[Plugin: Postie] All Emails Being Treated As Possible XSS Attacks & Blocked

  • Resolved tempestamedia

    (@tempestamedia)


    12 years, 3 months ago

    Hi All,

    I just installed Postie on my new WordPress website. It was a standard installation, with no special customizations.

    I was able to successfully run a config. test. I then sent several emails from 4 different email accounts (on 2 different email systems) to my Postie email address.

    All of them have been flagged “memory at start of e-mail processing:31648640
    possible XSS attack – ignoring email”

    What’s going on here? All 4 of these email addresses were added as approved posters. All were configured to have all HTML and signatures removed.

    I then logged into the actual email account, being used for Postie. All emails were sitting there and open able, so I know it is not a mail host (origination or destination) issue.

    My guess is that the latest release of Postie is somehow accidentally triggering all these false alarms. The problem is that it is doing it for every email address. I even tried turning off the “Allow anyone to post” option (setting to yes). That still didn’t fix the issue.

    Does anyone have any suggestions on what to do here? I’m at a complete loss.

    Thanks!

    https://www.ads-software.com/extend/plugins/postie/

Viewing 13 replies - 31 through 43 (of 43 total)
  • Gethin Coles

    (@gcediblemediacomau)

    removed that xss code, and now get
    Invalid sender: ! Not adding email!
    A copy of the message has been forwarded to the administrator.
    Ignoring email – not authorized.
    memory at end of e-mail processing:29819520

    despite the sender being listed AND also the admin

    ho hum

    Thank you mathew.weaver; doing explicitly what you suggested worked for me.

    The new anti-xss code will also prevent messages with any of the following words within them from being processed:
    description
    subscription
    scripture
    metabolism
    metallic
    metadata
    as well as over 700 more.

    So forget about telling someone to “manage their subscription” or mention biblical scripture in a message you want Postie to publish to your website.

    I’m reverting to 1.4.3.

    @robfelty – if you want to implement this type of functionality, it *really* needs to have a front-end option for us to disable it.

    I just played around a bit. I’m using apple mail app, so that might have something to do with it.

    While I removed both “base64” and “meta” it started working for me.

    A security risk, but I’ve had any problems so far. And if I do, I’ll address it then.

    Thanks for the help of the community

    What users should understand is that this is only a security risk *if* none of the existing options to prevent unauthorized content are used. You should be using a unique email address for the target address, and a specific authorized sender email address, or allowed SMTP servers or any of the other methods to ensure validity of the content before posting. If you’re already doing that, then this “feature” will only introduce problems for legitimate messages – such as blacklisting common terms in the content or attachments.

    I pulled lines 36-40 (commented them out with “//”) and I was able to make posts again.

    I also ended up commenting out antiXSS check code, mainly because i trust my sender authorization settings. But reason why antiXSS check causes problem is that it checks for usage of “meta” and “base64”, both of which are frequently used for legit reasons. I hope plugin author finds some better way for handling antiXSS check.

    I’ve only installed postie today and although it’s showing emailed post titles ok, neither images nor text are being displayed.

    My geekiness has its limits – I can’t understand why emailing to WP is so hard when it was one of the few things Blogger did properly.

    I ended up deleting and reinstalling the previous version 1.4.3 and now all works just fine. Seeking input from @http://profiles.www.ads-software.com/robfelty/ to address the XSS errors issue that comes with the latest version.

    As a power user/blogger, trying to move stories from Google reader, via IFTTT to Postie and to my blog, I would be excited to hear that he’s decided to monetize his project with a pro level at a Buffer type price (Awesome is $10/mo).

    What say you Mr Felty?

    I commented out the code. It’s completely frivolous for me. All posts come in through a single-source email address tied to multiple broadcast only listservs (meaning I control the messaging at all levels). The risk of an XSS attack, at least for me, is essentially zero.

    Commenting out did restore functionality.

    Plugin Author Wayne Allen

    (@wayneallen-1)

    1.4.5 has fixed this XSS issue

    I just installed Postie for the first time and have been struggling with this issue. It is v1.4.5, so it is NOT fixed.

    Plugin Author Wayne Allen

    (@wayneallen-1)

    1.4.5 did fix some XSS issues, but clearly not all. 1.4.6 will be doing this differently.

Viewing 13 replies - 31 through 43 (of 43 total)
  • The topic ‘[Plugin: Postie] All Emails Being Treated As Possible XSS Attacks & Blocked’ is closed to new replies.