Saturday, August 18, 2012

WordPress Postie Plugin - blocking attachments
The WordPress Postie plugin is a great way to simplify posting to your blog. After installing and configuring the plugin, all you need to do is send an email and it will automatically post to the blog. Postie has many nice features.
The recently released v1.4.4 includes a fix to avoid XSS attacks. The fix appears to be a little too aggressive: it rejects any email containing the string "base64", which means every base64-encoded attachment. Many email clients encode attachments (PDFs, etc.) as base64, so Postie v1.4.4 now blocks those emails entirely.
Here is the fix:
- Open ./wp-content/plugins/postie/get_mail.php
- Go to line 36, where you will see:
// check for XSS attacks - we disallow any javascript, meta, onload, or base64
    if (preg_match("/.*(script|onload|meta|base64).*/is", $email)) {
      echo "possible XSS attack - ignoring email\n";
      continue;
    }
- On line 37, remove "|base64" from the pattern so it looks like this:
// check for XSS attacks - we disallow any javascript, meta, onload, or base64
    if (preg_match("/.*(script|onload|meta).*/is", $email)) {
      echo "possible XSS attack - ignoring email\n";
      continue;
    }
- Save the file (make sure to upload the change if you are modifying the file on your local machine)
With that fix, the attachments come through as expected.
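As an added illustration (not Postie's own code), the following shows what the two regexes above do to a constructed multipart message carrying a base64-encoded PDF, and compares them with a narrower check that scans only the decoded text parts. It assumes Postie's `$email` was the raw message including MIME headers; `decoded_check_blocks`, `build_mail` and the sample messages are assumptions of this example.

```python
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# The two checks from the page as Python regexes (Postie's are PCRE with /is).
POSTIE_144 = re.compile(r".*(script|onload|meta|base64).*", re.I | re.S)
POSTIE_FIXED = re.compile(r".*(script|onload|meta).*", re.I | re.S)
KEYWORDS = re.compile(r"script|onload|meta", re.I)


def build_mail(body_html, attach_pdf=False, charset=None):
    """Constructed sample post. A PDF attachment is base64-encoded by
    MIMEApplication, which adds 'Content-Transfer-Encoding: base64'."""
    msg = MIMEMultipart()
    msg["Subject"] = "New post"
    msg.attach(MIMEText(body_html, "html", charset))
    if attach_pdf:
        pdf = MIMEApplication(b"%PDF-1.4 constructed sample", _subtype="pdf")
        pdf.add_header("Content-Disposition", "attachment", filename="notes.pdf")
        msg.attach(pdf)
    return msg.as_string()


def raw_check_blocks(raw, pattern):
    """Postie 1.4.4 style: run the regex over the whole raw message."""
    return pattern.search(raw) is not None


def decoded_check_blocks(raw):
    """Narrower alternative (an assumption, not Postie code): inspect only the
    decoded text parts, so attachment headers never trigger the check while
    markup inside an encoded body is still seen."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_payload(decode=True).decode(
            part.get_content_charset() or "us-ascii", "replace")
        if KEYWORDS.search(text):
            return True
    return False


if __name__ == "__main__":
    pdf_post = build_mail("<p>Hello from my phone</p>", attach_pdf=True)
    print("1.4.4 blocks PDF post:", raw_check_blocks(pdf_post, POSTIE_144))    # True
    print("fixed blocks PDF post:", raw_check_blocks(pdf_post, POSTIE_FIXED))  # False
    print("decoded check blocks it:", decoded_check_blocks(pdf_post))         # False
```

A body sent with a utf-8 charset is itself base64-encoded by most clients, so the raw-string regex only sees encoded text there; the decoded-part check is what keeps inspecting such bodies once "|base64" is removed.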

2 comments:

  1. Did what you recommended - nothing changed.

    Removed complete XSS attacks section - works fine.

    Too dangerous?

    Klaus

  2. I completely removed the following:

    // check for XSS attacks - we disallow any javascript, meta, onload, or base64
    if (preg_match("/.*(script|onload|meta).*/is", $email)) {
      echo "possible XSS attack - ignoring email\n";
      continue;
    }

    ...and now I can send pictures to my blog :-)

    Can someone estimate the risk for XSS attacks to my blog?
