WordPress.org

Forums

Postie
[resolved] All Emails Being Treated As Possible XSS Attacks & Blocked (44 posts)

  1. Dsmythe
    Member
    Posted 1 year ago #

    I pulled all of this:

    // check for XSS attacks - we disallow any javascript, meta, onload, or base64
    // (this is an unanchored, case-insensitive substring match against the whole
    // raw message, so it also fires on ordinary words that contain these strings)
    if (preg_match("/.*(script|onload|meta|base64).*/is", $email)) {
        echo "possible XSS attack - ignoring email\n";
        continue;
    }
  2. Gethin Coles
    Member
    Posted 1 year ago #

    Removed that XSS code, and now get
    Invalid sender: ! Not adding email!
    A copy of the message has been forwarded to the administrator.
    Ignoring email - not authorized.
    memory at end of e-mail processing:29819520

    despite the sender being listed AND also the admin

    ho hum

  3. mnemeth
    Member
    Posted 1 year ago #

    Thank you mathew.weaver; doing explicitly what you suggested worked for me.

  4. shawnkhall
    Member
    Posted 1 year ago #

    The new anti-xss code will also prevent messages with any of the following words within them from being processed:
    description
    subscription
    scripture
    metabolism
    metallic
    metadata
    as well as over 700 more.

    So forget about telling someone to "manage their subscription" or mention biblical scripture in a message you want Postie to publish to your website.

    I'm reverting to 1.4.3.

    @robfelty - if you want to implement this type of functionality, it *really* needs to have a front-end option for us to disable it.

  5. magicmarcv
    Member
    Posted 1 year ago #

    I just played around a bit. I'm using apple mail app, so that might have something to do with it.

    When I removed both "base64" and "meta" it started working for me.

    A security risk, but I haven't had any problems so far. And if I do, I'll address it then.

    Thanks for the help of the community

  6. shawnkhall
    Member
    Posted 1 year ago #

    What users should understand is that this is only a security risk *if* none of the existing options to prevent unauthorized content are used. You should be using a unique email address for the target address, and a specific authorized sender email address, or allowed SMTP servers or any of the other methods to ensure validity of the content before posting. If you're already doing that, then this "feature" will only introduce problems for legitimate messages - such as blacklisting common terms in the content or attachments.

  7. simsketch
    Member
    Posted 1 year ago #

    I pulled lines 36-40 (commented them out with "//") and I was able to make posts again.

  8. Valdars
    Member
    Posted 1 year ago #

    I also ended up commenting out the antiXSS check code, mainly because I trust my sender authorization settings. But the reason why the antiXSS check causes problems is that it checks for usage of "meta" and "base64", both of which are frequently used for legitimate reasons. I hope the plugin author finds some better way of handling the antiXSS check.
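Editor's worked example (added here; this is not Postie's code and not something any poster in this thread wrote). It runs the blacklist quoted in post 1 next to a parser-based check over a few constructed sample bodies, to show concretely what posts 4 and 8 describe: the substring match blocks "subscription" and "Metabolism" while letting an `onerror` handler through, because it looks for words rather than for the HTML contexts in which script actually executes. The `contextual_xss_check()` function, its tag/attribute lists and the sample messages are all assumptions made for this illustration; it presumes the message body has already been extracted from the MIME envelope.

```php
<?php
// Added example, not Postie's own code. Sample inputs below are constructed.

// The check quoted in post 1 (Postie 1.4.4): any of these substrings anywhere in
// the raw message rejects it. The surrounding .* are redundant; the match is
// unanchored and case-insensitive, so "description" and "Metallic" both hit.
function naive_xss_check(string $email): bool {
    return (bool) preg_match('/.*(script|onload|meta|base64).*/is', $email);
}

// Hypothetical alternative: parse the body as HTML and report only constructs
// that execute script or change document context: <script>/<meta>/<base> and
// friends, on* event-handler attributes, and javascript:/data: URIs. A plain
// word like "scripture" in text content is never reported.
function contextual_xss_check(string $html): array {
    $findings = [];
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);           // be quiet about sloppy email HTML
    $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();

    $dangerous_tags  = ['script', 'meta', 'base', 'iframe', 'object', 'embed'];
    $uri_attributes  = ['href', 'src', 'action', 'formaction'];

    foreach ($dom->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->tagName);
        if (in_array($tag, $dangerous_tags, true)) {
            $findings[] = "tag:<$tag>";
        }
        foreach ($el->attributes as $attr) {
            $name  = strtolower($attr->name);
            $value = trim($attr->value);
            if (strncmp($name, 'on', 2) === 0) {
                $findings[] = "event-handler:$name";
            } elseif (in_array($name, $uri_attributes, true)) {
                // Browsers ignore whitespace/control characters before the scheme,
                // so strip them before looking at it.
                $scheme = strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $value));
                if (preg_match('/^(javascript|vbscript|data):/', $scheme)) {
                    $findings[] = "uri-scheme:$name";
                }
            }
        }
    }
    return $findings;
}

// Constructed sample bodies: two legitimate messages that the blacklist rejects,
// one real injection it misses, and one that both checks catch.
$samples = [
    'plain'   => 'Please manage your subscription at https://example.com/prefs',
    'html'    => '<p>Metabolism talk tonight, details <a href="https://example.com/">here</a>.</p>',
    'onerror' => '<p>Photo:</p><img src="x" onerror="alert(document.cookie)">',
    'jsuri'   => '<a href="javascript:alert(1)">click</a>',
];

foreach ($samples as $label => $body) {
    printf("%-8s blacklist=%-5s parser=%s\n",
        $label,
        naive_xss_check($body) ? 'BLOCK' : 'pass',
        implode(',', contextual_xss_check($body)) ?: 'none');
}
```

Run with `php example.php`: `plain` and `html` are blocked by the blacklist and clean for the parser, `onerror` passes the blacklist but is reported as `event-handler:onerror`, and `jsuri` is caught by both (the blacklist only because "javascript" happens to contain "script"). As post 6 notes, none of this substitutes for authorizing the sender first; and in a WordPress plugin the usual approach is to filter the accepted body through an allowlist sanitizer such as wp_kses_post() rather than to reject whole messages on a keyword.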

  9. Maison Cupcake
    Member
    Posted 1 year ago #

    I've only installed postie today and although it's showing emailed post titles ok, neither images nor text are being displayed.

    My geekiness has its limits - I can't understand why emailing to WP is so hard when it was one of the few things Blogger did properly.

  10. scottdennison
    Member
    Posted 1 year ago #

    I ended up deleting and reinstalling the previous version 1.4.3 and now all works just fine. Seeking input from @http://profiles.wordpress.org/robfelty/ to address the XSS errors issue that comes with the latest version.

    As a power user/blogger, trying to move stories from Google reader, via IFTTT to Postie and to my blog, I would be excited to hear that he's decided to monetize his project with a pro level at a Buffer type price (Awesome is $10/mo).

    What say you Mr Felty?

  11. benchwarmer
    Member
    Posted 1 year ago #

    I commented out the code. It's completely frivolous for me. All posts come in through a single-source email address tied to multiple broadcast only listservs (meaning I control the messaging at all levels). The risk of an XSS attack, at least for me, is essentially zero.

    Commenting out did restore functionality.

  12. Wayne Allen
    Member
    Plugin Author

    Posted 1 year ago #

    1.4.5 has fixed this XSS issue

  13. terrykiwi
    Member
    Posted 1 year ago #

    I just installed Postie for the first time and have been struggling with this issue. It is v1.4.5, so it is NOT fixed.

  14. Wayne Allen
    Member
    Plugin Author

    Posted 1 year ago #

    1.4.5 did fix some XSS issues, but clearly not all. 1.4.6 will be doing this differently.

Topic Closed

This topic has been closed to new replies.
