Postie
[resolved] All Emails Being Treated As Possible XSS Attacks & Blocked (44 posts)

  1. tempestamedia
    Member
    Posted 1 year ago #

    Hi All,

    I just installed Postie on my new WordPress website. It was a standard installation, with no special customizations.

    I was able to successfully run a config. test. I then sent several emails from 4 different email accounts (on 2 different email systems) to my Postie email address.

    All of them have been flagged "memory at start of e-mail processing:31648640
    possible XSS attack - ignoring email"

    What's going on here? All 4 of these email addresses were added as approved posters. All were configured to have all HTML and signatures removed.

    I then logged into the actual email account being used for Postie. All emails were sitting there and openable, so I know it is not a mail host (origination or destination) issue.

    My guess is that the latest release of Postie is somehow accidentally triggering all these false alarms. The problem is that it is doing it for every email address. I even tried turning off the "Allow anyone to post" option (setting to yes). That still didn't fix the issue.

    Does anyone have any suggestions on what to do here? I'm at a complete loss.

    Thanks!

    http://wordpress.org/extend/plugins/postie/

  2. Gethin Coles
    Member
    Posted 1 year ago #

    Me too (although for me I get this message if I set "delete mail after posting" to no. If it's set to yes it doesn't see any mail at all).

  3. j4m1eb
    Member
    Posted 1 year ago #

    I'm having the exact same problem, worked for me previously.

  4. rocknrollstar2
    Member
    Posted 1 year ago #

    Yes, same thing! Any fixes welcome.
    Simply get "possible XSS attack - ignoring email"

  5. ruffhouse
    Member
    Posted 1 year ago #

    I started getting the error too after latest upgrade to Version 1.4.4.

    EMAIL SUBJECT: Unauthorized Post Attempt from Root User <root@localhost>

    If you wish to allow posts from this address, please add Root User <root@localhost> to the registered users list and manually add the content of the e-mail found below.

    Otherwise, the e-mail has already been deleted from the server and you can ignore this message

  6. mwaldegg
    Member
    Posted 1 year ago #

    Hey!

    Maybe I've found a workaround for the XSS problem:

    I had exactly the same problem since the last update of Postie...

    What works for me:

    I've simply changed the mail server to POP3 instead of IMAP just to test it (I use Googlemail, which supports both) and now everything works fine!

    So, maybe you can try this as a workaround too, if your mail server is running POP3...

    Kind regards from Austria

  7. rocknrollstar2
    Member
    Posted 1 year ago #

    @mwaldegg

    Thanks for your help. Unfortunately this didn't work for me. I had tried that already though. I too am on gmail, but it's a google apps email, so not sure if it makes any difference. Are you using pop3 ssl?

    However, I have noticed that the error only happens when I am attaching an image file. Did a few tests, came up with the following

    JPG: "possible XSS attack - ignoring email"
    GIF: "possible XSS attack - ignoring email"
    PDF: works fine
    DOC: took ages with a 500kb doc, but added as attachment ok.

    Any ideas? Thank you :)

  8. mwaldegg
    Member
    Posted 1 year ago #

    Hey

    I'm using a Google Apps address too! And yes, via POP3 SSL!

    My tests came up with the same result as yours. Mails without images worked fine. However, some JPGs never worked, and some others sometimes worked and sometimes not..

    With pop3 ssl I've tested about 50 mails with a lot of different images and all worked without problems.

  9. rocknrollstar2
    Member
    Posted 1 year ago #

    @mwaldegg
    Just to be clear-

    some JPGs never worked
    and
    all worked without problems

    Which one?

    I've just downloaded the previous version 1.4.3, and my first gif attachment worked fine.

  10. mwaldegg
    Member
    Posted 1 year ago #

    Hey,

    When I use POP3 SSL (Gmail) all mails with all images work fine.

    With IMAP SSL (Gmail) some mails with an attached JPG never worked, and other JPGs sometimes worked without the XSS error, and the next time I tried the same mail with the same image they didn't work.

    1.4.3 should work, because the problematic "feature" with prevention of XSS attacks was implemented in the newest version.

  11. DaveofDC
    Member
    Posted 1 year ago #

    I'm having same problem -- I'm now using 1.4.4.

    I'm getting the XSS error message. I can't get anything posted on WordPress.

    First, change the setting in Postie "Delete email after posting" to NO. It defaults to yes -- the email will not be posted and will disappear. It's good to keep the email in case a solution is found with this latest plugin.

    My host does support IMAP, I don't have the option to change from POP3. Am I missing something here?

    I hope the Postie author will come out with a solution ASAP.

  12. Coach Karl Ruegg
    Member
    Posted 1 year ago #

    Same here!
    Was running like a charm until a few days ago.
    Now getting this error message: "possible XSS attack - ignoring email"
    I am glad to know that I am not the only person struggling with this and hope that the issue will be resolved soon.
    Karl

  13. ruffhouse
    Member
    Posted 1 year ago #

    I did not find a solution but am able to use the old version (1.4.3) on this page without problems: http://wordpress.org/extend/plugins/postie/developers/

  14. mathew.weaver
    Member
    Posted 1 year ago #

    It appears that the recent (v1.4.4) XSS attack fix is a little aggressive and blocks all base64 attachments. Many email client applications encode attachments as base64, and Postie v1.4.4 is now blocking base64 attachments.

    Here is the fix:

    - Open ./wp-content/plugins/postie/get_mail.php
    - Go to line 36, you will see

    // check for XSS attacks - we disallow any javascript, meta, onload, or base64
    if (preg_match("/.*(script|onload|meta|base64).*/is", $email)) {
        echo "possible XSS attack - ignoring email\n";
        continue;
    }

    - On line 37, remove "|base64" so it looks like this:

    // check for XSS attacks - we disallow any javascript, meta, onload, or base64
    if (preg_match("/.*(script|onload|meta).*/is", $email)) {
        echo "possible XSS attack - ignoring email\n";
        continue;
    }

    - Save the file (make sure to upload the change if you are modifying the file on your local machine)

    With that fix, the attachments come through as expected.

  15. joelthetroll
    Member
    Posted 1 year ago #

    I'm removing this from my plugin copy because it is finding 2 matches:
    1. The majority of the email headers (just in one huge block so this regex is invalid from what I can tell)
    2. Meta, but it isn't anywhere in the email.

    I don't see how I would have to worry about xss if only my blog authors and contributors can use Postie.

    I recommend you put an option on the first menu to disable this "security feature." I don't want to have to edit the plugin every time it gets updated (with features that might actually add security, xss is really the least of my worries), since I am working on a project for another company and don't want to have to deal with minor issues like this.

    Thanks, the plugin has worked great sans this minor issue.
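    To illustrate what mathew.weaver's fix and joelthetroll's two matches describe, here is an added example (Python rather than the plugin's PHP, and not code from the thread or from Postie): the 1.4.4 keyword check run over a constructed plain-text mail with a base64 attachment, which shows that it fires on the Content-Transfer-Encoding header and on "script" inside the word "description". The narrower check that decodes the MIME parts and inspects only text/html bodies is an assumption about a better design, not anything the plugin ships.

```python
import email
import re
from email import policy

# Constructed sample (not a real message from the thread): a plain-text post
# with a base64-encoded attachment, the way most mail clients send them.
SAMPLE_MAIL = b"""\
From: Root User <root@localhost>
To: postie@example.invalid
Subject: Where Do You Find?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Plain text only; the description of the trip is in the attachment.
--b1
Content-Type: image/jpeg; name="photo.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.jpg"

/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0a
--b1--
"""

# The 1.4.4 check re-expressed with Python's re instead of PHP's preg_match.
# The original's leading/trailing ".*" do not change whether it matches, so
# they are dropped here to let findall() report every keyword that fired.
POSTIE_144_RE = re.compile(r"(script|onload|meta|base64)", re.I | re.S)

def postie_144_blocks(raw: bytes) -> bool:
    """True when the 1.4.4 check would print 'possible XSS attack'."""
    return POSTIE_144_RE.search(raw.decode("latin-1")) is not None

def matched_keywords(raw: bytes) -> list:
    """The keywords that fired, showing why a benign mail is rejected."""
    return sorted({m.lower() for m in POSTIE_144_RE.findall(raw.decode("latin-1"))})

# Narrower alternative (an assumption for illustration, not the plugin's code):
# decode the MIME parts and look for real markup only inside text/html bodies.
MARKUP_RE = re.compile(r"<\s*(script|meta)\b|\son[a-z]+\s*=", re.I)

def html_body_has_markup(raw: bytes) -> bool:
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            if MARKUP_RE.search(part.get_content()):  # transfer-encoding decoded
                return True
    return False
```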

  16. joelthetroll
    Member
    Posted 1 year ago #

    If the author wants I'll make the option and send him the code since I'm special requesting it.

  17. Gethin Coles
    Member
    Posted 1 year ago #

    I agree joel, if you're posting to a unique email address and only verified people can post, isn't this security enough? And if the email address does get hacked, isn't there flood protection? And a simple change of email address should set it straight.

  18. DaveofDC
    Member
    Posted 1 year ago #

    I removed "|base64" per mathew.weaver in Postie 1.4.4. I still get the error message. However, after some testing, here what I got. The test email I sent to my WordPress did show up my WordPress fine. When I sent my eNewsletter (I use one of the email services), I was unable to get Postie to load into my WordPress. The eNewsletter was still in our group mailbox.

    I removed 1.4.4 and loaded 1.4.3., nothing came out of this – it didn't work as it should be. Another eNewsletter was sent out this morning, I ended up getting at least 9 posts on WordPress. In further checking, all 9 posts were blank – but I could see "box borderline" with no message. When I opened the Post using editor, I was not seeing anything in the body. When I clicked "Source", I discovered our eNewsletter header coding but no body content.

    I immediately deactivated Postie (I could change the setting to "Delete email after posting"; see my previous email). I think this is still a problem I had when using the earlier Postie 1.4.2. Postie 1.4.2 was working fine until I upgraded to WordPress 3.4.0 (or maybe one version earlier, I can't remember).

    I believe it has something to do with Postie not being able to handle the header in the eNewsletter. When WordPress 2.x and Postie 1.4.2 were working, I would be able to remove the header and publish the content. I also removed the footer.

    I think the problem lies between WordPress 3.4.X and Postie 1.4.2 and later versions – I read somewhere WordPress rewrote WordPress's core. So conflicts started there.

    I'm frustrated. And I'm sure many others are too. I'm sorry to say, I think WordPress management needs better control of how plug-ins are posted, and if there are problems within a few days, management needs to either contact the author or remove the plug-in.

  19. DaveofDC
    Member
    Posted 1 year ago #

    I forgot to mention in my previous email – Postie is a one-of-a-kind plug-in. I have been searching for a new plug-in – I found one; this plug-in requires me to load it into WordPress each time an eNewsletter is sent out. I don't have time to do that. And this plugin is no longer supported or available – the company that created this plugin is gone.

    It is my hope there would be a paid version which allows more features and on-going upgrades. I believe Postie is one of the best (and still the only one) – I hope the author would do two versions – basic Postie for free and Advanced Postie for a fee.

  20. SimonNWalker
    Member
    Posted 1 year ago #

    I modified the ./wp-content/plugins/postie/get_mail.php as recommended by mathew.weaver and it allowed the emails to get processed, but now it's not taking my attached images and inserting them in the post like it used to.
    Any ideas ?

  21. LiveKnut
    Member
    Posted 1 year ago #

    Hmmm... Same for me. Only TEXT mails work fine.
    Have installed version 1.4.4.
    POP3 SSL isn't working either.

    Any news from someone to this?

    Regards,
    Knut

  22. jrothra
    Member
    Posted 1 year ago #

    Like many others, I'm having this same problem. I've got Postie set as POP3, port 110, and to not delete emails. The test emails I'm sending are from my Gmail account, which is set as an approved email address. Also, the test emails include no images or attachments -- text only. 100% are being ignored as possible threats. Very frustrating for such a potentially great plugin.

  23. Maffyou
    Member
    Posted 1 year ago #

    I am also having this problem, however I am using a slightly different setup to most. I am publishing from a Gapps email address. When I manually send an email to this account, it gets posted without any problems. However I am also sending emails to this account from a Google Docs spreadsheet using a Google Script (I'm using the spreadsheet to automatically generate the html code that I want to get posted). Any emails sent from the spreadsheet get flagged as possible XSS attacks (and I have added the Gapps account to the approved 'users' in Postie).

  24. JoyfulArt
    Member
    Posted 1 year ago #

    If you create a USER with the email that you plan to use, you won't get that error message again.

    It appears to be a security feature that will prevent illegal emails from being posted. Every email that you want to have post via Postie must have a user account.

    Make sure you set your Author, Editor, etc. status in the settings.

  25. jrothra
    Member
    Posted 1 year ago #

    @JoyfulArt,

    Then what's the point of the "Authorized Addresses" section? That section is different from the user, per the description: "Posts from emails in this list will be treated as if they came from the admin. If you would prefer to have users post under their own name - create a WordPress user with the correct access level."

    This differentiates "authorized users" (addresses who post as the admin) from regular users (addresses who post as themselves).

  26. JoyfulArt
    Member
    Posted 1 year ago #

    That was my thought too - but that's how I solved the problem. The User settings override the email addresses added in that field.

  27. ncvjensen
    Member
    Posted 1 year ago #

    Same problem for me. Sure hope there will be an update soon.

    Is it possible to install a older version?

  28. ruffhouse
    Member
    Posted 1 year ago #

    Hi ncvjensen, you can get the old version (1.4.3) on this page: http://wordpress.org/extend/plugins/postie/developers/

    That worked for me to fix this new issue, but I suppose I am vulnerable to attacks. I manually edit and publish user-submitted posts prior to publishing them, so I guess I'm safe as I would be able to catch hidden HTML in a post before it's published, but be careful.

  29. Dsmythe
    Member
    Posted 1 year ago #

    I ended up just pulling the entire section of code because, like others, I could not see what was in the plain text mails that was running afoul of the new code. I did @joyfulart's suggestion to check/add the user to no avail. I made the change using the plugin editor within WP by commenting out the lines. (// in front of each)

    Probably not the best solution and I'll continue to follow this thread hoping someone figures it out.

    Here is the postie test log after I removed the XSS code... perhaps someone can comment on what part of "script|onload|meta|base64" this might be running afoul of...

    **********************
    memory at start of e-mail processing:29427464
    Confirming Access For usersname@att.net
    posting as user 2

    Message Id is :<002101cd80de$30b9a420$922cec60$@usersname@att.net>

    primary= multipart, secondary = alternative
    primary= text, secondary = plain

    Post Author: 2
    Date: 2012-08-22 21:20:04
    Category: 3
    Ping Status: open
    Comment Status: closed
    Subject: Where Do You Find?
    Postname: where-do-you-find
    Post Id: 567
    Posted content:

    (large blob here of plain text looking email)

    memory at end of e-mail processing:29512368
    **********************

  30. jrothra
    Member
    Posted 1 year ago #

    @Dsmythe - What section of code did you pull/comment out?
