usd-2020-0054 | Gophish v0.10.1

Advisory ID: usd-2020-0054
CVE Number: CVE-2020-24710
Affected Product: Gophish
Affected Version: v0.10.1
Vulnerability Type: Stored Cross-Site Scripting
Security Risk: Medium
Vendor URL: https://getgophish.com/
Vendor Status: Fixed

Description

Several occurrences of server-side request forgery were found during the pentest. These could be used to perform port scans of the server that hosts Gophish. In the majority of cases the error message resulting from querying the local server, with localhost or a loopback address, discloses the banner of the tested service. And in one case, where the banner was not visible, long response times indicated that the port was available. The screenshot below illustrates a successful port scan of the local host.

Proof of Concept (PoC)

URL: /webhooks
Comment: It is possible for a remote user to scan the open ports of the server that hosts the gophish admin application. Furthermore, the error messages reveals parts of the available service’s banners. For example SSH’s “Debian-9“.

URL: /sending_profiles
Comment: It is possible for a remote user to scan the open ports of the server that hosts the gophish admin application. Open ports are disclosed by long response times after pressing the “Send“ button of the “Send Test Email“ feature.

URL: /landing_pages
Comment: It is possible for a remote user to scan the open ports of the server that hosts the gophish admin application. Furthermore, the error messages reveals parts of the available service’s banners. For example SSH’s “Debian-9“.

URL: /settings
Comment: It is possible for a remote user to scan the open ports of the server that hosts the gophish admin application. Furthermore, the error messages reveals parts of the available service’s banners. For example SSH’s “SSH-2.0-OpenSSH_7.9p1 Debian-9“.