Browse Source

Fixing XSS Vulnerabilities

This pull request fixed XSS vulnerabilities identified in the gophish admin panel.

**Important: These vulnerabilities could only be exploited if someone had access to the admin panel already, and could only exploit the vulnerability against the same account.**
pull/382/head
s vignesh 4 years ago
committed by Jordan Wright
parent
commit
bfb7fd11e8
6 changed files with 16 additions and 12 deletions
  1. +2
    -0
      auth/auth.go
  2. +2
    -0
      gophish.go
  3. +9
    -9
      static/js/app/campaigns.js
  4. +1
    -1
      static/js/app/dashboard.js
  5. +1
    -1
      static/js/app/landing_pages.js
  6. +1
    -1
      static/js/app/sending_profiles.js

+ 2
- 0
auth/auth.go View File

@ -21,6 +21,8 @@ func init() {
gob.Register(&models.User{})
gob.Register(&models.Flash{})
Store.Options.HttpOnly = true
// This sets the maxAge to 5 days for all cookies
Store.MaxAge(86400 * 5)
}
// Store contains the session information for the request

+ 2
- 0
gophish.go View File

@ -33,6 +33,7 @@ import (
"sync"
"github.com/NYTimes/gziphandler"
"github.com/gophish/gophish/auth"
"github.com/gophish/gophish/config"
"github.com/gophish/gophish/controllers"
"github.com/gophish/gophish/models"
@ -53,6 +54,7 @@ func main() {
go func() {
defer wg.Done()
adminHandler := gziphandler.GzipHandler(controllers.CreateAdminRouter())
auth.Store.Options.Secure = config.Conf.AdminConf.UseTLS
if config.Conf.AdminConf.UseTLS { // use TLS for Admin web server if available
Logger.Printf("Starting admin server at https://%s\n", config.Conf.AdminConf.ListenURL)
Logger.Fatal(http.ListenAndServeTLS(config.Conf.AdminConf.ListenURL, config.Conf.AdminConf.CertPath, config.Conf.AdminConf.KeyPath,

+ 9
- 9
static/js/app/campaigns.js View File

@ -29,7 +29,7 @@ function launch() {
groups = []
$.each($("#groupTable").DataTable().rows().data(), function(i, group) {
groups.push({
name: group[0]
name: unescapeHtml(group[0])
})
})
campaign = {
@ -311,13 +311,13 @@ $(document).ready(function() {
$.each(campaigns, function(i, campaign) {
label = labels[campaign.status] || "label-default";
campaignTable.row.add([
campaign.name,
escapeHtml(campaign.name),
moment(campaign.created_date).format('MMMM Do YYYY, h:mm:ss a'),
"<span class=\"label " + label + "\">" + campaign.status + "</span>",
"<div class='pull-right'><a class='btn btn-primary' href='/campaigns/" + campaign.id + "' data-toggle='tooltip' data-placement='left' title='View Results'>\
<i class='fa fa-bar-chart'></i>\
</a>\
<span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Copy Campaign' onclick='copy(" + i + ")'>\
<span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Copy Campaign' onclick='copy(" + i + ")'>\
<i class='fa fa-copy'></i>\
</button></span>\
<button class='btn btn-danger' onclick='deleteCampaign(" + i + ")' data-toggle='tooltip' data-placement='left' title='Delete Campaign'>\
@ -337,7 +337,7 @@ $(document).ready(function() {
$("#groupForm").submit(function() {
// Add row to group table.
var newRow = groupTable.row.add([
$("#groupSelect").val(),
escapeHtml($("#groupSelect").val()),
'<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
]).draw().node();
@ -379,7 +379,7 @@ $(document).ready(function() {
return '<div class="tt-suggestion">No groups matched that query</div>'
},
suggestion: function(data) {
return '<div>' + data.name + '</div>'
return '<div>' + escapeHtml(data.name) + '</div>'
}
}
})
@ -412,7 +412,7 @@ $(document).ready(function() {
return '<div class="tt-suggestion">No templates matched that query</div>'
},
suggestion: function(data) {
return '<div>' + data.name + '</div>'
return '<div>' + escapeHtml(data.name) + '</div>'
}
}
})
@ -443,7 +443,7 @@ $(document).ready(function() {
return '<div class="tt-suggestion">No pages matched that query</div>'
},
suggestion: function(data) {
return '<div>' + data.name + '</div>'
return '<div>' + escapeHtml(data.name) + '</div>'
}
}
})
@ -474,7 +474,7 @@ $(document).ready(function() {
return '<div class="tt-suggestion">No profiles matched that query</div>'
},
suggestion: function(data) {
return '<div>' + data.name + '</div>'
return '<div>' + escapeHtml(data.name) + '</div>'
}
}
})
@ -484,4 +484,4 @@ $(document).ready(function() {
.bind('typeahead:autocomplete', function(ev, profile) {
$("#profile").typeahead('val', profile.name)
});
})
})

+ 1
- 1
static/js/app/dashboard.js View File

@ -61,7 +61,7 @@ $(document).ready(function() {
var label = labels[campaign.status] || "label-default";
// Add it to the table
campaignTable.row.add([
campaign.name,
escapeHtml(campaign.name),
campaign_date,
"<span class=\"label " + label + "\">" + campaign.status + "</span>",
"<div class='pull-right'><a class='btn btn-primary' href='/campaigns/" + campaign.id + "' data-toggle='tooltip' data-placement='right' title='View Results'>\

+ 1
- 1
static/js/app/landing_pages.js View File

@ -131,7 +131,7 @@ function load() {
pagesTable.clear()
$.each(pages, function(i, page) {
pagesTable.row.add([
page.name,
escapeHtml(page.name),
moment(page.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
"<div class='pull-right'><span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Edit Page' onclick='edit(" + i + ")'>\
<i class='fa fa-pencil'></i>\

+ 1
- 1
static/js/app/sending_profiles.js View File

@ -142,7 +142,7 @@ function load() {
profileTable.clear()
$.each(profiles, function(i, profile) {
profileTable.row.add([
profile.name,
escapeHtml(profile.name),
profile.interface_type,
moment(profile.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
"<div class='pull-right'><span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Edit Profile' onclick='edit(" + i + ")'>\

Loading…
Cancel
Save