Gophish 0.12.1 Denial of Service via Office Document Upload
Description
Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes Office documents as ZIP archives and calls ioutil.ReadAll() on each contained file entry without enforcing size restrictions on uncompressed content, allowing a zip bomb payload to expand to several gigabytes in memory and cause the process to be terminated by the operating system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches (1)
Vulnerability mechanics
Root cause
"The ApplyTemplate() function in models/attachment.go calls ioutil.ReadAll() on each ZIP entry without enforcing any size restriction on the uncompressed content. [ref_id=1]"
Attack vector
An authenticated attacker with the User role uploads a crafted Office document (.docx, .pptx, .xlsx) as an email template attachment. The file is a zip bomb — a small ZIP archive containing a single entry that decompresses to several gigabytes (e.g., 5 GB of null bytes). When the template is saved, GoPhish's `ApplyTemplate()` function in `models/attachment.go` opens the archive and calls `ioutil.ReadAll()` on each entry without checking the uncompressed size, causing the server to allocate memory for the full decompressed payload. This exhausts available system memory and the operating system terminates the GoPhish process, resulting in a complete denial of service [ref_id=1] [ref_id=2].
What the fix does
The advisory's guidance is to never read unbounded data from a user-controlled archive. Before a ZIP entry is processed, both its compressed and uncompressed sizes should be validated and the upload rejected if either exceeds a predefined limit (the advisory suggests 50 MB per entry). The fix replaces `ioutil.ReadAll()` with a read through an `io.LimitedReader` that caps the number of bytes consumed; when the cap is reached, the attachment is rejected with an error. Two caveats apply when implementing this. A `LimitedReader` by itself only truncates, so the limit must be set one byte above the maximum and a read that returns more than the maximum must be treated as the rejection condition, otherwise an oversized entry is silently accepted in truncated form. And the size fields in a ZIP header are attacker-controlled, so checking them is a cheap early reject rather than a substitute for capping the actual read. Tracking the cumulative extracted size and limiting the number of entries processed per archive provide defense in depth against multi-entry zip bombs [ref_id=1].
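The following is an added example, not code from Gophish or from the advisory. It places the vulnerable `ReadAll` pattern described under Attack vector beside the bounded read the fix describes, and adds the cumulative-size and entry-count checks. The limits, the function names (`readEntryUnbounded`, `readEntryBounded`, `scanArchive`, `buildArchive`, `firstEntry`) and the in-memory test archives are assumptions for the demo; the real `ApplyTemplate()` also runs the template engine over each entry, which is omitted here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Assumed limits for the demo; the advisory's example is 50 MB per entry.
const (
	maxEntryBytes = 1 << 20 // 1 MiB per entry
	maxTotalBytes = 4 << 20 // 4 MiB across the whole archive
	maxEntries    = 64
)

var (
	ErrEntryTooLarge   = errors.New("zip entry exceeds per-entry limit")
	ErrArchiveTooLarge = errors.New("archive exceeds cumulative size limit")
	ErrTooManyEntries  = errors.New("archive contains too many entries")
)

// readEntryUnbounded reproduces the vulnerable pattern: ReadAll on a zip
// entry with no cap, so a bomb entry is fully expanded into memory.
func readEntryUnbounded(f *zip.File) ([]byte, error) {
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	return io.ReadAll(rc)
}

// readEntryBounded is the hardened form. The declared size is used as a cheap
// early reject, but the header is attacker-controlled, so the actual read is
// capped too. A LimitReader only truncates, so it is given limit+1 bytes and
// any read returning more than limit proves the entry is oversized.
func readEntryBounded(f *zip.File, limit int64) ([]byte, error) {
	if f.UncompressedSize64 > uint64(limit) {
		return nil, ErrEntryTooLarge
	}
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	data, err := io.ReadAll(io.LimitReader(rc, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrEntryTooLarge
	}
	return data, nil
}

// scanArchive applies all three checks (per-entry cap, cumulative cap, entry
// count) to an in-memory archive and returns the bytes extracted so far.
func scanArchive(archive []byte, perEntry, total int64, maxFiles int) (int64, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	if len(zr.File) > maxFiles {
		return 0, ErrTooManyEntries
	}
	var extracted int64
	for _, f := range zr.File {
		data, err := readEntryBounded(f, perEntry)
		if err != nil {
			return extracted, fmt.Errorf("%s: %w", f.Name, err)
		}
		extracted += int64(len(data))
		if extracted > total {
			return extracted, ErrArchiveTooLarge
		}
	}
	return extracted, nil
}

// buildArchive is a constructed test input: each entry is n zero bytes,
// Deflate-compressed, so a multi-MiB entry costs only a few KiB on disk.
func buildArchive(entrySizes []int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for i, n := range entrySizes {
		w, err := zw.Create(fmt.Sprintf("word/document%d.xml", i))
		if err != nil {
			panic(err)
		}
		if _, err := w.Write(make([]byte, n)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// firstEntry returns the first entry of an in-memory archive.
func firstEntry(archive []byte) (*zip.File, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	if len(zr.File) == 0 {
		return nil, errors.New("empty archive")
	}
	return zr.File[0], nil
}

func main() {
	bomb := buildArchive([]int{2 << 20}) // one 2 MiB entry, above the 1 MiB cap
	fmt.Printf("bomb archive: %d bytes compressed\n", len(bomb))
	f, err := firstEntry(bomb)
	if err != nil {
		panic(err)
	}
	data, err := readEntryUnbounded(f)
	fmt.Printf("vulnerable read: %d bytes allocated, err=%v\n", len(data), err)
	_, err = readEntryBounded(f, maxEntryBytes)
	fmt.Printf("hardened read: err=%v\n", err)
	n, err := scanArchive(buildArchive([]int{1024, 2048}), maxEntryBytes, maxTotalBytes, maxEntries)
	fmt.Printf("benign archive: %d bytes extracted, err=%v\n", n, err)
}
```

Go's `archive/zip` itself returns an error when an entry yields more bytes than its header declares, which is why the early size check is effective here; the cap on the actual read is kept anyway, since it costs nothing and does not depend on that library behaviour.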
Preconditions
- auth: valid authenticated account with the User role
- auth: access to the Email Template Attachment Upload functionality
- input: ability to upload a crafted .docx/.pptx/.xlsx file
Reproduction
1. Create a zip bomb: generate a 5 GB file of null bytes, compress it into a ZIP archive, and rename the archive to `exploit.docx` (see the PoC Python script in [ref_id=1]).
2. Log in to the GoPhish administrative interface.
3. Navigate to **Email Templates** and create a new template.
4. Click **Add Files** and select the crafted `exploit.docx` file.
5. Save the email template.
6. Observe that memory consumption spikes to several gigabytes and the GoPhish process is terminated by the operating system.
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0): no linked articles in our index yet.