Commit Graph

817 Commits (bca84de013976c29b7e1f6f4a3d73d60770c2784)

Author SHA1 Message Date
Jordan Wright 726e3c96ac Rebuilding JS files from #1830 2020-05-08 21:02:05 -05:00
Prasoon Dwivedi 40b77840f5
Add favicon (#1831)
Added favicon image and corrected the path to the favicon
2020-05-08 21:00:22 -05:00
Prasoon Dwivedi 116c2a7e7e
Load datatable rows all at once (#1830)
This change modifies how we populate DataTables to draw the table only once vs. drawing it when we add each new row. This should result in tables loading quicker.
2020-05-03 22:03:58 -05:00
Glenn Wilkinson 38a6a77c9c
Added ability to allow admin to 'su' to other accounts (#1812)
* Added ability to allow admin to 'su' to other accounts

* Naming convention and user message modifications

* Removed debug statement
2020-04-27 18:19:20 -05:00
Prasoon Dwivedi 26e82cb2e3
Add capability to run the binary in a mode (#1817)
These commit includes changes to start the server as one of admin (also
IMAP) or phish server. Before this change the servers used to run in
monolith this change will decouple the two core component i.e. admin
and phish server so that they can be run independently.

This will help where admin and phish server are required to run
saperately e.g. phish server runs in a DMZ.

The available modes are `admin`, `phish` and `all`. Running the binary
in the `admin` mode will start the admin and IMAP server, while running
the binary in the `phish` mode will start the phish server. `all` mode,
which is also the default mode will start admin, IMAP and phish servers.
e.g. `go run gophish.go --mode admin`
2020-04-26 22:51:39 -05:00
Jordan Wright a0e8c4a369 Added optional csrf_key to config to better support H/A configurations. Fixes #1816. Fixes #1820. 2020-04-23 23:16:44 -05:00
Jordan Wright 07b46d226a Updated the TLS configuration.
This commit removes support for the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA and TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ciphers. It also removes support for CurveP384. This is to match up with recommendations given by Cloudflare [0], Mozilla (the "Intermediate" compatibility) [1], and referencing the default ciphers in Caddy [2].

[0] https://blog.cloudflare.com/exposing-go-on-the-internet/
[1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
[2] 008415f206/caddytls/config.go (L492)

Here is the diff of running testssl against the old and new configurations:

```
git diff --no-index -- old.txt new.txt
diff --git a/old.txt b/new.txt
index fc624a1..53d0c97 100644
--- a/old.txt
+++ b/new.txt
@@ -13,11 +13,11 @@ docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.interna
 ###########################################################

  Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
- on 4831dc55e53f:$PWD/bin/openssl.Linux.x86_64
+ on 41ae723da66a:$PWD/bin/openssl.Linux.x86_64
  (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

- Start 2020-03-28 02:54:41        -->> 192.168.65.2:3333 (host.docker.internal) <<--
+ Start 2020-03-28 03:15:21        -->> 192.168.65.2:3333 (host.docker.internal) <<--

  rDNS (192.168.65.2):    --
  Service detected:       HTTP
@@ -41,15 +41,14 @@ docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.interna
  Export ciphers (w/o ADH+NULL)                 not offered (OK)
  LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
  Triple DES Ciphers / IDEA                     not offered (OK)
- Obsolete: SEED + 128+256 Bit CBC cipher       offered
+ Obsolete: SEED + 128+256 Bit CBC cipher       not offered
  Strong encryption (AEAD ciphers)              offered (OK)

  Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

- PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256
-                              ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA
- Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519
+ PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
+ Elliptic curves offered:     prime256v1 X25519

  Testing server preferences
@@ -58,7 +57,7 @@ docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.interna
  Negotiated protocol          TLSv1.3
  Negotiated cipher            TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
  Cipher order
-    TLSv1.2:   ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA
+    TLSv1.2:   ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256
     TLSv1.3:   TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_256_GCM_SHA384

@@ -125,7 +124,7 @@ docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.interna
                                            no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
  LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
  BEAST (CVE-2011-3389)                     no SSL3 or TLS1 (OK)
- LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
+ LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
  RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

@@ -136,50 +135,48 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
  x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
  xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
  xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

- LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
+ LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
  RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

@@ -136,50 +135,48 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
  x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
  xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
  xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  Running client simulations (HTTP) via sockets

- Android 4.4.2                TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
+ Android 4.4.2                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
  Android 5.0.0                TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
  Android 6.0                  TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
- Android 7.0                  TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
- Android 8.1 (native)         TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
+ Android 7.0                  TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
+ Android 8.1 (native)         TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
  Android 9.0 (native)         TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
- Chrome 65 Win 7              TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
+ Chrome 65 Win 7              TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
  Chrome 74 (Win 10)           TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
- Firefox 62 Win 7             TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
+ Firefox 62 Win 7             TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
  Firefox 66 (Win 8.1/10)      TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
  IE 6 XP                      No connection
  IE 8 Win 7                   No connection
  IE 8 XP                      No connection
- IE 11 Win 7                  TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
- IE 11 Win 8.1                TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
- IE 11 Win Phone 8.1          TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
- IE 11 Win 10                 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
- Edge 15 Win 10               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
- Edge 17 (Win 10)             TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
+ IE 11 Win 7                  TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
+ IE 11 Win 8.1                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
+ IE 11 Win Phone 8.1          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
+ IE 11 Win 10                 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
+ Edge 15 Win 10               TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
+ Edge 17 (Win 10)             TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
  Opera 60 (Win 10)            TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
- Safari 9 iOS 9               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
- Safari 9 OS X 10.11          TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
- Safari 10 OS X 10.12         TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
+ Safari 9 iOS 9               TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
+ Safari 9 OS X 10.11          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
+ Safari 10 OS X 10.12         TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
  Safari 12.1 (iOS 12.2)       TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
  Safari 13.0 (macOS 10.14.6)  TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
- Apple ATS 9 iOS 9            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
+ Apple ATS 9 iOS 9            TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
  Java 6u45                    No connection
  Java 7u25                    No connection
- Java 8u161                   TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
+ Java 8u161                   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
  Java 11.0.2 (OpenJDK)        TLSv1.3 TLS_AES_128_GCM_SHA256, 256 bit ECDH (P-256)
  Java 12.0.1 (OpenJDK)        TLSv1.3 TLS_AES_128_GCM_SHA256, 256 bit ECDH (P-256)
- OpenSSL 1.0.1l               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
- OpenSSL 1.0.2e               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
- OpenSSL 1.1.0j (Debian)      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
+ OpenSSL 1.0.1l               TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
+ OpenSSL 1.0.2e               TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
+ OpenSSL 1.1.0j (Debian)      TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
  OpenSSL 1.1.1b (Debian)      TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
  Thunderbird (60.6)           TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)

- Done 2020-03-28 02:57:48 [ 189s] -->> 192.168.65.2:3333 (host.docker.internal) <<--
+ Done 2020-03-28 03:17:25 [ 128s] -->> 192.168.65.2:3333 (host.docker.internal) <<--
```

Fixes #1698
2020-03-27 22:25:18 -05:00
Jordan Wright 138b486b2f Caching the campaign for those that are launched immediately. This is related to #1726 2020-03-27 21:29:41 -05:00
Paul c5c1e6ff68
Updated the Ansible role (#1786) 2020-03-22 12:55:52 -05:00
Jordan Wright 118d9899d6 Updated minified scripts from #1772 2020-03-15 12:41:19 -05:00
Paul Werther c0be58aa3d
Add "mark as reported" to results table (#1772)
This commit adds the ability to mark a result as reported directly from the campaign results view.
2020-03-15 12:38:51 -05:00
dependabot[bot] 053b998b84
Bump acorn from 6.1.1 to 6.4.1 (#1785)
Bumps [acorn](https://github.com/acornjs/acorn) from 6.1.1 to 6.4.1.
- [Release notes](https://github.com/acornjs/acorn/releases)
- [Commits](https://github.com/acornjs/acorn/compare/6.1.1...6.4.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-03-15 12:33:49 -05:00
Jordan Wright 6251ea6a02
Fixing issues - get values from non objects (#1773)
After calls to get Template, Page, and SMTP, if the objects aren't found then we're currently trying to display error message using the name values of the non objects. This changes this behavior such that we use the name values from the campaign object to give better log messages.
2020-03-05 07:31:19 -06:00
Jordan Wright 2e3aacd22d
Remove Unused Variable (#1774)
The timeline_series_data variable is created twice before using it. This resolves that.
2020-03-05 07:28:17 -06:00
Jordan Wright 8162a80cb1
Improve the Performance of Sending Emails (#1753)
Adding the ability to cache campaigns on maillogs to greatly improve generation time (and, by extension, sending speed and memory usage).
2020-02-29 20:19:54 -06:00
Glenn Wilkinson 6e20f64322
Fixed text autocomplete dropping down in Chrome (#1749) 2020-02-11 21:48:48 -08:00
Jordan Wright 1733da1fa8 Creating go.mod and go.sum files to establish Gophish as a Go module. 2020-02-02 21:44:25 -06:00
Jordan Wright 26884a8f34 Updated README to include GitHub Actions badge and update LICENSE copyright date 2020-02-01 22:11:34 -06:00
Jordan Wright 4375e5f6a1
Create ci.yml (#1741)
This PR enabled GitHub Actions as a replacement to TravisCI. I'm a fan of removing external dependencies where possible, and GitHub Actions has matured to be really useful.
2020-02-01 21:59:24 -06:00
Jordan Wright be459e47bf
Refactoring tests to remove stretchr/testify dependency 2020-02-01 21:44:50 -06:00
cyberbutler e12258bf25
Updated Docker Hub link to point to gophish/gophish (#1732)
The Readme currently points to https://hub.docker.com/r/matteoggl/gophish/ which is a Docker image that hasn't been updated in over 2 years. This PR updates the Readme link to point to a more current Docker Image.
2020-02-01 21:36:42 -06:00
Jordan Wright 3d525525ea Added campaign ID to the webhook JSON payload 2020-01-30 07:09:04 -06:00
Jordan Wright 0620671de6 Adding benchmarks for maillog.Generate. Ref #1726 2020-01-25 22:09:43 -06:00
Jordan Wright 947bb4ccba Adjusting SMTP TLS config to use just the hostname instead of the hostname+port when validating certificates. Fixes #1709 2020-01-21 07:21:56 -06:00
Jordan Wright c553d7d925 Bumping version to 0.9.0 2020-01-18 13:04:12 -06:00
Jordan Wright ecb6d46914 Rebuilding minified JS to support #1722 2020-01-18 12:49:34 -06:00
Glenn Wilkinson 9de32746ee Added IMAP support for checking reported emails (#1612)
Initial support of managing reporting through IMAP.

Co-Authored-By: Jordan Wright <jmwright798@gmail.com>
2020-01-18 11:58:34 -06:00
Jordan Wright caede2e40b
Refactoring Logging (#1722)
* Added ParseLevel to set log level (#1671)
* Moved logger config into the logger package for better decoupling. Added logging tests.

Co-authored-by: Amal Alkhamees <Amalkh5@users.noreply.github.com>
2020-01-16 22:21:58 -06:00
Jordan Wright 546da4ee7d Removing unneeded query to improve group performance.
As mentioned in #1702, the query in `insertTargetIntoGroup` isn't needed, since both instances where it's used we already know that the target isn't in the group. This means it's safe to remove that query, improving performance dramatically.

Before:

```
BenchmarkPostGroup100-4     	      81	  12629754 ns/op	 2989993 B/op	   52918 allocs/op
BenchmarkPostGroup1000-4    	       6	 189527792 ns/op	29891818 B/op	  528082 allocs/op
BenchmarkPostGroup10000-4   	       1	6203645806 ns/op	299253648 B/op	 5282859 allocs/op
BenchmarkPutGroup100-4      	     100	  10221833 ns/op	 2589165 B/op	   46078 allocs/op
BenchmarkPutGroup1000-4     	       7	 162692432 ns/op	25812440 B/op	  458425 allocs/op
BenchmarkPutGroup10000-4    	       1	7596445084 ns/op	260385808 B/op	 4581569 allocs/op
```

After:

```
BenchmarkPostGroup100-4     	     133	   8848973 ns/op	 2354605 B/op	   42322 allocs/op
BenchmarkPostGroup1000-4    	       9	 112557410 ns/op	23549206 B/op	  422184 allocs/op
BenchmarkPostGroup10000-4   	       1	3414209403 ns/op	235635952 B/op	 4222090 allocs/op
BenchmarkPutGroup100-4      	     147	   8094333 ns/op	 2271297 B/op	   40777 allocs/op
BenchmarkPutGroup1000-4     	       9	 125092124 ns/op	22635067 B/op	  405421 allocs/op
BenchmarkPutGroup10000-4    	       1	5712591900 ns/op	228592920 B/op	 4051316 allocs/op
```
2020-01-16 20:41:13 -06:00
JoseW3b 91d798336f Get send_by_date (#1720)
Get send_by_date field when query on GetCampaignSummary and GetCampaignSummaries
2020-01-15 22:02:19 -06:00
Jordan Wright da4e468c1f Deleted unneeded .DS_Store file that was accidentally merged as part of #1642. 2020-01-14 23:19:33 -06:00
Chris Zietlow f570a611db Fix webhooks db migration. (#1697) 2019-12-18 17:57:13 -06:00
Jordan Wright 9d430c90ab Added gofmt requirement to CI 2019-12-15 22:13:19 -06:00
Jordan Wright 01287e0dd5 Minor cleanup on webhook feature integration
- Ran gofmt
- Rebuilt minified static files
- Updated validation payload
2019-12-15 22:07:55 -06:00
Alex Maslakov 28cd7a238e Add Webhook Support
Adds support for managing outgoing webhooks. Closes #1602
2019-12-15 20:27:21 -06:00
Jordan Wright 699532f256 Remove support for Go 1.9.
It appears that the MySQL driver dropped support for Go 1.9. Until we have vendoring in place (will happen soon!) we must follow suit and drop support for Go v1.9. This still allows us to support the latest three versions of Go.
2019-12-11 20:06:04 -06:00
Jordan Wright 79e680e675 Updates the tls.Config of the phishing and admin servers to support TLS 1.2 as the minimum TLS version. This addresses #1691 and #1689.
I am making this change since Microsoft, Google, and Apple have all chosen to deprecate TLS 1.0 and TLS 1.1 in early 2020. In late 2018, the companies recorded that less than 1.4 percent (max) of their connections used < TLS 1.2.

Output before change:

```
docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.internal:3333

 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   h2, http/1.1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)
```

Output after change:

```
docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.internal:3333

 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   h2, http/1.1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)
```
2019-12-11 19:52:41 -06:00
Jordan Wright 44f88401bb
Performance Improvements for Campaign and Group Creation (#1686)
This commit significantly improves the performance of campaign and group creation by changing database access to use transactions.

It should also make things more consistent with campaign creation. Specifically, this will ensure that the entire campaign gets created before emails start sending, while I anticipate this will fix #1643, #1080, (possibly) #1677, and #1552.
2019-12-02 23:00:11 -06:00
Jordan Wright c2f579a2c5 Updated the Dockerfile to allow the gophish binary to bind to privileged ports. Fixes #1660. 2019-11-23 21:28:32 -06:00
Michael Eder 1aab1a34ba 1624 - Return API Key on Password Change (#1663)
Updates the user model to return the user’s API key for easier administration.
2019-11-16 12:18:03 -06:00
dependabot[bot] e812ea0dfb Bump lodash from 4.17.11 to 4.17.15 (#1509)
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.11 to 4.17.15.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.11...4.17.15)

Signed-off-by: dependabot[bot] <support@github.com>
2019-11-12 20:06:35 -06:00
dependabot[bot] 38876339c0 Bump mixin-deep from 1.3.1 to 1.3.2 (#1654)
Bumps [mixin-deep](https://github.com/jonschlinkert/mixin-deep) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/jonschlinkert/mixin-deep/releases)
- [Commits](https://github.com/jonschlinkert/mixin-deep/compare/1.3.1...1.3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2019-11-09 21:21:15 -06:00
SamSutt c5dc71662a Bugfix Issue 1570 (#1640)
Relating to the Issue (https://github.com/gophish/gophish/issues/1570), this could be an easy fix.
2019-10-29 08:21:54 -05:00
Glenn Wilkinson 28252bcb56 Will exit on port binding failure (#1635) 2019-10-28 21:38:59 -05:00
quelsan 3227437f52 Improved Dockerfile and run script (#1579)
The Dockerfile has also been rebuilt to use an unprivileged user instead
of root.

The run script adds more options and changes the method the
configuration is overwritten, which may help in situations where the
configuration is not owned by the unprivileged user.
2019-10-06 20:18:06 -07:00
Gábor Lipták c3e90183c8 Add Go 1.13 to Travis (#1610) 2019-10-04 16:30:48 -07:00
Jordan Wright 6222c5e180
Upgrade SweetAlert2 Dependency (#1583)
Upgrades the SweetAlert2 dependency to version 8.x.x.

Co-authored-by: Glenn Wilkinson <glenn.wilkinson@gmail.com>
2019-09-10 19:49:23 -05:00
David Maciejak 20295bd96a Remove the Top Navigation Menu
The top navigation menu is redundant to the sidebar. We’re opting to remove it so that we are free to update the sidebar to be more complex over time.
2019-08-29 07:36:04 -05:00
David Maciejak 24fe998a3a Fix multiple XSS issues in User Management Page (#1547)
If the user name is embedding some JS code, it will be executed on the client side. Note: gophish/static/js/dist/app/users.min.js will need to be regenerated too.
2019-08-23 21:07:15 -05:00
Jordan Wright f95e9554c7
Add CORS support for Reporting Handler (#1529)
* Added response headers for CORS and server identification (#1517)

Co-Authored-By: Glenn Wilkinson <glenn.wilkinson@gmail.com>
2019-08-03 20:55:25 -05:00