Fixing XSS Vulnerabilities

This pull request fixed XSS vulnerabilities identified in the gophish admin panel. **Important: These vulnerabilities could only be exploited if someone had access to the admin panel already, and could only exploit the vulnerability against the same account.**
ludovic690108733 · Sep 15, 2016 · bfb7fd1 · bfb7fd1
1 parent b7a2af3
commit bfb7fd1
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 12 deletions.
diff --git a/auth/auth.go b/auth/auth.go
@@ -21,6 +21,8 @@ func init() {
 	gob.Register(&models.User{})
 	gob.Register(&models.Flash{})
 	Store.Options.HttpOnly = true
+	// This sets the maxAge to 5 days for all cookies
+	Store.MaxAge(86400 * 5)
 }
 
 // Store contains the session information for the request

diff --git a/gophish.go b/gophish.go
@@ -33,6 +33,7 @@ import (
 	"sync"
 
 	"github.com/NYTimes/gziphandler"
+	"github.com/gophish/gophish/auth"
 	"github.com/gophish/gophish/config"
 	"github.com/gophish/gophish/controllers"
 	"github.com/gophish/gophish/models"
@@ -53,6 +54,7 @@ func main() {
 	go func() {
 		defer wg.Done()
 		adminHandler := gziphandler.GzipHandler(controllers.CreateAdminRouter())
+		auth.Store.Options.Secure = config.Conf.AdminConf.UseTLS
 		if config.Conf.AdminConf.UseTLS { // use TLS for Admin web server if available
 			Logger.Printf("Starting admin server at https://%s\n", config.Conf.AdminConf.ListenURL)
 			Logger.Fatal(http.ListenAndServeTLS(config.Conf.AdminConf.ListenURL, config.Conf.AdminConf.CertPath, config.Conf.AdminConf.KeyPath,

diff --git a/static/js/app/campaigns.js b/static/js/app/campaigns.js
@@ -29,7 +29,7 @@ function launch() {
                 groups = []
                 $.each($("#groupTable").DataTable().rows().data(), function(i, group) {
                     groups.push({
-                        name: group[0]
+                        name: unescapeHtml(group[0])
                     })
                 })
                 campaign = {
@@ -311,13 +311,13 @@ $(document).ready(function() {
                 $.each(campaigns, function(i, campaign) {
                     label = labels[campaign.status] || "label-default";
                     campaignTable.row.add([
-                        campaign.name,
+                        escapeHtml(campaign.name),
                         moment(campaign.created_date).format('MMMM Do YYYY, h:mm:ss a'),
                         "<span class=\"label " + label + "\">" + campaign.status + "</span>",
                         "<div class='pull-right'><a class='btn btn-primary' href='/campaigns/" + campaign.id + "' data-toggle='tooltip' data-placement='left' title='View Results'>\
                     <i class='fa fa-bar-chart'></i>\
                     </a>\
-		    <span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Copy Campaign' onclick='copy(" + i + ")'>\
+            <span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Copy Campaign' onclick='copy(" + i + ")'>\
                     <i class='fa fa-copy'></i>\
                     </button></span>\
                     <button class='btn btn-danger' onclick='deleteCampaign(" + i + ")' data-toggle='tooltip' data-placement='left' title='Delete Campaign'>\
@@ -337,7 +337,7 @@ $(document).ready(function() {
     $("#groupForm").submit(function() {
         // Add row to group table.
         var newRow = groupTable.row.add([
-            $("#groupSelect").val(),
+            escapeHtml($("#groupSelect").val()),
             '<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
         ]).draw().node();
 
@@ -379,7 +379,7 @@ $(document).ready(function() {
                     return '<div class="tt-suggestion">No groups matched that query</div>'
                 },
                 suggestion: function(data) {
-                    return '<div>' + data.name + '</div>'
+                    return '<div>' + escapeHtml(data.name) + '</div>'
                 }
             }
         })
@@ -412,7 +412,7 @@ $(document).ready(function() {
                     return '<div class="tt-suggestion">No templates matched that query</div>'
                 },
                 suggestion: function(data) {
-                    return '<div>' + data.name + '</div>'
+                    return '<div>' + escapeHtml(data.name) + '</div>'
                 }
             }
         })
@@ -443,7 +443,7 @@ $(document).ready(function() {
                     return '<div class="tt-suggestion">No pages matched that query</div>'
                 },
                 suggestion: function(data) {
-                    return '<div>' + data.name + '</div>'
+                    return '<div>' + escapeHtml(data.name) + '</div>'
                 }
             }
         })
@@ -474,7 +474,7 @@ $(document).ready(function() {
                     return '<div class="tt-suggestion">No profiles matched that query</div>'
                 },
                 suggestion: function(data) {
-                    return '<div>' + data.name + '</div>'
+                    return '<div>' + escapeHtml(data.name) + '</div>'
                 }
             }
         })
@@ -484,4 +484,4 @@ $(document).ready(function() {
         .bind('typeahead:autocomplete', function(ev, profile) {
             $("#profile").typeahead('val', profile.name)
         });
-})
+})
diff --git a/static/js/app/dashboard.js b/static/js/app/dashboard.js
@@ -61,7 +61,7 @@ $(document).ready(function() {
                     var label = labels[campaign.status] || "label-default";
                     // Add it to the table
                     campaignTable.row.add([
-                            campaign.name,
+                            escapeHtml(campaign.name),
                             campaign_date,
                             "<span class=\"label " + label + "\">" + campaign.status + "</span>",
                             "<div class='pull-right'><a class='btn btn-primary' href='/campaigns/" + campaign.id + "' data-toggle='tooltip' data-placement='right' title='View Results'>\

diff --git a/static/js/app/landing_pages.js b/static/js/app/landing_pages.js
@@ -131,7 +131,7 @@ function load() {
                 pagesTable.clear()
                 $.each(pages, function(i, page) {
                     pagesTable.row.add([
-                        page.name,
+                        escapeHtml(page.name),
                         moment(page.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
                         "<div class='pull-right'><span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Edit Page' onclick='edit(" + i + ")'>\
                     <i class='fa fa-pencil'></i>\

diff --git a/static/js/app/sending_profiles.js b/static/js/app/sending_profiles.js
@@ -142,7 +142,7 @@ function load() {
                 profileTable.clear()
                 $.each(profiles, function(i, profile) {
                     profileTable.row.add([
-                        profile.name,
+                        escapeHtml(profile.name),
                         profile.interface_type,
                         moment(profile.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
                         "<div class='pull-right'><span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Edit Profile' onclick='edit(" + i + ")'>\