{"id":16707,"date":"2021-07-08T13:19:03","date_gmt":"2021-07-08T11:19:03","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0054\/"},"modified":"2021-07-19T14:17:08","modified_gmt":"2021-07-19T12:17:08","slug":"usd-2020-0054","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0054\/","title":{"rendered":"usd-2020-0054"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

usd-2020-0054 | Gophish v0.10.1<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0054<\/span>
CVE Number<\/strong>: CVE-2020-24710<\/span>
Affected Product<\/strong>: Gophish<\/span>
Affected Version<\/strong>: v0.10.1<\/span>
Vulnerability Type<\/strong>: Stored Cross-Site Scripting<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: https:\/\/getgophish.com\/<\/a><\/span>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Several occurrences of server-side request forgery were found during the pentest. These could be used to perform port scans of the server that hosts Gophish. In the majority of cases the error message resulting from querying the local server, with localhost or a loopback address, discloses the banner of the tested service. And in one case, where the banner was not visible, long response times indicated that the port was available. The screenshot below illustrates a successful port scan of the local host.<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

URL: \/webhooks<\/code>
Comment: It is possible for a remote user to scan the open ports of the server that hosts the gophish admin application. Furthermore, the error messages reveals parts of the available service\u2019s banners. For example SSH\u2019s \u201cDebian-9\u201c.<\/p>\n

URL: \/sending_profiles<\/code>
Comment: It is possible for a remote user to scan the open ports of the server that hosts the gophish admin application. Open ports are disclosed by long response times after pressing the \u201cSend\u201c button of the \u201cSend Test Email\u201c feature.<\/p>\n

URL: \/landing_pages<\/code>
Comment: It is possible for a remote user to scan the open ports of the server that hosts the gophish admin application. Furthermore, the error messages reveals parts of the available service\u2019s banners. For example SSH\u2019s \u201cDebian-9\u201c.<\/p>\n

URL: \/settings<\/code>
Comment: It is possible for a remote user to scan the open ports of the server that hosts the gophish admin application. Furthermore, the error messages reveals parts of the available service\u2019s banners. For example SSH\u2019s \u201cSSH-2.0-OpenSSH_7.9p1 Debian-9\u201c.<\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200054.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200054\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

\n
\n

Fix<\/h3>\n

A whitelist approach is not a valid solution when a user can make the application send requests to any external IP address or domain name. Despite knowing that the blacklist approach is not an impenetrable wall, it is the best solution in this scenario since it would inform the application to not send any requests to the server\u2019s loopback addresses or to private IP address ranges.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n