Fixing XSS Vulnerabilities

This pull request fixed XSS vulnerabilities identified in the gophish admin panel. **Important: These vulnerabilities could only be exploited if someone had access to the admin panel already, and could only exploit the vulnerability against the same account.**
2016-09-15 10:22:58 +05:30 · 2016-09-15 10:22:58 +05:30 · bfb7fd11e8
parent b7a2af338b
commit bfb7fd11e8
6 changed files with 16 additions and 12 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@ -21,6 +21,8 @@ func init() {
 	gob.Register(&models.User{})
 	gob.Register(&models.Flash{})
 	Store.Options.HttpOnly = true
 	// This sets the maxAge to 5 days for all cookies
 	Store.MaxAge(86400 * 5)
 }
 // Store contains the session information for the request
--- a/gophish.go
+++ b/gophish.go
@ -33,6 +33,7 @@ import (
 	"sync"
 	"github.com/NYTimes/gziphandler"
 	"github.com/gophish/gophish/auth"
 	"github.com/gophish/gophish/config"
 	"github.com/gophish/gophish/controllers"
 	"github.com/gophish/gophish/models"
@ -53,6 +54,7 @@ func main() {
 	go func() {
 		defer wg.Done()
 		adminHandler := gziphandler.GzipHandler(controllers.CreateAdminRouter())
 		auth.Store.Options.Secure = config.Conf.AdminConf.UseTLS
 		if config.Conf.AdminConf.UseTLS { // use TLS for Admin web server if available
 			Logger.Printf("Starting admin server at https://%s\n", config.Conf.AdminConf.ListenURL)
 			Logger.Fatal(http.ListenAndServeTLS(config.Conf.AdminConf.ListenURL, config.Conf.AdminConf.CertPath, config.Conf.AdminConf.KeyPath,
--- a/static/js/app/campaigns.js
+++ b/static/js/app/campaigns.js
@ -29,7 +29,7 @@ function launch() {
                groups = []
                $.each($("#groupTable").DataTable().rows().data(), function(i, group) {
                    groups.push({
-                        name: group[0]
+                        name: unescapeHtml(group[0])
                    })
                })
                campaign = {
@ -311,13 +311,13 @@ $(document).ready(function() {
                $.each(campaigns, function(i, campaign) {
                    label = labels[campaign.status] || "label-default";
                    campaignTable.row.add([
-                        campaign.name,
+                        escapeHtml(campaign.name),
                        moment(campaign.created_date).format('MMMM Do YYYY, h:mm:ss a'),
                        "<span class=\"label " + label + "\">" + campaign.status + "</span>",
                        "<div class='pull-right'><a class='btn btn-primary' href='/campaigns/" + campaign.id + "' data-toggle='tooltip' data-placement='left' title='View Results'>\
                    <i class='fa fa-bar-chart'></i>\
                    </a>\
-		    <span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Copy Campaign' onclick='copy(" + i + ")'>\
+            <span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Copy Campaign' onclick='copy(" + i + ")'>\
                    <i class='fa fa-copy'></i>\
                    </button></span>\
                    <button class='btn btn-danger' onclick='deleteCampaign(" + i + ")' data-toggle='tooltip' data-placement='left' title='Delete Campaign'>\
@ -337,7 +337,7 @@ $(document).ready(function() {
    $("#groupForm").submit(function() {
        // Add row to group table.
        var newRow = groupTable.row.add([
-            $("#groupSelect").val(),
+            escapeHtml($("#groupSelect").val()),
            '<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
        ]).draw().node();
@ -379,7 +379,7 @@ $(document).ready(function() {
                    return '<div class="tt-suggestion">No groups matched that query</div>'
                },
                suggestion: function(data) {
-                    return '<div>' + data.name + '</div>'
+                    return '<div>' + escapeHtml(data.name) + '</div>'
                }
            }
        })
@ -412,7 +412,7 @@ $(document).ready(function() {
                    return '<div class="tt-suggestion">No templates matched that query</div>'
                },
                suggestion: function(data) {
-                    return '<div>' + data.name + '</div>'
+                    return '<div>' + escapeHtml(data.name) + '</div>'
                }
            }
        })
@ -443,7 +443,7 @@ $(document).ready(function() {
                    return '<div class="tt-suggestion">No pages matched that query</div>'
                },
                suggestion: function(data) {
-                    return '<div>' + data.name + '</div>'
+                    return '<div>' + escapeHtml(data.name) + '</div>'
                }
            }
        })
@ -474,7 +474,7 @@ $(document).ready(function() {
                    return '<div class="tt-suggestion">No profiles matched that query</div>'
                },
                suggestion: function(data) {
-                    return '<div>' + data.name + '</div>'
+                    return '<div>' + escapeHtml(data.name) + '</div>'
                }
            }
        })
@ -484,4 +484,4 @@ $(document).ready(function() {
        .bind('typeahead:autocomplete', function(ev, profile) {
            $("#profile").typeahead('val', profile.name)
        });
-})
+})
--- a/static/js/app/dashboard.js
+++ b/static/js/app/dashboard.js
@ -61,7 +61,7 @@ $(document).ready(function() {
                    var label = labels[campaign.status] || "label-default";
                    // Add it to the table
                    campaignTable.row.add([
-                            campaign.name,
+                            escapeHtml(campaign.name),
                            campaign_date,
                            "<span class=\"label " + label + "\">" + campaign.status + "</span>",
                            "<div class='pull-right'><a class='btn btn-primary' href='/campaigns/" + campaign.id + "' data-toggle='tooltip' data-placement='right' title='View Results'>\
--- a/static/js/app/landing_pages.js
+++ b/static/js/app/landing_pages.js
@ -131,7 +131,7 @@ function load() {
                pagesTable.clear()
                $.each(pages, function(i, page) {
                    pagesTable.row.add([
-                        page.name,
+                        escapeHtml(page.name),
                        moment(page.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
                        "<div class='pull-right'><span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Edit Page' onclick='edit(" + i + ")'>\
                    <i class='fa fa-pencil'></i>\
--- a/static/js/app/sending_profiles.js
+++ b/static/js/app/sending_profiles.js
@ -142,7 +142,7 @@ function load() {
                profileTable.clear()
                $.each(profiles, function(i, profile) {
                    profileTable.row.add([
-                        profile.name,
+                        escapeHtml(profile.name),
                        profile.interface_type,
                        moment(profile.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
                        "<div class='pull-right'><span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Edit Profile' onclick='edit(" + i + ")'>\