XSS Attack – How to Fix
Every mail client is different.
They all add different headers and no-one here knows what sort of content you are posting to the website if you don’t actually display it in the question/forum.
Therefore the fix for the “XSS Attack” is working for me and I use Thunderbird but I know someone else who uses OUTLOOK that it’s still broken for.
Without seeing what that mailserver is sending the website no-one can really help you – so post the full email (from WordPress).
If you don’t know then here is how to do it.
1. Download the file get_mail.php
2. On line 36 is the code that handles the XSS attack
Notice the line
echo "possible XSS attack - ignoring email\n";
Change the code so it’s like this
echo "full email === \n\n" . $email . "\n\n";
// check for XSS attacks - we disallow any javascript, meta, onload, or base64
if(preg_match("@((%3C|<)/?script|<meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email)){
    echo "possible XSS attack - ignoring email\n";
    continue;
}
3. Re-upload the file.
4. Send an email across to your site and ensure it won’t get handled automatically.
5. Run Postie Manually
6. Post the whole response in the forum if you are asking for help. This comes from the first echo statement, e.g.
echo "full email === \n\n" . $email . "\n\n";
Remember without seeing what Postie is seeing no-one can help you.
The only way to do that is not by sending emails from mail server to mail server before forwarding them to someone as each server is different and will add their own headers and other guff.
This is why I suspect some mail clients are still erroring whilst mine (Thunderbird) and others are working.
If you can run PHP on your local machine (WAMPServer etc) you could create your own test script.
Once you have the email contents you can put it in a test script like so
<?php
//$email = "safe bit eval('run'); safe bit"; // remove comments and add them to the line below - this should error, the 2nd one shouldn't
$email = "nothing to error here";

// run test
if(preg_match("@((%3C|<)/?script|<meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email)){
    echo "possible XSS attack - ignoring email";
}else{
    echo "no XSS attack";
}
Toggle the comments on the top two $email = "[html]"; on/off to see what response you get.
Your email might have Javascript in it, META tags, or something else that fires the RegEx but without seeing what Postie sees for your OWN mailclient/server I or anyone else cannot help much.
Thanks
Rob
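
To see which part of the pattern fired for a given message rather than only that it fired, the check can be split into its alternatives. This is an added example, not part of the original post or of Postie's code; the `explain_filter()` helper, the rule labels and the sample messages are constructed for illustration.

```php
<?php
// Added example, not Postie code: reports which alternative of the filter fired.
// The alternatives are copied from the preg_match() pattern quoted in the post.
$rules = [
    'script tag'      => '(%3C|<)/?script',
    'meta tag'        => '<meta',
    'document.'       => 'document\.',
    '.cookie'         => '\.cookie',
    '.createElement'  => '\.createElement',
    'onload='         => 'onload\s*=',
    'eval( / base64(' => '(eval|base64)\(',
];

// Hypothetical helper: returns one entry per rule that matches $email.
function explain_filter(string $email, array $rules): array
{
    $hits = [];
    foreach ($rules as $name => $alt) {
        // Same delimiter and flags (@...@is) as the original check.
        if (preg_match('@' . $alt . '@is', $email, $m, PREG_OFFSET_CAPTURE)) {
            [$text, $offset] = $m[0];
            // Keep some surrounding text so the header or body line is easy to find.
            $start = max(0, $offset - 20);
            $context = substr($email, $start, strlen($text) + 40);
            $hits[] = [
                'rule'    => $name,
                'offset'  => $offset,
                'context' => preg_replace('/\s+/', ' ', $context),
            ];
        }
    }
    return $hits;
}

// Constructed sample messages (not real captured emails).
$samples = [
    'plain text'        => "Subject: Hello\n\nnothing to error here",
    'HTML with META'    => "Subject: Hi\n\n<html><head><meta http-equiv=\"Content-Type\" content=\"text/html\"></head><body>Hi</body></html>",
    'innocent sentence' => "Subject: Report\n\nPlease read the attached document. Thanks",
];

foreach ($samples as $label => $email) {
    $hits = explain_filter($email, $rules);
    echo $label . ': ' . ($hits ? 'BLOCKED' : 'accepted') . "\n";
    foreach ($hits as $h) {
        echo "  rule [{$h['rule']}] at byte {$h['offset']}: ...{$h['context']}...\n";
    }
}
```

Replacing a sample with the "full email" output from step 6 shows which header or body fragment trips the filter for a particular mail client.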