I am having the same problem it seems to be a regular expression that fixes XSS attacks which is on line 38 of postie_getmail.php
if (preg_match("/.*(script|onload|meta|base64).*/is", $email)) {
echo "possible XSS attack - ignoring email\n";
continue;
}
I tested this by echoing out the full email when running the “Check for mail manually” option in the config area and outputting the full email before the regex test.
As the email is base64 encoded (well mine is anyway) the full headers are shown at the top of the encoded email e.g
Return-Path:
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from smtp-relay-2.myrelay (smtp-relay-2.myrelay [111.11.3.197])
by domain-name.com (Postfix) with ESMTP id 8497724009C
for ; Mon, 22 Oct 2012 05:49:32 +0000 (UTC)
Received: from xxxxxxx (unknown [11.1.1.1])
by smtp-relay-2.myrelay (Postfix) with ESMTP id 9E3B495733
for ; Mon, 22 Oct 2012 06:45:30 +0100 (BST)
MIME-Version: 1.0
From: [email protected]
To: [email protected]
Date: 22 Oct 2012 06:46:28 +0100
Subject: Subject: [My Subject Category1] [My Subject Category2] Title of Email
October 2012
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
Message-Id: <[email protected]>
PHA+PHN0cm9uZz5ZZXN0ZXJkYXlzIG1lbWJlcnMgaGFkIGFjY2VzcyB0byA0NSB0aXBzIGFj
cm9zcyA4IGRpZmZlcmVudCBzeXN0ZW1zLjwvc3Ryb25nPjwvcD48cD5JZiB5b3UgaGFkIHBs
YWNlZCBhIEJldGZhaXIgbWluaW11bSBiZXQgb2YgJnBvdW5kOzIuMDAgb24gZWFjaCBiZXQg
PHN0cm9uZz5vbiBFVkVSWSBzeXN0ZW08L3N0cm9uZz4gKExheXMsIFBsYWNlIERvdWJsZXMs
IFdpbnMgZXRjKSB0aGF0IGhhZCBhbiBTUCBsZXNzIHRoYW4gMTkvMSBhdCB0aGUgdGltZSBJ
(I've just shown a bit of the message base64 encoded)
As you can see if you do a search for one of the strings he is searching for base64 as a word not in a script context e.g base64("PHA+PHN0cm9");
Therefore just doing a basic string search for these words
(script|onload|meta|base64)
Will mean you will find it in the header e.g
Content-Transfer-Encoding: base64
You will also fail over for XSS hacks that don’t exist if you mention the word script, onload or meta in your email which is highly possible.
Therefore the email will fail the test even though there is no XSS attack.
You can either remove the word from the regex (or the whole test) or to keep an XSS test that is more valid and uses a more complicated regular expression which I have done you can replace the code with the code below.
Not only does this mean that it won’t fail over when the words are mentioned in headers but it actually looks for the correct usage of the hack and not just the word appearing e.g instead of looking for “script” it will look for <script %3Cscript </script %3Cscript (URL encoded versions which are common XSS hacks)
I have also added some more known attack vectors such as eval( document. .createElement and .cookie but as you can see I have all prefixed or suffixed them with a bracket or dot which is how they would be used in JavaScript/PHP.
if(preg_match("@((%3C|<)/?script|meta|document\.|\.cookie|\.createElement|onload\s*=|(eval|base64)\()@is",$email))
This also tests for <script or <meta and onload= or onload = and base64( as its a function it must start with a bracket (.
This has solved the problem for me and kept in the XSS attack defence however if you are passing HTML emails containing Javascript to your site just beware that if you use any of these functions they might be flagged up.
I have tested each attack vector but let me know of any problems with the regular expression – it doesn’t need the .* before or after as that will just use up more memory as its looking for any character that may or may not be there (the longer the code – the more memory used)
Also if you are having issues with categories being supplied in the subject line and not appearing then read my article on fixing that >> https://blog.strictly-software.com/2012/03/fixing-postie-plugin-for-wordpress-to.html
