• Resolved strictly-software

    (@strictly-software)


    Every mail client is different.

    They all add different headers and no-one here knows what sort of content you are posting to the website if you don’t actually display it in the question/forum.

    Therefore the fix for the “XSS Attack” is working for me (I use Thunderbird), but I know someone else who uses OUTLOOK for whom it’s still broken.

    Without seeing what that mailserver is sending the website no-one can really help you – so post the full email (from WordPress).

    If you don’t know how, here is how to do it.

    1. Download the file get_mail.php

    2. On line 36 is the code that handles the XSS attack

    Notice the line

    echo "possible XSS attack - ignoring email\n";

    Change the code so it’s like this:

    echo "full email === \n\n" . $email . "\n\n";
    // check for XSS attacks - we disallow any javascript, meta, onload, or base64
    if(preg_match("@((%3C|<)/?script|<meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email)){
        echo "possible XSS attack - ignoring email\n";
        continue;
    }

    3. Re-upload the file.

    4. Send an email across to your site and ensure it won’t get handled automatically.

    5. Run Postie Manually

    6. Post the whole response in the forum if you are asking for help. This comes from the first echo statement, e.g.

    echo "full email === \n\n" . $email . "\n\n";

    Remember without seeing what Postie is seeing no-one can help you.

    The only way to do that is not by sending emails from mail server to mail server before forwarding them to someone, as each server is different and will add its own headers and other guff.

    This is why I suspect some mail clients are still erroring whilst mine (Thunderbird) and others are working.

    If you can run PHP on your local machine (WAMPServer etc) you could create your own test script.

    Once you have the email contents you can put it in a test script like so:

    <?php
    // Swap the comment markers between these two lines to test each case:
    // the first should trigger the check, the second shouldn't.
    //$email = "safe bit eval('run'); safe bit";
    $email = "nothing to error here";

    // run test
    if(preg_match("@((%3C|<)/?script|<meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email)){
        echo "possible XSS attack - ignoring email";
    }else{
        echo "no XSS attack";
    }

    Toggle the comments on the top two $email = "[html]"; lines on/off to see what response you get.

    Your email might have Javascript in it, META tags, or something else that fires the RegEx, but without seeing what Postie sees for your OWN mailclient/server neither I nor anyone else can help much.

    Thanks

    Rob

    http://wordpress.org/extend/plugins/postie/

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Wayne Allen

    (@wayneallen-1)

    FYI – I am redoing the XSS logic for the next version.

    Thread Starter strictly-software

    (@strictly-software)

    I will be interested to know what the problem has been as the fix has worked successfully for me.

    Maybe you could have an option in the admin area that allows people to turn XSS detection on/off, so that if they know the emails are coming from a secure source or will be containing full HTML (META tags, JavaScript etc) then they won’t suffer from false positives.

    Seeing that every mail server is different, and without seeing the full content of the emails of everyone complaining of the error, it is hard to fix the bug for everyone unless you make the regular expressions really tight and use up more memory, or give the user the ability to turn them off completely.

    It’s just an idea.

    Plugin Author Wayne Allen

    (@wayneallen-1)

    I will be moving away from regex and using a parser to inspect the html. I am also looking at adding a setting like you describe.

    Thread Starter strictly-software

    (@strictly-software)

    Yes I think an option would be a good idea for those people who want a quick way of solving the issue.

    However, I would still be interested to know what sort of posts people are passing in their emails that are causing the regular expression to break, as it works fine for me and for every test case I did it on.

    I can only think certain mail clients are either adding extra content or people are actually passing HTML with META tags or SCRIPT tags and code in the email.

    If you do find out I would be interested to know so I can see what was up with the regular expression.

    Thanks

    Plugin Author Wayne Allen

    (@wayneallen-1)

    So far I’ve seen the “document.” get hit the most.

    Thread Starter strictly-software

    (@strictly-software)

    That might be due to certain mail headers that mention document.id in them, unless you have seen it inside actual HTML?

    If it was up to me I would split the email headers from the body and then only run XSS checks on the body part.

    Either that or only check for XSS vectors you actually know people have complained about. I don’t know the reason you put the test in there in the first place, but someone or yourself must have spotted XSS attacks by someone, so you could narrow the tests or build the regular expression up with radio button options, e.g. “test for eval(”, “test for document.”, and then only check for the tests the user has selected.

    Another option is to only allow emails from a whitelist of IP addresses or mail hosts to prevent people sending emails to your server from those not in the list.

    The problem with checking for words like eval or document is that you can easily just point variables to them and use those instead. The only real JS vector is Script, as without that you can’t run JS anyway.

    Anyway cheers for letting me know.
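    As an added example (not Postie's own code), this puts Rob's two suggestions together: the test-script approach from the first post, and running the check on the message body only so that header noise cannot trip it. The regex is the one quoted from get_mail.php above; the two raw messages and the helper names are constructed for the demo.

```php
<?php
// Added example, not code from Postie. Runs the thread's XSS regex over
// the body only, so header noise cannot trigger a false positive.
// The pattern is the one from get_mail.php quoted in the first post;
// the sample messages and function names are constructed for this demo.
const XSS_PATTERN = "@((%3C|<)/?script|<meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is";

// Split a raw message into headers and body at the first blank line
// (RFC 822 messages use CRLF, but tolerate bare LF as well).
function split_email(string $raw): array {
    $parts = preg_split('/\r?\n\r?\n/', $raw, 2);
    return [$parts[0], $parts[1] ?? ''];
}

// True when the text matches the plugin's XSS pattern.
function looks_like_xss(string $text): bool {
    return preg_match(XSS_PATTERN, $text) === 1;
}

// Constructed sample 1: a harmless plain-text mail whose Subject header
// contains "document." and so matches when the whole message is checked.
$benign = "From: alice@example.com\r\n"
        . "Subject: Please review document.docx\r\n"
        . "Content-Type: text/plain\r\n"
        . "\r\n"
        . "Hi, the draft is attached. Thanks!\r\n";

// Constructed sample 2: a script tag in the body, which must be caught
// whichever part of the message is inspected.
$malicious = "From: bob@example.com\r\n"
           . "Subject: hello\r\n"
           . "\r\n"
           . "<p>hi</p><script>test</script>\r\n";

foreach (['benign' => $benign, 'malicious' => $malicious] as $name => $raw) {
    [$headers, $body] = split_email($raw);
    printf("%-9s whole email: %-8s body only: %s\n",
        $name,
        looks_like_xss($raw)  ? 'FLAGGED' : 'ok',
        looks_like_xss($body) ? 'FLAGGED' : 'ok');
}
```

    Paste the raw email captured by the first echo statement in place of one of the constructed samples to see which part of your own message is firing the check.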

    Plugin Author Wayne Allen

    (@wayneallen-1)

    We’re thinking along the same lines.

    Thread Starter strictly-software

    (@strictly-software)

    LOL okay cool, I will shut my mouth – it’s your plugin!

    Wayne & Rob, thanks for putting attention to this. This is a great plugin but the XSS is stopping it from working as intended. I tried with the latest postie... the XSS is giving a warning, yet the posts are all with “tmpPost” — is this intentional to not post anything for now?

    thx guys

    Thread Starter strictly-software

    (@strictly-software)

    Well, just for now read the posts and comment out the line that does the test, which is explained either in this post or another one about XSS attacks.
    Then just wait until the plugin author writes a new version.
    It obviously works for some mail clients like Thunderbird but not others, so just comment out the code and you will be fine, but you won’t be doing any XSS tests.

    Thanks

    Thread Starter strictly-software

    (@strictly-software)

    Sorry Wayne! That wasn’t really keeping my mouth shut.

  • The topic ‘XSS Attack – How to Fix’ is closed to new replies.