• WordPress Plugin Postman SMTP Mailer/Email Log is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin Postman SMTP Mailer/Email Log version 1.7.2 is vulnerable; prior versions may also be affected.

    Edit the source code to ensure that input is properly sanitised or disable the plugin until a fix is available.

Viewing 15 replies - 1 through 15 (of 38 total)
  • Hi @umcms, thank you very much for your vulnerability report, I believe it has led to the removal of the plugin from the WordPress plugin directory, yesterday I think.

    I am a heavy user of this plugin. I should be removing it from my sites right away but in my case it is not that easy as I am using DMARC so I need to buy some time until I find a good alternative. Would you be so kind as to share how you have edited the code to ensure that input is properly sanitised?

    Here are the details of the vulnerability:

    https://www.pluginvulnerabilities.com/2017/06/29/reflected-cross-site-scripting-xss-vulnerability-in-postman-smtp/

    I believe the correct fix is to update line 346 of /postman-smtp/Postman/Postman-Email-Log/PostmanEmailLogController.php as follows:

    value="<?php echo htmlspecialchars($_REQUEST['page']) ?>" />

    htmlspecialchars() doesn’t escape anything.
    I haven't checked the code, but I would probably use wp_kses_post() instead.

    value="<?php echo esc_url($_REQUEST['page']) ?>" />

    I think this is a more proper solution here?

    If $_REQUEST['page'] is meant to be a URL, you're right.


    @steveb123 I completely agree with you, this is probably the best plugin of its kind. I am not quite sure what would be the best way to gain visibility for this issue among the community (of WP developers).

    Yesterday I was able to contact @jasonhendriks (the developer). I sent him an InMail (direct message) on LinkedIn. He said he would take a look. I sent him the links to the original vulnerability report and to this thread. I hope he reacts quickly and solves the situation but it would be wise to try to find a back-up plan.

    There are also other bugs that need to be fixed. I reported one myself (a high-priority one); @jasonhendriks confirmed it, but no action has been taken in months.

    I will try to raise awareness of the issue tomorrow in Slack (wordpress.slack.com).

    Rob (@robdobson)

    I really hope this plugin is fixed and added back to the repository. I have begun to install this on sites as a matter of course.

    Same here!

    Rob (@robdobson)

    Wordfence posted this article yesterday regarding the plugin.
    https://www.wordfence.com/blog/2017/10/postman-smtp-plugin-unpatched-vulnerability-removed-directory/

    They encourage removal even though it seems their firewall should protect you against such an attack. If you have Wordfence make sure the firewall is enabled. If you don’t have it, install it!

    It’s a minor issue and the chance an attacker can do something with this is small.

    I have uploaded a fixed version here:
    https://github.com/yehudah/Postman-SMTP

    If anyone wants to download it or submit issues, they are more than welcome.

    Thanks for this!

    @yehudah thank you so much, this one really looks like a proper fix.

    I can see you have modified the following files:
    • /Postman-Auth/PostmanGoogleAuthenticationManager.php
    • /Postman-Auth/PostmanMicrosoftAuthenticationManager.php
    • /Postman-Auth/PostmanYahooAuthenticationManager.php
    • /Postman-Email-Log/PostmanEmailLogController.php
    • /Postman-Email-Log/PostmanEmailLogService.php
    • /PostmanAjaxController.php
    • /PostmanUtils.php

    …using FILTER_SANITIZE_STRING and intval.

    It would be amazing if you could also fix this bug that could be causing so much trouble to so many people.

    I really appreciate you sharing your fix.
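An added example, not code from the Postman SMTP plugin, from the fork linked above, or from any poster in this thread, putting the three approaches discussed in the thread side by side: the raw echo of $_REQUEST['page'] into a hidden input's value attribute (the reflected XSS pattern), the htmlspecialchars()/esc_attr() output escaping proposed in the earlier replies, and the input filtering with FILTER_SANITIZE_STRING and intval used in the fork. The function names, the fallback slug 'postman' and the payload string are assumptions constructed for this example; the esc_attr() stand-in exists only so the file runs outside WordPress.

```php
<?php
// Added example; not the plugin's code and not the fork's code.
// Shows why the hidden field in the email-log page is reflected XSS and
// what each fix discussed in this thread does with the same input.
declare(strict_types=1);

// Constructed attacker-controlled value: closes the attribute and injects markup.
const PAYLOAD = '"><script>alert(1)</script><input value="';

// 1. The vulnerable pattern: request parameter written straight into an
//    HTML attribute. The payload above terminates value="..." and the rest
//    of the string is parsed as markup. Do not use.
function render_hidden_field_unescaped(string $page): string
{
    return '<input type="hidden" name="page" value="' . $page . '" />';
}

// 2. htmlspecialchars(), the fix proposed earlier in the thread. Passing
//    ENT_QUOTES explicitly matters: before PHP 8.1 the default flags do not
//    encode single quotes, so a single-quoted attribute would still be
//    escapable. ENT_HTML5 and an explicit charset avoid surprises on
//    non-UTF-8 installs.
function render_hidden_field_htmlspecialchars(string $page): string
{
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="page" value="' . $safe . '" />';
}

// 3. In WordPress the attribute-context API is esc_attr(). esc_url(), also
//    suggested above, is only the right choice when the value is a URL;
//    "page" here is a plugin-page slug, not a URL. Stand-in so this file runs
//    without WordPress loaded; inside a plugin call the real function.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// 4. Input filtering, the approach taken in the fork (FILTER_SANITIZE_STRING
//    and intval). FILTER_SANITIZE_STRING strips tags and encodes quotes but
//    is deprecated since PHP 8.1, and it is a blocklist. An allow-list on
//    the slug is tighter; the fallback 'postman' is an assumed default.
function sanitize_page_slug(string $page): string
{
    return preg_match('/^[A-Za-z0-9_-]+$/', $page) === 1 ? $page : 'postman';
}

// Numeric parameters (the log entry id, for example) are the intval() case:
// anything that is not a non-negative integer collapses to 0.
function sanitize_log_id($id): int
{
    return max(0, intval($id));
}

// Filter on input AND escape on output; the two are not interchangeable,
// because the same value may later land in a different context.
function render_hidden_field_allowlisted(string $page): string
{
    $slug = sanitize_page_slug($page);
    return '<input type="hidden" name="page" value="' . esc_attr($slug) . '" />';
}

echo render_hidden_field_unescaped(PAYLOAD), "\n";
echo render_hidden_field_htmlspecialchars(PAYLOAD), "\n";
echo render_hidden_field_allowlisted(PAYLOAD), "\n";
echo sanitize_log_id('42abc'), ' ', sanitize_log_id('-7'), "\n";
```

Run it with `php example.php`: the first line prints a closed attribute followed by a live `<script>` element, the second prints the payload with `"`, `<` and `>` encoded so the browser sees a single attribute value, and the third prints the fallback slug because the payload fails the allow-list. A Wordfence-style WAF in front of the site, as mentioned in the thread, blocks known payload shapes but does not change the fact that the template still concatenates untrusted input into markup.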

  • The topic ‘Postman SMTP Mailer/Email Log is prone to a cross-site scripting vulnerability’ is closed to new replies.