
[Resolved] [Plugin: Postie] All Emails Being Treated As Possible XSS Attacks & Blocked

    Hi All,

    I just installed Postie on my new WordPress website. It was a standard installation, with no special customizations.

    I was able to successfully run a config test. I then sent several emails from 4 different email accounts (on 2 different email systems) to my Postie email address.

    All of them have been flagged “memory at start of e-mail processing:31648640
    possible XSS attack – ignoring email”

    What’s going on here? All 4 of these email addresses were added as approved posters. All were configured to have all HTML and signatures removed.

    I then logged into the actual email account being used for Postie. All emails were sitting there and openable, so I know it is not a mail host (origination or destination) issue.

    My guess is that the latest release of Postie is somehow accidentally triggering all these false alarms. The problem is that it is doing it for every email address. I even tried turning off the “Allow anyone to post” option (setting to yes). That still didn’t fix the issue.

    Does anyone have any suggestions on what to do here? I’m at a complete loss.

    Thanks!

    http://wordpress.org/extend/plugins/postie/

Viewing 15 replies - 1 through 15 (of 43 total)
  • Gethin Coles

    @gcediblemediacomau

    Me too (although for me I get this message if I set “delete mail after posting” to no. If it’s set to yes it doesn’t see any mail at all).

    I’m having the exact same problem, worked for me previously.

    Yes, same thing! Any fixes welcome.
    Simply get “possible XSS attack – ignoring email”

    I started getting the error too after latest upgrade to Version 1.4.4.

    EMAIL SUBJECT: Unauthorized Post Attempt from Root User <root@localhost>

    If you wish to allow posts from this address, please add Root User <root@localhost> to the registered users list and manually add the content of the e-mail found below.

    Otherwise, the e-mail has already been deleted from the server and you can ignore this message

    Hey!

    Maybe I’ve found a workaround for the XSS problem:

    I had exactly the same problem since the last update of postie…

    What works for me:

    I’ve simply changed the mail server to POP3 instead of IMAP just to test it (I use Googlemail, which supports both) and now everything works fine!

    So, maybe you can try this as a workaround too, if your mail server is running POP3…

    kind regards from Austria

    @mwaldegg

    Thanks for your help. Unfortunately this didn’t work for me. I had tried that already though. I too am on gmail, but it’s a google apps email, so not sure if it makes any difference. Are you using pop3 ssl?

    However, I have noticed that the error only happens when I am attaching an image file. Did a few tests, came up with the following

    JPG: “possible XSS attack – ignoring email”
    GIF: “possible XSS attack – ignoring email”
    PDF: works fine
    DOC: took ages with a 500kb doc, but added as attachment ok.

    Any ideas? Thank you 🙂

    Hey

    I’m using a Google Apps address too! And yes, via POP3 SSL!

    My tests came up with the same result as yours. Mails without images worked fine. However, some JPGs never worked, and some others sometimes worked and sometimes not.

    With pop3 ssl I’ve tested about 50 mails with a lot of different images and all worked without problems.

    @mwaldegg
    Just to be clear-

    some jpgs worked never

    and

    all worked without problems

    Which one?

    I’ve just downloaded the previous version 1.4.3, and my first gif attachment worked fine.

    Hey,

    When I use POP3 SSL (Gmail) all mails with all images work fine.

    With IMAP SSL (Gmail) some mails with an attached JPG never worked, and other JPGs sometimes worked without the XSS error, and the next time I tried the same mail with the same image they didn’t work.

    1.4.3 should work, because the problematic “feature” with prevention of XSS attacks was implemented in the newest version.

    I’m having same problem — I’m now using 1.4.4.

    I’m getting the XSS error message. I can’t get anything posted on WordPress.

    First, change the Postie setting “Delete email after posting” to NO. It defaults to yes — the email will not be posted and will disappear. It’s good to keep the email in case a solution is found with this latest plugin.

    My host does support IMAP, I don’t have the option to change from POP3. Am I missing something here?

    I hope the Postie author will come out with a solution ASAP.

    Same here!
    Was running like a charm until a few days ago.
    Now getting this error message: “possible XSS attack – ignoring email”
    I am glad to know that I am not the only person struggling with this and hope that the issue will be resolved soon.
    Karl

    I did not find a solution but am able to use the old version (1.4.3) on this page without problems: http://wordpress.org/extend/plugins/postie/developers/

    It appears that the recent (v1.4.4) XSS attack fix is a little aggressive and blocks all base64 attachments. Many email client applications encode attachments as base64, and Postie v1.4.4 is now blocking base64 attachments.

    Here is the fix:

    – Open ./wp-content/plugins/postie/get_mail.php
    – Go to line 36, you will see

    // check for XSS attacks - we disallow any javascript, meta, onload, or base64
    if (preg_match("/.*(script|onload|meta|base64).*/is", $email)) {
      echo "possible XSS attack - ignoring email\n";
      continue;
    }

    – On line 37, remove “|base64” so it looks like this:

    // check for XSS attacks - we disallow any javascript, meta, onload, or base64
    if (preg_match("/.*(script|onload|meta).*/is", $email)) {
      echo "possible XSS attack - ignoring email\n";
      continue;
    }

    – Save the file (make sure to upload the change if you are modifying the file on your local machine)

    With that fix, the attachments come through as expected.

    I’m removing this from my plugin copy because it is finding 2 matches:
    1. The majority of the email headers (just in one huge block so this regex is invalid from what I can tell)
    2. Meta, but it isn’t anywhere in the email.

    I don’t see how I would have to worry about xss if only my blog authors and contributors can use Postie.

    I recommend you put an option on the first menu to disable this “security feature.” I don’t want to have to edit the plugin every time it gets updated (with features that might actually add security, xss is really the least of my worries), since I am working on a project for another company and don’t want to have to deal with minor issues like this.

    Thanks, the plugin has worked great sans this minor issue.

    If the author wants I’ll make the option and send him the code since I’m special requesting it.
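The two false positives reported in this thread (the regex hitting the `Content-Transfer-Encoding: base64` header of any attachment, and a bare `meta` hitting ordinary words such as “metadata”) reproduced as an added Python illustration; this is not Postie’s own code. The sample messages are constructed, and the narrower body-only check is an assumption about how such a filter could be scoped, not something the thread proposes.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Optional

# The check quoted from Postie 1.4.4's get_mail.php, and the thread's hot-fix
# with "|base64" removed. The plugin runs it over the whole raw message text.
POSTIE_144 = re.compile(r".*(script|onload|meta|base64).*", re.I | re.S)
HOTFIX = re.compile(r".*(script|onload|meta).*", re.I | re.S)
# Illustrative narrower check (an assumption, not Postie's code): only decoded
# text/* bodies are inspected, so MIME headers and attachment payloads never match.
HTML_RISK = re.compile(r"<script\b|<meta\b|\bon[a-z]+\s*=", re.I)

def _new_post(subject: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "author@example.com"  # constructed addresses
    msg["To"] = "postie@example.com"
    msg["Subject"] = subject
    return msg

def build_photo_mail() -> bytes:
    """Constructed sample: plain-text post with a small fake JPEG attachment."""
    msg = _new_post("Holiday photo")
    msg.set_content("Posting from my phone.")
    msg.add_attachment(b"\xff\xd8\xff\xe0 constructed jpeg bytes",
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()

def build_html_mail(html: str) -> bytes:
    """Constructed sample: text + HTML post whose HTML body is given by the caller."""
    msg = _new_post("Post")
    msg.set_content("plain fallback")
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()

def flagged_word(pattern: re.Pattern, raw: bytes) -> Optional[str]:
    """Mimic the plugin: regex over the raw RFC 5322 text; return the word that hit."""
    m = pattern.match(raw.decode("ascii", "replace"))
    return m.group(1).lower() if m else None

def body_is_risky(raw: bytes) -> bool:
    """Parse the MIME tree and look for risky markup in decoded text parts only."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return any(part.get_content_maintype() == "text"
               and HTML_RISK.search(part.get_content()) is not None
               for part in msg.walk())
```

Run `flagged_word(POSTIE_144, build_photo_mail())` to see the attachment header trip the 1.4.4 check while `body_is_risky` stays false for the same message.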
