usd-2020-0050 | Gophish v0.10.1
Advisory ID: usd-2020-0050
CVE Number: CVE-2020-24712
Affected Product: Gophish
Affected Version: v0.10.1
Vulnerability Type: non-persistent self Cross-Site Scripting
Security Risk: Low
Vendor URL: https://getgophish.com/
Vendor Status: Fixed
Description
The “IMAP Host” input field is vulnerable to self-XSS when combined with pressing the “Test Settings” button. During the pentest, however, it was not possible to save an XSS payload via the “Reporting Settings”.
Proof of Concept (PoC)
Visit /settings and enter an XSS payload as “IMAP Host”.
![usd20200050-1](https://herolab.usd.de/wp-content/uploads/sites/9/2021/07/usd20200050-1.png)
Press “Test Settings” and observe that the JavaScript is executed.
![usd20200050-2](https://herolab.usd.de/wp-content/uploads/sites/9/2021/07/usd20200050-2-1.png)
Fix
It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters. For example, PHP has the built-in function htmlspecialchars().
Additionally, all input should be validated on the server side. Where possible, whitelist filters should be used: the more restrictively a filter can be specified, the better the protection it provides. Whitelisting is especially recommended if input values have a well-defined format or a list of valid input values exists. Invalid values should not be sanitized and forwarded to the application. Instead, requests with invalid values should be rejected.
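The two measures above, as an added JavaScript example that is not Gophish's own code or its actual fix: a whitelist validator for the IMAP host value (to be run on the server side, and optionally mirrored in the browser) and an HTML encoder applied where the value is reflected into the "Test Settings" status markup. Function names, the status markup and the sample payload are assumptions made for illustration.

```javascript
// Added example (not Gophish's own code): whitelist validation of the IMAP host
// and context-aware HTML encoding before the value is reflected in a status message.

const HOST_LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?";
// RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
// An IPv4 literal also matches; bracketed IPv6 literals are deliberately not accepted.
const HOSTNAME_RE = new RegExp(`^(?:${HOST_LABEL}\\.)*${HOST_LABEL}$`);

// Whitelist filter: accept "host" or "host:port" only. Anything that does not match
// the well-defined format is rejected outright rather than sanitized.
function validateImapHost(raw) {
  const value = String(raw).trim();
  let host = value;
  let port = null;
  const idx = value.lastIndexOf(":");
  if (idx !== -1) {
    host = value.slice(0, idx);
    port = value.slice(idx + 1);
  }
  if (host.length === 0 || host.length > 253 || !HOSTNAME_RE.test(host)) {
    return { ok: false, error: "IMAP host must be a valid hostname" };
  }
  if (port !== null) {
    if (!/^\d{1,5}$/.test(port) || Number(port) < 1 || Number(port) > 65535) {
      return { ok: false, error: "IMAP port must be between 1 and 65535" };
    }
  }
  return { ok: true, host, port: port === null ? null : Number(port) };
}

// Output encoding for the HTML text context (the JavaScript counterpart of PHP's
// htmlspecialchars): the five HTML metacharacters become entities.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak variant: the status markup is built by concatenating the raw user value,
// so a payload entered as IMAP host lands in the page as markup.
function renderTestResultUnsafe(host, connected) {
  return `<div class="alert">Connection to ${host}: ${connected ? "OK" : "failed"}</div>`;
}

// Hardened variant: the user-controlled value is encoded for the context it lands in.
function renderTestResultSafe(host, connected) {
  return `<div class="alert">Connection to ${escapeHtml(host)}: ${connected ? "OK" : "failed"}</div>`;
}
```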
Timeline
- 2020-06-18 First contact request via security@getgophish.com
- 2020-06-22 Vendor responds to initial contact
- 2020-07-18 Vendor fixes vulnerability https://github.com/gophish/gophish/commit/4e9b94b641755f359542b246cc0c555fa3bc6715
- 2020-09-29 Security advisory released
Credits
This security vulnerability was found by Marcus Nilsson of usd AG.