Commit Graph

811 Commits (87277df91ba0e43023a7d80fe7207d9f4cf62faa)

Author SHA1 Message Date
ssssdl e6533e9993
Update Dockerfile (#2095)
Updates the Go version used by the Dockerfile
2021-01-24 13:44:10 -06:00
dependabot[bot] 9f5368aa13
Bump ini from 1.3.5 to 1.3.7 (#2067)
Bumps [ini](https://github.com/isaacs/ini) from 1.3.5 to 1.3.7.
- [Release notes](https://github.com/isaacs/ini/releases)
- [Commits](https://github.com/isaacs/ini/compare/v1.3.5...v1.3.7)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-12-11 07:24:28 -06:00
Glenn Wilkinson ced5261678
Added functionality to lock accounts (+bug fix) (#2060)
* Added functionality to lock accounts

* Fixed typo and added test case for locked account
2020-12-07 08:56:05 -06:00
Jordan Wright 8b8e88b077 Adjusting how we handle IP address parsing to more gracefully handle X-Forwarded-For headers. Ref #1999 2020-10-14 20:35:32 -05:00
Jordan Wright 120e232cfe Removing accidental dependencies to revert to 3c490dbadb 2020-10-11 17:49:37 -05:00
Jordan Wright 23154126de Made error handling in the case of a client IP without a port more graceful, so that the ratelimiter doesn't return an error if X-Forwarded-For or X-Real-IP is set. 2020-10-11 17:18:33 -05:00
Jordan Wright af3122f93b Adds support for X-Forwarded-For and X-Real-IP headers so that the correct IP address shows up in the logs.
Fixes #1999
2020-10-11 13:59:42 -05:00
Jordan Wright 3c490dbadb Updated JS from #1976 2020-09-30 22:00:15 -05:00
Glenn Wilkinson b53cff0c98
Added functionality to display last user login (#1967)
Added functionality to display last login time for each user in the User Management page.
2020-09-30 21:06:08 -05:00
Jordan Wright c1d3c7cd75 Modified frontend reporting logic to be more flexible with campaigns that include a path in their URL.
Fixes #1985
2020-09-23 21:15:19 -05:00
Glenn Wilkinson 0b2ab68f8d
Modified regex to detect Microsoft ATP URLs (#1976) 2020-09-23 20:40:21 -05:00
Jordan Wright 22c7b9be14 Bumped version to 0.11.0 2020-08-28 13:20:54 -05:00
Jordan Wright b01bd6cbc0 Updated github.com/jordan-wright/email dependency 2020-08-24 13:15:16 -05:00
Jordan Wright 6df62e85fd Added a simple Content-Security-Policy to mitigate clickjacking attempts. 2020-08-20 10:39:23 -05:00
Jordan Wright e3352f481e
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.

This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang

To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.

To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.

There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.

Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 09:36:18 -05:00
Jordan Wright 27d13a0584 Gofmt'ing so that tests pass 2020-08-15 10:31:49 -05:00
Jordan Wright 735880c398 Creating minified JS file from chnages in #1909 2020-08-08 15:04:59 -05:00
Glenn Wilkinson 0558da90fe
Added support to allow invalid IMAP certificates (#1909)
This commit allows self-signed certificates to be used in upstream IMAP connections.
2020-08-08 15:03:42 -05:00
Jordan Wright 90fed5a575 Added escaping for error message in sending profile hostname 2020-08-06 22:21:41 -05:00
dependabot[bot] 81aa65ba62
Bump elliptic from 6.4.1 to 6.5.3 (#1919)
Bumps [elliptic](https://github.com/indutny/elliptic) from 6.4.1 to 6.5.3.
- [Release notes](https://github.com/indutny/elliptic/releases)
- [Commits](https://github.com/indutny/elliptic/compare/v6.4.1...v6.5.3)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-08-02 21:08:49 -05:00
Andrew da18b9db94
Update credentials in Readme. (#1914)
The credentials were listed as admin/gophish, but this changed in v0.10.1, as per: https://docs.getgophish.com/user-guide/getting-started
2020-07-28 20:35:40 -05:00
Jordan Wright b684fb4ebd Fixing issue where campaigns aren't showing up in the archived tab if they have been marked as completed.
Fixes #1892
2020-07-25 14:47:37 -05:00
Jordan Wright 65f06c138f
Create SECURITY.md
Add a very high-level SECURITY.md
2020-07-24 23:14:29 -05:00
Jordan Wright 19ef924d89 Properly escaping server output when a request is made to ping a malicious webhook URL.
Fixes #1901
2020-07-24 23:04:55 -05:00
Jordan Wright b25f5ac5e4 Updated PapaParse config to prevent CSV injection.
I've updated the PapaParse JS library to the latest version from the master branch which supports the `escapeForumlae` option in order to prevent malicious event entries from being parsed and executed by the Gophish user's spreadsheet software.

When a new PapaParse release is created, I'll update this code to use the updated minified file.
2020-07-24 22:44:24 -05:00
Jordan Wright 4e9b94b641 Fixed validation when setting IMAP hostname 2020-07-17 22:40:10 -05:00
Jordan Wright cf7d058f1d Fixed config test to match new default logger 2020-07-17 22:23:44 -05:00
Jordan Wright 1c5ad85de1 Added handling for default logger if one is not specified. Fixes #1899 2020-07-17 22:14:04 -05:00
dependabot[bot] f2042de3bc
Bump lodash from 4.17.15 to 4.17.19 (#1898)
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-07-17 22:09:17 -05:00
Stuart Small afa00e2a9c
Add ability to provide initial API key on service standup (#1883) 2020-07-01 22:06:31 -05:00
Jordan Wright bf76f86ea4 Adds environment variable to set the initial admin password
This change adds a `GOPHISH_INITIAL_ADMIN_PASSWORD` environment variable so that system administrators can set the initial admin password rather than having it randomly generated. This is especially useful in automated deployment scenarios, or scenarios using Docker (ref #1876, #1874)
2020-06-25 08:31:28 -05:00
Jordan Wright bb7de8df3e
Initial Implementation of a Password Policy (#1867)
This PR adds the initial work to implement a password policy as defined in #1538.

Specifically, this implements the following

* Rate limiting for the login handler
* Implementing the ability for system admins to require a user to reset their password
* Implementing a password policy that requires passwords to be a minimum of 8 characters
* Removes the default password (gophish) for admin users to instead have the password randomly generated when Gophish first starts up
* Adds a password strength meter when choosing a new password

Fixes #1538
2020-06-19 22:03:51 -05:00
Jordan Wright 0f6439de5a gofmt'ing the IMAP changes 2020-06-16 20:13:24 -05:00
Jordan Wright 61bbb22f7c Updating the modules used for IMAP and email support
$ go get -u github.com/jordan-wright/email
$ go build
$ go mod tidy
2020-06-16 20:10:12 -05:00
Glenn Wilkinson 6f95da00ba
IMAP update; new library and attachment support (#1791)
Updates the IMAP processing to use a more mature library. This allows for more robust IMAP support.

Additionally, this adds support for reporting emails as attachments.
2020-06-16 20:02:09 -05:00
Jordan Wright 8ebdb43469 Documentation and code cleanup for webhooks 2020-06-13 13:44:20 -05:00
Jordan Wright ec8b17238e General code cleanup as part of an effort to integrate staticcheck into our CI pipeline. 2020-05-25 21:46:36 -05:00
Jordan Wright 0961e22126 Removed unneeded print statement 2020-05-25 20:55:00 -05:00
Jordan Wright 782f80fa12 Bumped version to 0.10.1 2020-05-24 22:26:48 -05:00
Jordan Wright b57210f6e7 Rebuilt JS files from #1812 2020-05-24 22:24:57 -05:00
Jordan Wright 520b0b8d87 Initial commit of automatic releases via GitHub Actions. 2020-05-24 21:53:38 -05:00
Jordan Wright ba38bfdbdd Bumped version to 0.10.0 2020-05-24 21:49:40 -05:00
Jordan Wright b29544c208 Rebuilding JS files from #1838 2020-05-23 12:56:18 -05:00
Prasoon Dwivedi 353639e168
Use GroupsSummary to create and copy campaign (#1838)
The Groups (get all groups and associated targets) call is used while
loading the modal for creating and copying a campaign. As the Groups API gets
all the associated targets for a groups as well, it slows the system
considerably if there are large number of groups and targets (~200
groups each with ~100-10000 targets).
As targets are not really needed in this workflow, this call can be
replaced by the GroupsSummary call.
2020-05-23 12:51:43 -05:00
Jordan Wright 726e3c96ac Rebuilding JS files from #1830 2020-05-08 21:02:05 -05:00
Prasoon Dwivedi 40b77840f5
Add favicon (#1831)
Added favicon image and corrected the path to the favicon
2020-05-08 21:00:22 -05:00
Prasoon Dwivedi 116c2a7e7e
Load datatable rows all at once (#1830)
This change modifies how we populate DataTables to draw the table only once vs. drawing it when we add each new row. This should result in tables loading quicker.
2020-05-03 22:03:58 -05:00
Glenn Wilkinson 38a6a77c9c
Added ability to allow admin to 'su' to other accounts (#1812)
* Added ability to allow admin to 'su' to other accounts

* Naming convention and user message modifications

* Removed debug statement
2020-04-27 18:19:20 -05:00
Prasoon Dwivedi 26e82cb2e3
Add capability to run the binary in a mode (#1817)
These commit includes changes to start the server as one of admin (also
IMAP) or phish server. Before this change the servers used to run in
monolith this change will decouple the two core component i.e. admin
and phish server so that they can be run independently.

This will help where admin and phish server are required to run
saperately e.g. phish server runs in a DMZ.

The available modes are `admin`, `phish` and `all`. Running the binary
in the `admin` mode will start the admin and IMAP server, while running
the binary in the `phish` mode will start the phish server. `all` mode,
which is also the default mode will start admin, IMAP and phish servers.
e.g. `go run gophish.go --mode admin`
2020-04-26 22:51:39 -05:00
Jordan Wright a0e8c4a369 Added optional csrf_key to config to better support H/A configurations. Fixes #1816. Fixes #1820. 2020-04-23 23:16:44 -05:00