WordPress.org

Support

Support » Plugins and Hacks » Postie » [Resolved] [Plugin: Postie] Deletes Email but doesn't post

[Resolved] [Plugin: Postie] Deletes Email but doesn't post

  • I installed postie yesterday and was able to post twice via email. Today when I try, postie goes in and deletes the email but does not post the content. I haven’t changed anything. Anyone else having this problem or know how to fix it? Using WordPress 3.4.1 and the latest postie version.

    http://wordpress.org/extend/plugins/postie/

Viewing 15 replies - 1 through 15 (of 20 total)
  • I am having the same issue but only with certain users. Anyone have any insight on this?!

    I am having the same problem it seems to be a regular expression that fixes XSS attacks which is on line 38 of postie_getmail.php

    if (preg_match("/.*(script|onload|meta|base64).*/is", $email)) {
          echo "possible XSS attack - ignoring email\n";
          continue;
     }

    I tested this by echoing out the full email when running the “Check for mail manually” option in the config area and outputting the full email before the regex test.

    As the email is base64 encoded (well mine is anyway) the full headers are shown at the top of the encoded email e.g

    Return-Path:
    X-Original-To: xx12autopost230.sitename@domain-name.com
    Delivered-To: xx12autopost230.sitename@domain-name.com
    Received: from smtp-relay-2.myrelay (smtp-relay-2.myrelay [111.11.3.197])
    	by domain-name.com (Postfix) with ESMTP id 8497724009C
    	for ; Mon, 22 Oct 2012 05:49:32 +0000 (UTC)
    Received: from xxxxxxx (unknown [11.1.1.1])
    	by smtp-relay-2.myrelay (Postfix) with ESMTP id 9E3B495733
    	for ; Mon, 22 Oct 2012 06:45:30 +0100 (BST)
    MIME-Version: 1.0
    From: admin@sitename.com
    To: xx12autopost230.sitename@domain-name.com
    Date: 22 Oct 2012 06:46:28 +0100
    Subject: Subject: [My Subject Category1] [My Subject Category2] Title of Email
     October 2012
    Content-Type: text/html; charset=utf-8
    Content-Transfer-Encoding: base64
    Message-Id: <20121022054530.9E3B495733@smtp-relay-2.myrelay>
    
    PHA+PHN0cm9uZz5ZZXN0ZXJkYXlzIG1lbWJlcnMgaGFkIGFjY2VzcyB0byA0NSB0aXBzIGFj
    cm9zcyA4IGRpZmZlcmVudCBzeXN0ZW1zLjwvc3Ryb25nPjwvcD48cD5JZiB5b3UgaGFkIHBs
    YWNlZCBhIEJldGZhaXIgbWluaW11bSBiZXQgb2YgJnBvdW5kOzIuMDAgb24gZWFjaCBiZXQg
    PHN0cm9uZz5vbiBFVkVSWSBzeXN0ZW08L3N0cm9uZz4gKExheXMsIFBsYWNlIERvdWJsZXMs
    IFdpbnMgZXRjKSB0aGF0IGhhZCBhbiBTUCBsZXNzIHRoYW4gMTkvMSBhdCB0aGUgdGltZSBJ
    
    (I've just shown a bit of the message base64 encoded)

    As you can see if you do a search for one of the strings he is searching for base64 as a word not in a script context e.g base64("PHA+PHN0cm9");

    Therefore just doing a basic string search for these words

    (script|onload|meta|base64)

    Will mean you will find it in the header e.g

    Content-Transfer-Encoding: base64

    You will also fail over for XSS hacks that don’t exist if you mention the word script, onload or meta in your email which is highly possible.

    Therefore the email will fail the test even though there is no XSS attack.

    You can either remove the word from the regex (or the whole test) or to keep an XSS test that is more valid and uses a more complicated regular expression which I have done you can replace the code with the code below.

    Not only does this mean that it won’t fail over when the words are mentioned in headers but it actually looks for the correct usage of the hack and not just the word appearing e.g instead of looking for “script” it will look for <script %3Cscript </script %3Cscript (URL encoded versions which are common XSS hacks)

    I have also added some more known attack vectors such as eval( document. .createElement and .cookie but as you can see I have all prefixed or suffixed them with a bracket or dot which is how they would be used in JavaScript/PHP.

    if(preg_match("@((%3C|<)/?script|meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email))

    This also tests for <script or <meta and onload= or onload = and base64( as its a function it must start with a bracket (.

    This has solved the problem for me and kept in the XSS attack defence however if you are passing HTML emails containing Javascript to your site just beware that if you use any of these functions they might be flagged up.

    I have tested each attack vector but let me know of any problems with the regular expression – it doesn’t need the .* before or after as that will just use up more memory as its looking for any character that may or may not be there (the longer the code – the more memory used)

    Also if you are having issues with categories being supplied in the subject line and not appearing then read my article on fixing that >> http://blog.strictly-software.com/2012/03/fixing-postie-plugin-for-wordpress-to.html

    Sorry that regular expression is missing an angled bracket for the META part.

    if(preg_match("@((%3C|<)/?script|<meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email))
          echo "possible XSS attack - ignoring email\n";
          continue;
    }

    I have put an article up about it > http://blog.strictly-software.com/2012/10/fixing-postie-wordpress-plugin-for-xss.html

    By the way as someone spotted on my blog there is a missing } on the first line so it should be this

    if(preg_match("@((%3C|<)/?script|<meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email)){
    	echo "possible XSS attack - ignoring email\n";
    	continue;
    }

    Strictly Software,

    I removed 1.4.4 and reinstalled 1.4.3. But nothing work. 1.4.3 is posting with blank content. 1.4.3 used to work with older WordPress version, but not any longer with current.

    I’ve had a bad experience with 1.4.4 and I’m afraid to upgrade again.

    My question– should I give it a try and upgrade 1.4.4 one more time? or do you have suggestion how I can fix 1.4.3?

    I still have emails sitting in our Inbox that I want to post on our WordPress.

    FYI — I’m no programmer (well, I used to major programming using mainframe — so this is programming).

    Have you tried the fix I provided.

    Plugin Author Wayne Allen

    @wayneallen-1

    1.4.5 includes fixes to the false XSS detection.

    Strictly Software

    @strictly-software

    Do you mean it includes a different fix to the fix that was previously there and didn’t work?
    Does it handle headers in the email and other false positives as the regular expression I provided tries to do?

    Thanks

    Plugin Author Wayne Allen

    @wayneallen-1

    It is using your regex.

    DaveofDC

    @daveofdc

    Wow, glad we have new maintainer, I’m looking forward to give this a try (don’t know why I didn’t get any notice of upgrade plugin). Just been reading all support questions — I’ll wait a day or two before downloading in case a quick fix to 1.4.5.

    One question — will this plugin remove header and footer our organization sent out email blast? I tried using the :start and :end — but it never work. I may not understand what I’m suppose to do.

    In past, I have to open each post and remove both header and footer. I just want to keep the subject and content of email.

    Thanks and am looking forward working with you (and all others). This is long overdue and will provide you feedback and/or suggestions for future enhancements if you like.

    Dave

    Plugin Author Wayne Allen

    @wayneallen-1

    It would be great if you could send a sample email to postie-test@devzing.com so I could better see what is happening.

    DaveofDC

    @daveofdc

    Wayne I sent you two emails over the weekend.

    Plugin Author Wayne Allen

    @wayneallen-1

    Thanks, I did get them. By chance does the same problem happen if you forward a copy to your install vs. receiving the original unforwarded email?

    DaveofDC

    @daveofdc

    It worked — however, our group did an email blast this morning and it didn’t show up for me to post.

    I do not know if the problem is coming our email provider or not.

    Plugin Author Wayne Allen

    @wayneallen-1

    Is it possible to get postie-test@devzing.com added to the distribution list. I’ve love to see them as received.

    Also I’ve noticed that at least for gmail I can choose to not delete emails and Postie will not reprocess them. Might be worth a quick test on your mail server. That way you can be certain what arrived.

    I am planning to add a bunch more logging to Postie so you can see what is happening when things go wrong.

    Wayne

Viewing 15 replies - 1 through 15 (of 20 total)
  • The topic ‘[Resolved] [Plugin: Postie] Deletes Email but doesn't post’ is closed to new replies.
Skip to toolbar