{"id":16695,"date":"2021-07-08T13:27:25","date_gmt":"2021-07-08T11:27:25","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0048\/"},"modified":"2021-07-19T14:16:20","modified_gmt":"2021-07-19T12:16:20","slug":"usd-2020-0048","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0048\/","title":{"rendered":"usd-2020-0048"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

usd-2020-0048 | Gophish v0.10.1<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0048<\/span>
CVE Number<\/strong>: CVE-2020-24708<\/span>
Affected Product<\/strong>: Gophish<\/span>
Affected Version<\/strong>: v0.10.1<\/span>
Vulnerability Type<\/strong>: Stored Cross-Site Scripting<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: https:\/\/getgophish.com\/<\/a><\/span>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Gophish is vulnerable to stored self-XSS. In v0.10.1 Gophish introduced an impersonation button, which allows normal users to exploit administrative users.<\/p>\n

The new sending profile form\u2019s \u201cHost\u201c input field is vulnerable to XSS. The payload executes when sending a test email. The XSS gets stored when saving the profile. A rogue user could exploit an admin by asking him to impersonate him and test his broken sending profile.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The rogue user injects an XSS payload into a new Sending Profile (\/sending_profiles). By saving the Sending Profile, also the injected XSS payload gets stored. The rogue user then requests assistance from an admin user to check out his \u201dbroken\u201d sending profile.<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200048-1-300x135-1.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200048-1-300x135\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

The admin user impersonates the user that he wants to assist<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200048-2.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200048-2\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

The admin user edits the user\u2019s Sending Profile<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200048-3.png\" title_text=\"usd20200048-3\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

The admin user sends a test email<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200048-4.png\" title_text=\"usd20200048-4\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

The XSS payload executes in the admin user\u2019s browser<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200048-5.png\" title_text=\"usd20200048-5\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

\n
\n

Fix<\/h3>\n

It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters. For example, PHP has the built-in function htmlspecialchars().<\/span>
Additionally, all input should be validated on the server-side. Where possible, whitelist filters should be used. The more restrictive a filter can be specified, the better the protection it provides. Whitelisting is especially recommended if input values have a well defined format or a list of valid input values exists. Invalid values should not be sanitized and forwarded to the application. Instead, requests with invalid values should be rejected.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n