WordPress.org

Postie
Deletes Email but doesn't post (21 posts)

  1. mcmillad
    Member
    Posted 1 year ago #

    I installed postie yesterday and was able to post twice via email. Today when I try, postie goes in and deletes the email but does not post the content. I haven't changed anything. Anyone else having this problem or know how to fix it? Using WordPress 3.4.1 and the latest postie version.

    http://wordpress.org/extend/plugins/postie/

  2. ariwinokur
    Member
    Posted 1 year ago #

    I am having the same issue but only with certain users. Anyone have any insight on this?!

  3. Strictly Software
    Member
    Posted 1 year ago #

    I am having the same problem. It seems to be the regular expression that fixes XSS attacks, which is on line 38 of postie_getmail.php:

    if (preg_match("/.*(script|onload|meta|base64).*/is", $email)) {
        echo "possible XSS attack - ignoring email\n";
        continue;
    }

    I tested this by echoing out the full email just before the regex test when running the "Check for mail manually" option in the config area.

    As the email is base64 encoded (well, mine is anyway) the full headers are shown at the top of the encoded email, e.g.

    Return-Path:
    X-Original-To: xx12autopost230.sitename@domain-name.com
    Delivered-To: xx12autopost230.sitename@domain-name.com
    Received: from smtp-relay-2.myrelay (smtp-relay-2.myrelay [111.11.3.197])
    	by domain-name.com (Postfix) with ESMTP id 8497724009C
    	for ; Mon, 22 Oct 2012 05:49:32 +0000 (UTC)
    Received: from xxxxxxx (unknown [11.1.1.1])
    	by smtp-relay-2.myrelay (Postfix) with ESMTP id 9E3B495733
    	for ; Mon, 22 Oct 2012 06:45:30 +0100 (BST)
    MIME-Version: 1.0
    From: admin@sitename.com
    To: xx12autopost230.sitename@domain-name.com
    Date: 22 Oct 2012 06:46:28 +0100
    Subject: Subject: [My Subject Category1] [My Subject Category2] Title of Email
     October 2012
    Content-Type: text/html; charset=utf-8
    Content-Transfer-Encoding: base64
    Message-Id: <20121022054530.9E3B495733@smtp-relay-2.myrelay>
    
    PHA+PHN0cm9uZz5ZZXN0ZXJkYXlzIG1lbWJlcnMgaGFkIGFjY2VzcyB0byA0NSB0aXBzIGFj
    cm9zcyA4IGRpZmZlcmVudCBzeXN0ZW1zLjwvc3Ryb25nPjwvcD48cD5JZiB5b3UgaGFkIHBs
    YWNlZCBhIEJldGZhaXIgbWluaW11bSBiZXQgb2YgJnBvdW5kOzIuMDAgb24gZWFjaCBiZXQg
    PHN0cm9uZz5vbiBFVkVSWSBzeXN0ZW08L3N0cm9uZz4gKExheXMsIFBsYWNlIERvdWJsZXMs
    IFdpbnMgZXRjKSB0aGF0IGhhZCBhbiBTUCBsZXNzIHRoYW4gMTkvMSBhdCB0aGUgdGltZSBJ
    
    (I've just shown a bit of the message base64 encoded)

    As you can see, if you search for one of the strings he is searching for, base64 appears as a plain word, not in a script context such as base64("PHA+PHN0cm9");

    Therefore just doing a basic string search for these words

    (script|onload|meta|base64)

    will mean you will find it in the header, e.g.

    Content-Transfer-Encoding: base64

    You will also fail over for XSS hacks that don't exist if you mention the word script, onload or meta in your email, which is highly possible.

    Therefore the email will fail the test even though there is no XSS attack.

    You can either remove the word from the regex (or the whole test), or, to keep an XSS test that is more valid and uses a more complicated regular expression (which is what I have done), you can replace the code with the code below.

    Not only does this mean that it won't fail over when the words are mentioned in headers, but it actually looks for the correct usage of the hack and not just the word appearing, e.g. instead of looking for "script" it will look for <script %3Cscript </script %3Cscript (URL encoded versions, which are common XSS hacks).

    I have also added some more known attack vectors such as eval(, document., .createElement and .cookie, but as you can see I have prefixed or suffixed them all with a bracket or dot, which is how they would be used in JavaScript/PHP.

    if(preg_match("@((%3C|<)/?script|meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email))

    This also tests for <script or <meta, onload= or onload =, and base64( as it's a function so it must start with a bracket (.

    This has solved the problem for me and kept the XSS attack defence in; however, if you are passing HTML emails containing JavaScript to your site, just beware that if you use any of these functions they might be flagged up.

    I have tested each attack vector, but let me know of any problems with the regular expression. It doesn't need the .* before or after, as that will just use up more memory as it's looking for any character that may or may not be there (the longer the code, the more memory used).

    Also, if you are having issues with categories being supplied in the subject line and not appearing, then read my article on fixing that >> http://blog.strictly-software.com/2012/03/fixing-postie-plugin-for-wordpress-to.html

  4. Strictly Software
    Member
    Posted 1 year ago #

    Sorry that regular expression is missing an angled bracket for the META part.

    if(preg_match("@((%3C|<)/?script|<meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email))
          echo "possible XSS attack - ignoring email\n";
          continue;
    }

    I have put an article up about it > http://blog.strictly-software.com/2012/10/fixing-postie-wordpress-plugin-for-xss.html

  5. Strictly Software
    Member
    Posted 1 year ago #

    By the way, as someone spotted on my blog, there is a missing } on the first line, so it should be this:

    if(preg_match("@((%3C|<)/?script|<meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email)){
    	echo "possible XSS attack - ignoring email\n";
    	continue;
    }
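Added example (not code from this thread or from the Postie plugin): the original check from post 3 and the corrected regex from post 5, run with Python's re module instead of PHP's preg_match (the patterns are unchanged; PHP's "is" flags become re.I | re.S) over a constructed mail laid out like the dump in post 3. It also goes one step beyond the thread by decoding the base64 body before testing, because a check on the raw message cannot see markup that sits inside an encoded body; the addresses and helper names are assumptions.

```python
import base64
import re

# Postie's original test (post 3): any of four bare words anywhere in the raw mail.
ORIGINAL_RE = re.compile(r".*(script|onload|meta|base64).*", re.I | re.S)

# Strictly Software's corrected replacement (post 5): the same PCRE pattern run through
# Python's re instead of PHP's preg_match; PHP's "is" flags map to re.I | re.S.
STRICTER_RE = re.compile(
    r"((%3C|<)/?script|<meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()",
    re.I | re.S,
)

def build_mail(html_body):
    """Constructed sample shaped like the dump in post 3: headers, blank line, then a
    base64-encoded HTML body. Addresses are placeholders."""
    return (
        "From: editor@example.test\r\n"
        "To: autopost@example.test\r\n"
        "Subject: [News] Weekly update\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n" + base64.b64encode(html_body.encode()).decode()
    )

def flagged_by(pattern, raw_mail):
    """Return the fragment that tripped the pattern, or None if the mail passes."""
    match = pattern.search(raw_mail)
    return match.group(1) if match else None

def decoded_body(raw_mail):
    """Split headers from body and undo base64 when the header declares it."""
    headers, _, body = raw_mail.partition("\r\n\r\n")
    if re.search(r"^Content-Transfer-Encoding:\s*base64", headers, re.I | re.M):
        return base64.b64decode(body).decode("utf-8", "replace")
    return body

def is_suspicious(raw_mail):
    """Stricter regex over the raw mail AND over the decoded body. Both regexes on the
    page see only the raw message, so markup inside a base64 body is invisible to
    them; decoding first is what closes that gap."""
    return bool(STRICTER_RE.search(raw_mail) or STRICTER_RE.search(decoded_body(raw_mail)))

HARMLESS = build_mail("<p>Meeting notes for the script review, October 2012</p>")
print("original regex trips on:", flagged_by(ORIGINAL_RE, HARMLESS))  # base64 (the header)
print("stricter regex trips on:", flagged_by(STRICTER_RE, HARMLESS))  # None
print("suspicious once decoded:", is_suspicious(HARMLESS))            # False
```
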

  6. DaveofDC
    Member
    Posted 1 year ago #

    Strictly Software,

    I removed 1.4.4 and reinstalled 1.4.3. But nothing works. 1.4.3 is posting with blank content. 1.4.3 used to work with the older WordPress version, but not any longer with the current one.

    I've had a bad experience with 1.4.4 and I'm afraid to upgrade again.

    My question: should I give it a try and upgrade to 1.4.4 one more time? Or do you have a suggestion for how I can fix 1.4.3?

    I still have emails sitting in our Inbox that I want to post on our WordPress.

    FYI, I'm no programmer (well, I used to major in programming using mainframes, so this is programming).

  7. Strictly Software
    Member
    Posted 1 year ago #

    Have you tried the fix I provided?

  8. Wayne Allen
    Member
    Plugin Author

    Posted 1 year ago #

    1.4.5 includes fixes to the false XSS detection.

  9. Strictly Software
    Member
    Posted 1 year ago #

    Do you mean it includes a different fix to the fix that was previously there and didn't work?
    Does it handle headers in the email and other false positives as the regular expression I provided tries to do?

    Thanks

  10. Wayne Allen
    Member
    Plugin Author

    Posted 1 year ago #

    It is using your regex.

  11. DaveofDC
    Member
    Posted 1 year ago #

    Wow, glad we have a new maintainer. I'm looking forward to giving this a try (don't know why I didn't get any notice to upgrade the plugin). I've just been reading all the support questions; I'll wait a day or two before downloading in case there is a quick fix to 1.4.5.

    One question: will this plugin remove the header and footer from the email blasts our organization sends out? I tried using the :start and :end, but it never worked. I may not understand what I'm supposed to do.

    In the past, I have had to open each post and remove both the header and footer. I just want to keep the subject and content of the email.

    Thanks, and I am looking forward to working with you (and all the others). This is long overdue, and I will provide feedback and/or suggestions for future enhancements if you like.

    Dave

  12. Wayne Allen
    Member
    Plugin Author

    Posted 1 year ago #

    It would be great if you could send a sample email to postie-test@devzing.com so I could better see what is happening.

  13. DaveofDC
    Member
    Posted 1 year ago #

    Wayne I sent you two emails over the weekend.

  14. Wayne Allen
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks, I did get them. By chance does the same problem happen if you forward a copy to your install vs. receiving the original unforwarded email?

  15. DaveofDC
    Member
    Posted 1 year ago #

    It worked -- however, our group did an email blast this morning and it didn't show up for me to post.

    I do not know if the problem is coming from our email provider or not.

  16. Wayne Allen
    Member
    Plugin Author

    Posted 1 year ago #

    Is it possible to get postie-test@devzing.com added to the distribution list? I'd love to see them as received.

    Also I've noticed that at least for gmail I can choose to not delete emails and Postie will not reprocess them. Might be worth a quick test on your mail server. That way you can be certain what arrived.

    I am planning to add a bunch more logging to Postie so you can see what is happening when things go wrong.

    Wayne

  17. DaveofDC
    Member
    Posted 1 year ago #

    Done. I also sent you an email giving you our secret email address to send to our WordPress.

  18. Wayne Allen
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks

  19. DaveofDC
    Member
    Posted 1 year ago #

    Wayne, ran another email blast this morning and it didn't work. I did the manual run and got XSS warning message. I'm not sure if it's the same XSS problems mentioned above (by Strictly Software). Should I deactivate my plugin until a fix is available? Or try to do what Strictly Software suggested? Thanks so much in advance.

  20. Strictly Software
    Member
    Posted 1 year ago #

    Hi, you would need to send me your whole email as echoed out just before the XSS test for me to see what is triggering the error.

    You could be passing actual META tags in your source, which would be a legitimate firing of the error message, or actual script in your HTML.

    The only way to not fire the message is to either remove the test or not pass them across.

    The XSS fix worked for me, and it was due to the word Base64 occurring in the email headers, so now the new regex I put in doesn't fire and it works. However, if you are using a different mail server to me or passing HTML that includes script or META tags, then you could be firing the test. The only way to know is to make a simple test with the full content of your email as it appears on the admin screen when you "run Postie manually" and then break down the regular expression to see what part of your email content is causing it to fire.

    Thanks

  21. DaveofDC
    Member
    Posted 1 year ago #

    Just forwarded you a copy of the eNews we sent out this morning (I got your email address from your website). Let me know if you got it. Thanks a million!!

Topic Closed

This topic has been closed to new replies.
