.org/teams/security/

==== Credits ====
Credits go to Olivier Dobberkau, Andreas Otto, and Thorsten Kahler, who discovered and supplied a patch for this issue.

The just released version 4.0.5 contains a lot of other non-security related fixes, so an upgrade is highly recommended in any situation.

Regards,
Lars Houmark
TYPO3 security team

_______________________________________________
TYPO3-dev mailing list
TYPO3-dev (AT) lists (DOT) netfielders.de
http://lists.netfielders.de/cgi-bin/...info/typo3-dev
#2
Lars Houmark wrote:
> Dear users of TYPO3,
>
> A problem has been discovered where the internal form engine can be used
> for sending arbitrary mail headers, using it for purposes which it is
> not meant for.
>
> ==== Component Type ====
> TYPO3 Core
>
> ==== Affected Versions ====
> Below 4.0.5, 4.1beta, 4.1RC1

Does that mean that versions 3.8.x are also affected?

Thanks,
Luc
#3
Hi Luc,

Luc de Louw wrote:
> > ==== Affected Versions ====
> > Below 4.0.5, 4.1beta, 4.1RC1
> Does that mean that Versions 3.8.x are also affected?

Yes. Every release that was made before 4.0.5 is affected.

Cheers,
Andreas
#4
Lars Houmark wrote:
> A problem has been discovered where the internal form engine can be used
> for sending arbitrary mail headers, using it for purposes which it is
> not meant for.
> ==== Severity ====
> low
>
> ==== Solution ====
> Update to TYPO3 version 4.0.5 or later by downloading it at:
> http://typo3.org/download/packages/

Thanks to those discovering and fixing this issue.

Are there any ways to fix this issue in older versions without upgrading to 4.05? (like the rte-fix in December 2006 which was provided for different versions)

Could you explain the risk a bit more specifically? What consequences could an attack have when you rate it with severity low?

Thanks,
Tom
#5
In message mailman.1.1172092028.24995.typo3-dev...netfielders.de, Tom Walter <t3 (AT) wnets (DOT) de> wrote on 21.02.2007 at 22:07:
> Could you explain the risk a bit more specific?
> What consequences could a attack have when you rate it with severity low ?

Hi Tom,

People could tamper with the input fields to send spam mail through your server.

Have a look at this:
http://typo3.svn.sourceforge.net/vie...YPO3_4-0-5/t3lib/class.t3lib_formmail.php?r1=1646&r2=2144

I am not sure if there is going to be a patch for older versions.

Any takers for a backport?

Olivier
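The bug class named in the bulletin (#1) and explained by Olivier above is email header injection: a form value that contains a line break ends up starting a new header line in the outgoing message. The following is an added illustration in Python, not TYPO3's PHP code and not the patch linked above. It places a form-mail header builder that pastes the submitted address straight into a header line beside a hardened builder that rejects any value containing CR, LF or NUL and requires the sender field to be a single plain address, plus a small check that reports which submitted fields look tampered with so a site can log them. All field values, names and addresses are constructed samples.

```python
import re

# Constructed sample submissions. A legitimate sender address contains no
# line breaks; the tampered one carries a CRLF followed by a second header,
# which is exactly the shape of input the bulletin warns about.
LEGIT_FIELDS = {
    "email": "alice@example.com",
    "subject": "Question about your site",
    "message": "Hi there",
}
TAMPERED_FIELDS = {
    "email": "alice@example.com\r\nBcc: someone-else@example.net",
    "subject": "Question about your site",
    "message": "Hi there",
}

# Any of these characters inside a header value lets the value break out of
# its own header line (NUL is included because some mailers truncate on it).
HEADER_BREAK_RE = re.compile(r"[\r\n\x00]")

# Deliberately strict: one plain mailbox, no display name, no angle brackets,
# so a single submitted field can never contain more than one address.
PLAIN_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class HeaderInjection(ValueError):
    """Raised when a submitted field cannot safely be used as a header value."""


def build_headers_unsafe(fields):
    """Pre-fix pattern: submitted values concatenated directly into headers.

    Kept only to show the effect; a line break in any field yields extra
    header lines the form author never intended.
    """
    return "From: {}\r\nSubject: {}\r\n".format(fields["email"], fields["subject"])


def sanitize_header_value(value):
    """Reject (rather than silently strip) values that could add header lines."""
    if HEADER_BREAK_RE.search(value):
        raise HeaderInjection("line break or NUL in header value")
    return value


def build_headers_safe(fields):
    """Hardened builder: every header value is checked before it is used."""
    sender = sanitize_header_value(fields["email"])
    if not PLAIN_ADDRESS_RE.match(sender):
        raise HeaderInjection("sender field is not a single plain address")
    subject = sanitize_header_value(fields["subject"])
    return "From: {}\r\nSubject: {}\r\n".format(sender, subject)


def header_lines(raw_headers):
    """Split a header block into its non-empty lines (for inspection only)."""
    return [line for line in raw_headers.split("\r\n") if line]


def suspicious_fields(fields):
    """Names of submitted fields containing header-breaking characters.

    Useful for logging: a contact form that receives such values is being
    probed, whether or not the mail builder is vulnerable.
    """
    return [name for name, value in fields.items() if HEADER_BREAK_RE.search(value)]


def is_rejected(fields):
    """True if the hardened builder refuses this submission."""
    try:
        build_headers_safe(fields)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, legit   :", header_lines(build_headers_unsafe(LEGIT_FIELDS)))
    print("unsafe, tampered:", header_lines(build_headers_unsafe(TAMPERED_FIELDS)))
    print("safe, legit     :", header_lines(build_headers_safe(LEGIT_FIELDS)))
    print("safe, tampered  : rejected =", is_rejected(TAMPERED_FIELDS))
    print("suspicious fields:", suspicious_fields(TAMPERED_FIELDS))
```

Rejecting the submission outright, instead of stripping the line breaks and sending anyway, is the deliberate choice here: a value that contains a CRLF is never a legitimate address, and refusing it gives the site a clean event to log.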
#6
Olivier Dobberkau wrote:
> In message mailman.1.1172092028.24995.typo3-dev...netfielders.de, Tom Walter <t3 (AT) wnets (DOT) de> wrote on 21.02.2007 at 22:07:
>
>> Could you explain the risk a bit more specific?
>> What consequences could a attack have when you rate it with severity low ?
>
> Hi Tom,
>
> People could tamper with the inputsfields to send spammail thru your server.
>
> Have a look at this:
>
> http://typo3.svn.sourceforge.net/vie...YPO3_4-0-5/t3l
> ib/class.t3lib_formmail.php?r1=1646&r2=2144
>
> I am not sure if there is going to be a patch for older versions.
>
> Any takers for a backport?
>
> Olivier

We have diffs for 3.6.2/3.7.1/3.8.1 available. Where to publish, as I couldn't find any in bugs.typo3.org?

Regs. Peter.

--
Fiat lux! Docendo discimus.
_____________________________
4Many® Services
openBC: http://www.openbc.com/go/invuid/Peter_Russ
#7
Olivier Dobberkau wrote:
[...]
> I am not sure if there is going to be a patch for older versions.
>
> Any takers for a backport?
>
> Olivier

Diffs for TYPO3 3.6.2/3.7.1/3.8.1 can be found here: http://www.4many.net/81.html

Regs. Peter.

--
Fiat lux! Docendo discimus.
_____________________________
4Many® Services
openBC: http://www.openbc.com/go/invuid/Peter_Russ
#8
In message mailman.1.1172143911.25647.typo3-dev...netfielders.de, Peter Russ <peter.russ (AT) 4many (DOT) net> wrote on 22.02.2007 at 12:31:
> Regs. Peter.

Thanks Peter.

Olivier
#9
Peter Russ wrote:
> Diffs for TYPO3 3.6.2/3.7.1/3.8.1 can be found here

Great, thanks!

Tom