[Plugin: Postie] All Emails Being Treated As Possible XSS Attacks & Blocked

  • Resolved tempestamedia

    (@tempestamedia)


    Hi All,

    I just installed Postie on my new WordPress website. It was a standard installation, with no special customizations.

    I was able to successfully run a config. test. I then sent several emails from 4 different email accounts (on 2 different email systems) to my Postie email address.

    All of them have been flagged “memory at start of e-mail processing:31648640
    possible XSS attack – ignoring email”

    What’s going on here? All 4 of these email addresses were added as approved posters. All were configured to have all HTML and signatures removed.

    I then logged into the actual email account being used for Postie. All emails were sitting there and openable, so I know it is not a mail host (origination or destination) issue.

    My guess is that the latest release of Postie is somehow accidentally triggering all these false alarms. The problem is that it is doing it for every email address. I even tried turning off the “Allow anyone to post” option (setting to yes). That still didn’t fix the issue.

    Does anyone have any suggestions on what to do here? I’m at a complete loss.

    Thanks!

    http://wordpress.org/extend/plugins/postie/

Viewing 15 replies - 16 through 30 (of 43 total)
  • Gethin Coles

    (@gcediblemediacomau)


    I agree joel, if you’re posting to a unique email address and only verified people can post, isn’t this security enough? And if the email address does get hacked, isn’t there flood protection? And a simple change of email address should set it straight.

    I removed “|base64” per mathew.weaver in Postie 1.4.4. I still get the error message. However, after some testing, here is what I got. The test email I sent to my WordPress did show up in my WordPress fine. When I sent my eNewsletter (I use one of the email services), I was unable to get Postie to load it into my WordPress. The eNewsletter was still in our group mailbox.

    I removed 1.4.4 and loaded 1.4.3; nothing came out of this, it didn’t work as it should. Another eNewsletter was sent out this morning, and I ended up getting at least 9 posts on WordPress. In further checking, all 9 posts were blank, but I could see a “box borderline” with no message. When I opened the Post using the editor, I was not seeing anything in the body. When I clicked “Source”, I discovered our eNewsletter header coding but no body content.

    I immediately deactivated Postie (I could have changed the setting to “Delete email after posting”; see my previous email). I think this is still a problem I had when using the earlier Postie 1.4.2. Postie 1.4.2 was working fine until I upgraded to WordPress 3.4.0 (or maybe one version earlier, I can’t remember).

    I believe it has something to do with Postie not being able to handle the header in the eNewsletter. When WordPress 2.x and Postie 1.4.2 were working, I was able to remove the header and publish the content. I also removed the footer.

    I think the problem lies between WordPress 3.4.X and Postie 1.4.2 and later versions; I read somewhere that WordPress rewrote its core, so the conflicts started there.

    I’m frustrated. And I’m sure many others are too. I’m sorry to say, I think WordPress management needs better control of how plug-ins are posted, and if there are problems within a few days, management needs to either contact the author or remove the plug-in.

    I forgot to mention in my previous email: Postie is a one-of-a-kind plug-in. I have been searching for a new plug-in. I found one, but it requires me to load into WordPress each time an eNewsletter is sent out. I don’t have time to do that. And that plugin is no longer supported or available; the company that created it is gone.

    It is my hope there would be a paid version which allows more features and ongoing upgrades. I believe Postie is one of the best (and still the only one). I hope the author would do two versions: basic Postie for free and Advanced Postie for a fee.

    I modified ./wp-content/plugins/postie/get_mail.php as recommended by mathew.weaver and it allowed the emails to get processed, but now it’s not taking my attached images and inserting them in the post like it used to.
    Any ideas?

    Hmmm… Same for me. Only TEXT mails work fine.
    I have installed version 1.4.4.
    POP3 SSL isn’t working either.

    Any news from someone to this?

    Regards,
    Knut

    Like many others, I’m having this same problem. I’ve got Postie set as POP3, port 110, and to not delete emails. The test emails I’m sending are from my Gmail account, which is set as an approved email address. Also, the test emails include no images or attachments — text only. 100% are being ignored as possible threats. Very frustrating for such a potentially great plugin.

    I am also having this problem, however I am using a slightly different setup to most. I am publishing from a Gapps email address. When I manually send an email to this account, it gets posted without any problems. However I am also sending emails to this account from a Google Docs spreadsheet using a Google Script (I’m using the spreadsheet to automatically generate the html code that I want to get posted). Any emails sent from the spreadsheet get flagged as possible XSS attacks (and I have added the Gapps account to the approved ‘users’ in Postie).

    If you create a USER with the email that you plan to use, you won’t get that error message again.

    It appears to be a security feature that will prevent illegal emails from being posted. Every email that you want to have post via Postie must have a user account.

    Make sure you set your Author, Editor, etc. status in the settings.

    @joyfulart,

    Then what’s the point of the “Authorized Addresses” section? That section is different from the user, per the description: “Posts from emails in this list will be treated as if they came from the admin. If you would prefer to have users post under their own name – create a WordPress user with the correct access level.”

    This differentiates “authorized users” (addresses who post as the admin) from regular users (addresses who post as themselves).

    That was my thought too – but that’s how I solved the problem. The User settings override the email addresses added in that field.

    Same problem for me. Sure hope there will be an update soon.

    Is it possible to install an older version?

    Hi ncvjensen, you can get the old version (1.4.3) on this page: http://wordpress.org/extend/plugins/postie/developers/

    That worked for me to fix this new issue, but I suppose I am vulnerable to attacks. I manually edit and publish user-submitted posts prior to publishing them, so I guess I’m safe, as I would be able to catch hidden HTML in a post before it’s published, but be careful.

    I ended up just pulling the entire section of code because, like others, I could not see what was in the plain text mails that was running afoul of the new code. I tried @joyfulart‘s suggestion to check/add the user, to no avail. I made the change using the plugin editor within WP by commenting out the lines (// in front of each).

    Probably not the best solution and I’ll continue to follow this thread hoping someone figures it out.

    Here is the postie test log after I removed the XSS code… perhaps someone can comment on what part of “script|onload|meta|base64” this might be running afoul of…

    **********************
    memory at start of e-mail processing:29427464
    Confirming Access For usersname@att.net
    posting as user 2

    Message Id is :<002101cd80de$30b9a420$922cec60$@usersname@att.net>

    primary= multipart, secondary = alternative
    primary= text, secondary = plain

    Post Author: 2
    Date: 2012-08-22 21:20:04
    Category: 3
    Ping Status: open
    Comment Status: closed
    Subject: Where Do You Find?
    Postname: where-do-you-find
    Post Id: 567
    Posted content:

    (large blob here of plain text looking email)

    memory at end of e-mail processing:29512368
    **********************

    @dsmythe – What section of code did you pull/comment out?

    I pulled all of this:

    // check for XSS attacks - we disallow any javascript, meta, onload, or base64
    if (preg_match("/.*(script|onload|meta|base64).*/is", $email)) {
      echo "possible XSS attack - ignoring email\n";
      continue;
    }
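The following is an added example, not code from the thread or from Postie itself. It reproduces the quoted check in Python (rather than the plugin's PHP) and runs it over three constructed messages, on the assumption that `$email` in the quoted snippet is the raw message, headers included, which is consistent with the reports above that removing `|base64` made some mail go through. It also shows an illustrative narrower check that decodes each MIME part before looking for markup that can actually execute; that alternative is this example's own, not a fix shipped by Postie. The message builders, addresses and message bodies are constructed for the example.

```python
import base64
import quopri
import re
from email import message_from_string

# The check quoted above from Postie's get_mail.php, carried over into Python:
# a case-insensitive substring match over the whole raw message. Assumption for
# this example: the raw message includes its MIME headers.
POSTIE_XSS_PATTERN = re.compile(r".*(script|onload|meta|base64).*", re.IGNORECASE | re.DOTALL)


def postie_would_ignore(raw_message):
    """True if the quoted check would print 'possible XSS attack' and skip the mail."""
    return POSTIE_XSS_PATTERN.search(raw_message) is not None


def trigger_words(raw_message):
    """Which of the four trigger words occur anywhere in the raw message (lower-cased, deduplicated)."""
    found = re.findall(r"script|onload|meta|base64", raw_message, re.IGNORECASE)
    return sorted({w.lower() for w in found})


# Narrower, illustrative alternative (not Postie's code): decode every text part
# first, then look only for markup that can run or redirect when rendered.
ACTIVE_MARKUP = re.compile(
    r"<\s*script\b"                  # <script ...>
    r"|<[^>]*\son[a-z]+\s*="         # inline event handler inside a tag, e.g. <img onerror=...>
    r"|javascript\s*:"               # javascript: URLs
    r"|<\s*meta\b[^>]*http-equiv",   # <meta http-equiv="refresh" ...> redirects
    re.IGNORECASE,
)


def active_markup_in_parts(raw_message):
    """Parse the MIME structure, decode each text/* part, and return the suspicious fragments found."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        hits.extend(h.strip() for h in ACTIVE_MARKUP.findall(text))
    return hits


# --- constructed sample messages (hypothetical addresses and bodies) ---

def build_plain(text):
    """Constructed single-part text/plain message."""
    return (
        "From: poster@example.com\r\nTo: postie-inbox@example.com\r\n"
        "Subject: Weekly update\r\nMIME-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=utf-8\r\nContent-Transfer-Encoding: 7bit\r\n"
        f"\r\n{text}\r\n"
    )


def build_alternative(plain_text, html, html_encoding):
    """Constructed multipart/alternative message, as mail clients and newsletter services send it."""
    if html_encoding == "base64":
        html_body = base64.b64encode(html.encode("utf-8")).decode("ascii")
    else:  # quoted-printable, the other encoding commonly used for HTML parts
        html_body = quopri.encodestring(html.encode("utf-8")).decode("ascii")
    return (
        "From: poster@example.com\r\nTo: postie-inbox@example.com\r\n"
        "Subject: Weekly update\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Transfer-Encoding: 7bit\r\n"
        f"\r\n{plain_text}\r\n"
        f"--b1\r\nContent-Type: text/html; charset=utf-8\r\nContent-Transfer-Encoding: {html_encoding}\r\n"
        f"\r\n{html_body}\r\n--b1--\r\n"
    )


# Harmless mail, but the HTML part is base64-encoded, so the raw message says "base64".
BENIGN_NEWSLETTER = build_alternative(
    "Hello, here is this week's news.",
    '<html><head><meta charset="utf-8"></head><body><p>Hello, here is this week\'s news.</p></body></html>',
    "base64",
)
# Plain text only; the word "metadata" contains "meta".
PLAIN_TEXT_MAIL = build_plain("Please review the metadata on the new listings before Friday.")
# An inline event handler, sent quoted-printable: none of the four words appear in the raw message.
HTML_WITH_HANDLER = build_alternative("Hi", '<p>Hi</p><img src="x" onerror="alert(1)">', "quoted-printable")

if __name__ == "__main__":
    for name, raw in [("benign newsletter", BENIGN_NEWSLETTER), ("plain text", PLAIN_TEXT_MAIL),
                      ("onerror handler", HTML_WITH_HANDLER)]:
        print(f"{name}: postie ignores={postie_would_ignore(raw)} triggers={trigger_words(raw)} "
              f"decoded hits={active_markup_in_parts(raw)}")
```

Running it shows the two failure modes reported in this thread: the raw-message match rejects the harmless newsletter because of its `Content-Transfer-Encoding: base64` header and the plain-text mail because of an ordinary English word, while a quoted-printable HTML part carrying an `onerror` handler contains none of the four words and sails through. Checking decoded parts for executable markup catches the third case and lets the first two post.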
  • The topic ‘[Plugin: Postie] All Emails Being Treated As Possible XSS Attacks & Blocked’ is closed to new replies.