Commit Graph

37 Commits (9f778651c685748bf7bb5743cf35f4bc48788830)

Author SHA1 Message Date
Jordan Wright e3352f481e
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.

This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang

To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.

To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.

There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.

Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 09:36:18 -05:00
Prasoon Dwivedi 26e82cb2e3
Add capability to run the binary in a mode (#1817)
These commit includes changes to start the server as one of admin (also
IMAP) or phish server. Before this change the servers used to run in
monolith this change will decouple the two core component i.e. admin
and phish server so that they can be run independently.

This will help where admin and phish server are required to run
saperately e.g. phish server runs in a DMZ.

The available modes are `admin`, `phish` and `all`. Running the binary
in the `admin` mode will start the admin and IMAP server, while running
the binary in the `phish` mode will start the phish server. `all` mode,
which is also the default mode will start admin, IMAP and phish servers.
e.g. `go run gophish.go --mode admin`
2020-04-26 22:51:39 -05:00
Glenn Wilkinson 9de32746ee Added IMAP support for checking reported emails (#1612)
Initial support of managing reporting through IMAP.

Co-Authored-By: Jordan Wright <jmwright798@gmail.com>
2020-01-18 11:58:34 -06:00
Jordan Wright caede2e40b
Refactoring Logging (#1722)
* Added ParseLevel to set log level (#1671)
* Moved logger config into the logger package for better decoupling. Added logging tests.

Co-authored-by: Amal Alkhamees <Amalkh5@users.noreply.github.com>
2020-01-16 22:21:58 -06:00
Jordan Wright 84096b8724
Implement User Management API (#1473)
This implements the first pass for a user management API allowing users with the `ModifySystem` permission to create, modify, and delete users. In addition to this, any user is able to use the API to view or modify their own account information.
2019-05-31 13:58:18 -05:00
Jordan Wright 47f0049c30
Refactor servers (#1321)
* Refactoring servers to support custom workers and graceful shutdown.
* Refactoring workers to support custom mailers.
* Refactoring mailer to be an interface, with proper instances instead of a single global instance
* Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition.
* Cleaning up API middleware to be simpler
* Moving template parameters to separate struct
* Changed LoadConfig to return config object
* Cleaned up some error handling, removing uninitialized global error in models package
* Changed static file serving to use the unindexed package
2018-12-15 15:42:32 -06:00
Jordan Wright bef52d36f1 Adding ability to log to file as well as stderr. Fixes #441. Fixes #1209. 2018-10-06 15:47:31 -05:00
Jordan Wright a04f6d031b Cleaned up dashboard page when no campaigns have been launched 2018-05-26 21:37:22 -05:00
Jordan Wright 5d23263898
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-03 19:07:41 -05:00
Jordan Wright 1426376aa5
Added --disable-mailer flag to prevent starting the built-in mailer. Fixes #935 2018-02-22 22:26:59 -06:00
Jordan Wright 76ece15b71
Email refactoring (#878)
The initial pass at refactoring the way we send emails.
2017-12-09 15:42:07 -06:00
Jordan Wright ca1e52148b Adding VERSION file and bumping version to 0.4-dev. Fixes #742 2017-09-05 21:54:32 -05:00
Jordan Wright 772fe28c06 Added config.json CLI flag: --config 2017-06-09 00:14:03 -05:00
s vignesh 8bb13ad7ee Gzip Best Compression (#457)
Better gzip compression to save bandwidth.
2016-12-02 17:47:49 -06:00
Jordan Wright 0f5bf29972 Automatic Creation of SSL Certificates (#443)
Thanks @ss23!
2016-11-19 12:04:10 -06:00
s vignesh bfb7fd11e8 Fixing XSS Vulnerabilities
This pull request fixed XSS vulnerabilities identified in the gophish admin panel.

**Important: These vulnerabilities could only be exploited if someone had access to the admin panel already, and could only exploit the vulnerability against the same account.**
2016-09-15 00:52:58 -04:00
Jordan Wright d687872462 Added gzip support on admin/phishing routers. Fixes #2 2016-08-16 20:20:11 -05:00
William Woodson 44852546e0 Added UseTLS config option for both Admin and Phish servers 2016-01-17 10:45:13 -06:00
Jordan Wright 89e72dd78d Added error handling on startup of web servers. Fixes #70 2016-01-14 22:46:43 -06:00
William Woodson 3a0fa4f93f Update bcrypt dependency and code moved to gophish group 2016-01-10 11:04:03 -06:00
Jordan 86dca67a5a Finished implementing PUT /templates/:id
Now deleting events on campaign deletion
Added some minor UI fixes and changes
2014-07-23 21:04:38 -05:00
Jordan 0f603e6501 Added http handler for phishing endpoint - Will add content soon
Updated config.go to reflect the new changes
2014-06-29 16:44:16 -05:00
Jordan 9b216c5466 Major design change - more dashboard-ish.
Working on more angularjs + gophish abstraction. Gophish for backend, AngularJS for the frontend
Moved templates to partials for angular
Using FlatUI color scheme
2014-05-26 20:29:12 -05:00
Jordan cb9c405f46 Added better testing with gocheck
Fixed some typos leading to syntax errors
TODO: Finish up gorm integration into templates
2014-03-26 21:42:07 -05:00
Jordan 92af237258 Changed the init to Setup() for better control over DB creation 2014-03-24 22:38:59 -05:00
Jordan 584d7dbc23 Major refactoring - modularized models into separate files. Removed db package (moved to models)
I will be looking to migrate to gorm (instead of gorp) soon!
2014-03-24 22:31:33 -05:00
Jordan c59415a133 Adding some models - Incorporated use of `gorp` package to allow ORM'ish functionality 2014-01-30 15:08:14 -06:00
Jordan 6944854005 Added support for --setup flag to reset database 2014-01-12 22:39:40 -06:00
Jordan 2a62f62bc6 Cleaned API even more (everything is via HandlerFunc)
Sessions are now encrypted as well as signed.
2014-01-10 22:37:42 -06:00
Jordan 42d7c463df Moved Use() to controllers from middleware for cleaner usage (I'll consider moving it back if it doesn't logically make sense)
Renamed Base_Campaigns to Campaigns
2014-01-10 22:11:44 -06:00
Jordan 7eb90b27ad Moved DB to root folder
Created db package to handle DB connection/queries
Removed Setup.go (now handled in db package)
Setup context in middleware
2014-01-09 17:18:49 -06:00
Jordan d4dbf30499 Changed Setup() to only return an error - I will need to find a way to handle the database connection either globally, or per package as needed. Not sure yet. 2014-01-09 01:08:32 -06:00
Jordan 7f084760f9 Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture.
Added doc.go for each package
2014-01-09 00:42:05 -06:00
Jordan e6343292be Working on setting up Login functionality
Introduced working with SQLite DB - working on setting up database on first run
Added "dbpath" to config
2014-01-06 00:09:41 -06:00
Jordan Wright a64b0c10c9 Moved structs to models.go file
Changed config to have "host" string
Working on simple mailing library
Some basic template bug fixes (eventually I might move the side nav to a template)
2013-12-12 00:27:43 -06:00
Jordan Wright a3518032be Added config file integration, updated some styles 2013-12-06 17:39:40 -06:00
Jordan Wright 1d6e25a2d1 Initial commit - getting the ball rolling! 2013-12-02 22:56:55 -06:00