Gophish just got better.

We're excited to announce the release of Gophish v0.12.1. This is a minor release that includes a couple of bug fixes and one great new feature.

Added Trusted Origins to CSRF Handler

We've added the ability to set trusted_origins in the config.json file. This allows you to add addresses that you expect incoming connections to come from, which is helpful in cases where TLS termination is handled by a load balancer upstream, rather than the application itself. This has been a long discussed and requested feature so it's great to have! Thanks to @mcab and everyone else in this thread.

Updated Workflows

Our Continuous Integration workflow has been updated and is succeeding again. We've also updated the Release workflow, mitigating some security concerns and adapting it be able to build Windows releases again. These are (hopefully!) at the bottom of this post.

Minor fixes

Some JavaScript files hadn't been minified properly, causing problems with adding customer headers. A small bug was fixed where copying a campaign would not show [Deleted] in an edge case - see #2482. Thanks @29vivek.

Changelog

You can find the full changelog for this release here.

How to Upgrade

To upgrade, download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new Gophish binary and you'll be good to go!

Now, one more thing:

We want to hear from you!

Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.

Enjoy

Gophish just got better.

We're excited to announce the release of Gophish v0.12.0. This release includes important security fixes, adds some features, and fixes some bugs.

Attachment Tracking

This has been a long time requested feature, and we're super excited to release it! We've added the ability to add gophish variables to a number of file types which can be attached to emails. As a trivial example it is possible to include Hello {{.FirstName}}, please click here: {{.URL}} to a Word document, or with a little more effort add tracking pixels to documents. This will allow notification of when users have opened attached files, or enabled macros in Office documents. We currently support the following file extensions: docx, docm, pptx, xlsx, xlsm, txt, html, ics. Please see the documentation for more guidance and examples.

Inline Image Attachments #1525

Images in emails are now marked as embedded rather than attached, so email clients don't show them as attachments. This is a great addition to improve the quality of campaigns. Thanks @dzsibi

Custom Sender Envelopes #2334

We've added the ability to specify an envelope sender in templates. If left empty, it will fallback to the SMTP-From in the Sender-settings. This can be used to pass SPF-checks but still send a spoofing email. Thanks @ChessSpider and @ptitdoc

Added functionality to lock accounts #2060

Added minor functionality to display last login time for each user in the User Management page and the ability to lock user accounts.

Open Redirect #2262

Fixed a minor Open Redirect issue. Thanks @Kirill89

Changelog

You can find the full changelog for this release here.

How to Upgrade

To upgrade, download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new Gophish binary and you'll be good to go!

Now, one more thing:

We want to hear from you!

Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.

Enjoy

Gophish just got better.

We're excited to announce the release of Gophish v0.11.0. This release includes important security fixes, adds some minor features, and fixes some bugs.

Security Fixes

This release addresses multiple security issues that were identified and reported by the community. As always, we encourage sending in security reports via our security policy, and are appreciative of all the work that went in to finding and reporting these vulnerabilities.

The following vulnerabilities were fixed in this latest release:

Server-side Request Forgery (SSRF)

Reported by: Marcus Nilsson of usd AG
Reported by: @dunderhay in #1908

An authenticated user could use certain features of Gophish to make inbound connections to the local network. The most critical of these is via the Landing Page import feature, which could be used to make arbitrary upstream web requests.

Since importing local webpages, or otherwise making local network connections (e.g. for SMTP/IMAP servers, webhook URLs, etc.) is an expected use case for Gophish we've decided to implement an opt-in allowlist. By default, we block access only to known IP addresses commonly associated with cloud metadata services, but it is now possible to explicitly set the allowed_internal_hosts configuration variable in the admin_server section of config.json to a list of allowed internal addresses.

More information can be found here.

Cross-Site Scripting (XSS)

Reported By: Marcus Nilsson of usd AG
Reported By: @dunderhay in #1901

Various cross-site scripting issues were identified and fixed. All issues required authenticated access and only affected either the user that created the objects, or an administrator using our "Impersonate" issue to impersonate the user that created the objects.

More information can be found in 4e9b94b and 19ef924.

CSV Injection

Reported By: Marcus Nilsson of usd AG

Malicious data could be submitted during a campaign that, when exported as a CSV and opened in a spreadsheet viewer, is interpreted as a formula leading to command execution.

More information on CSV Injection can be found here. More information about the fix can be found in b25f5ac.

Clickjacking

Reported By: Marcus Nilsson of usd AG

An attacker could create an iframe which tricks an authenticated administrator into unexpectedly clicking the "Reset" button in the settings page, causing their API key to be reset, potentially causing a denial of service condition.

More information about the fix can be found in 6df62e8.

Adding a Password Policy

This release adds a basic password policy for administrators, and removes the default password "gophish". Instead, an initial password is randomly generated and printed in the terminal when Gophish is launched for the first time.

It is possible to override the initial password and API key with environment variables if needed.

More Robust IMAP Support

This release adds the ability to mark emails as reported that were sent as an attachment. Additionally, it changes the underlying IMAP library to be more robust, eliminating some possible bugs.

Credit to @glennzw for the changes!

Changelog

You can find the full changelog for this release here.

How to Upgrade

To upgrade, download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new Gophish binary and you'll be good to go!

Now, one more thing:

We want to hear from you!

Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.

Enjoy

Gophish Just Got Better.

We're excited to announce v0.10.1. This release significantly improves the performance of sending emails, adds some features and fixes bugs.

Here's just a couple of the exciting changes.

Faster Email Sending

Thanks to the detailed report from @edermi in #1726, we were able to dramatically increase the speed at which we send emails- especially for large campaigns.

Impersonation

Administrators often have a need to help troubleshoot issues other users are seeing with Gophish. To make this easier, @glennzw added an impersonation feature in #1812 that allows system administrators to login to a user's account. This is available from the User Management page.

More Frequent Releases

We've also changed our release process to use GitHub Actions. The bad news is that this means we won't be supporting 32-bit Mac or Windows releases at this time (we do support 64-bit releases!). The good news is that this will enable us to do much more frequent Gophish releases, getting awesome features and bugfixes out to the community even quicker.

With this in mind, please do let us know if you run into any issues with the releases below!

Changelog

You can find the full changelog for this release here.

How to Upgrade

To upgrade, download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new gophish binary and you'll be good to go!

Now, one more thing:

We want to hear from you!

Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.

Enjoy

Gophish Just Got Better.

We're excited to announce v0.9.0. This release adds big features, improves performance, and fixes bugs.

Here's just a couple of the exciting changes.

Webhooks

Ever since Gophish was launched, we've had the ability to fetch campaign results via the API. But sometimes, you may want to have campaign updates pushed directly to you as they happen.

To solve this problem, we've added support for webhooks.

When you configure a webhook, Gophish will make (optionally signed) HTTP requests to an endpoint you control. These requests include the JSON body of the event that just happened- the exact same JSON that you would normally receive via the API. This gives you real-time updates to your campaign as they happen.

You can find more information about using webhooks in our documentation.

Webhook support was sponsored by Al Lowenstein and implemented by @GildedHonour in #1642. Thank you both for all your help making this happen!

IMAP Support

I always encourage folks using Gophish to focus not only on minimizing the click through rates, but even more so on increasing the reporting rate. To that end, many companies have an email address they encourage employees to send any potential phishing emails.

I've often got feedback that it'd be great if Gophish emails sent to that email address would automatically show as "reported" in the campaign results. Now that's possible!

Thanks to the great work from @glennzw, you can now configure IMAP details which Gophish will use to fetch any campaign emails, marking them as reported. Thank you for all your amazing work @glennzw!

You can find more information about configuring reporting via IMAP in our documentation.

Thank You

While there are amazing performance improvements and bug fixes included in this release, you'll notice something about the two big features listed above- neither were built by me (@jordan-wright).

This is incredibly exciting. I've long held that the community around Gophish is my favorite thing about the entire project. We have a group of folks contributing to issues, offering advice and feature requests and, with this release, contributing core features that make Gophish even better.

Thank you all for everything you do. We have big things planned for Gophish, and I'm excited to build them alongside you all.

How to Upgrade

To upgrade, download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new gophish binary and you'll be good to go!

Now, one more thing:

We want to hear from you!

Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.

Enjoy

Gophish Just Got Better.

tl;dr - New version of Gophish. Lots of improvements. Binaries can be found above. 😄

We're excited to announce v0.8.0. This release fixes a bunch of bugs, adds a few features, and lays the groundwork for really cool features to come.

RBAC Support

This release includes initial support for Role-Based Access Control (RBAC). Specifically, it introduces global roles that separates admins from non-admins. You can find more information here.

Users API

Users with the admin role have access to the user management API. This API allows you to create and manage users programmatically. You can find documentation for this API here.

Added Docker Support

We've added a Dockerfile so that you can build Gophish in a container. We'll be uploading an official Docker image at gophish/gophish shortly.

Code Refactoring

While this isn't a user-facing change, it's a big one. We've refactored a bunch of the code to be cleaner and more structured. This will help new developers coming into Gophish to get up and running more quickly.

Those are the big changes, but that's certainly not everything! You can find a full changelog here.

How to Upgrade

To upgrade, simply download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new gophish binary and you'll be good to go!

Thank You

I want to also take a quick moment to say thank you to everyone. The community is what makes Gophish great. I'm so thankful to everyone who leaves questions, suggests features, and goes the extra mile to help others out.

Thank you all for everything you do!

Now, one more thing:

We want to hear from you!

Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.

Enjoy!

Note: The VERSION file for these releases still says 0.7.1. This was an oversight during the release process. After upgrading, even if you see 0.7.1, you're certainly running the 0.8.0 codebase. I apologize for the inconvenience!

Whoops!

In the previous version, we introduced the {{.BaseURL}} template variable that points to the root URL. This helps make things like pointing to static files easier. See #1189 for more details.

Turns out, this didn't work for email template validation, since we weren't checking for all possible template tags. I'm sorry for the inconvenience!

Should Be Fixed Now 😄

The good news is that this is fixed now, and should have only been an issue if you were trying to use the new {{.BaseURL}} tag. Since this was something I promised and it didn't work, I wanted to roll out a hotfix.

For all the full details in the latest release, check out the 0.7.0 release notes.

Enjoy!

Gophish Just Got Better.

tl;dr - New version of Gophish. Lots of improvements. Binaries can be found above. 😄

We're excited to announce v0.7.0. This release is packed with improvements that make Gophish more powerful than ever.

Campaign Preview

When setting up a campaign, you want to know what the email and landing page looks like. Previously, to do this you would have to set up a separate campaign just for yourself, since there was no way of testing the full flow.

This isn't good.

In this Gophish release, we've fixed this! Now, when sending a test email from the campaign builder, clicking on the links will load up the landing page, showing you exactly what your recipients would see.

Timed Campaigns

Before this release, emails for a Gophish campaign were all sent at the same time. This is great in some cases, but sometimes you want to spread out the emails over a period of minutes, hours, or even days.

Now you can!

In this release, we've added a new field called "Send Emails By". If you set this field, then Gophish will spread out the emails evenly between the campaign launch and this date.

Device Details

No one likes looking through raw logs to see what kinds of devices are clicking on links. Now you don't have to!

In this release, we parse the user-agents for devices that click links or submit credentials, and we show that information in the campaign details:

Transparency

As mentioned in #1057, we can do a better job of running friendly phishing simulations. The only approved use of Gophish is to run authorized phishing simulations, so we've added some features to make these campaigns more transparent.

Specifically, we've added:

• A contact_address field to the config.json. This field is inserted as an X-Gophish-Contact header in outgoing emails
• An X-Mailer header is set to gophish for outgoing emails
• We've added a transparency handler if you add a "+" to a valid rid. This returns a JSON response containing the contact address and indicates that the email was generated by Gophish

Those are the big features, but that's certainly not everything! You can find a full changelog here.

How to Upgrade

To upgrade, simply download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new gophish binary and you'll be good to go!

Thank You

I want to also take a quick moment to say thank you to everyone. The community is what makes Gophish great. I'm so thankful to everyone who leaves questions, suggests features, and goes the extra mile to help others out.

Thank you all for everything you do!

Now, one more thing:

We want to hear from you!

Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.

Enjoy!

Old hashes (only valid if you downloaded the release immediately after it was published before I got a chance to bump the VERSION file):

Gophish Just Got Better.

tl;dr - New version of Gophish. Lots of improvements. Binaries can be found above. 😄

We're excited to announce v0.6.0 of Gophish! This fix has a bunch of bug fixes (including a couple of low-severity security fixes) and a couple of new features.

Email Reporting

The biggest new feature in this release is the ability for users to report phishing emails to Gophish and to have those reports displayed in the dashboard. We don't have email clients ready for this quite yet, so everything is just implemented on the server-side for now.

Huge thanks to @S0larflare for making this happen!

Bugs Fixed

Here are just a few of the bugs fixed in this release:

• All API endpoints now require an API key. Previously, the /api/reset endpoint required a valid session, but this has been changed for consistency. (#1028)
• We've made some improvements to the way our mailer handles errors (#963)
• Fixed the way the initial admin account is created to avoid throwing errors when using MySQL (#948)

And more!

How to Upgrade

To upgrade, simply download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new gophish binary and you'll be good to go!

Thank You

I want to also take a quick moment to say thank you to everyone. The community is what makes Gophish great. I'm so thankful to everyone who leaves questions, suggests features, and goes the extra mile to help others out.

Thank you all for everything you do!

Now, one more thing:

We want to hear from you!

Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.

Enjoy!