Releases: GhostManager/Ghostwriter

Ghostwriter v4.0.0-rc3

15 Sep 15:53
f6a2ab5
Pre-release

Summary

This release candidate includes all the changes from v4.0.0-rc2 with clean-up, bug fixes, and adjustments following feedback. This release also includes a new feature, support for adding project-specific points of contact.

CHANGELOG

[4.0.0-rc3] - 15 September 2023

Added

  • Added a "People" tab to the project dashboard that shows the project's assignments and client contacts
  • Added configuration options for managing browser sessions
    • SESSION_COOKIE_AGE sets the number of seconds a session cookie will last before expiring
    • SESSION_EXPIRE_AT_BROWSER_CLOSE sets whether the session cookie will expire when the browser is closed
    • SESSION_SAVE_EVERY_REQUEST sets whether the session cookie will be saved on every request
  • Added support for two-factor authentication using TOTP
  • Added support for adding contacts to projects
    • Supports creating project-specific contacts and adding contacts from the client
    • Project contacts appear under the new contacts key in the report data
    • A project contact can be flagged as the primary contact, marking that contact as the report recipient
    • The primary contact appears under the new recipient key in the report data
  • Added autocomplete options to filter forms for the finding, domain, and server libraries
  • Added an option to copy an activity log entry to your clipboard as JSON for easier sharing

Changed

  • Separated the project form into two forms: one for the project details and assignments and one for project components (e.g., white cards, objectives)
    • This allows accounts with the user role to edit project components without permission to edit the project or its assignments
  • Moved project assignments to the new "People" tab on the project dashboard
  • Hid menus and buttons for features that are not available to the current user
  • Access to the admin console is now routed through the main login form to require 2FA (if enabled for the user)
  • The CVSS Vector and "added as blank" fields on report findings are now optional as they were meant to be

Fixed

  • Fixed an issue that would prevent new projects from saving properly

Removed

  • Removed the unused restricted account role
    • This is a clean-up for the release candidate; the restricted role was experimental and never implemented in the access controls
  • Removed the user role's privileges to create, edit, and delete project assignments and client contacts to better adhere to the role's intended permissions
  • Removed permissions for updating report templates via the GraphQL API
    • This option will return in a future release when it is possible to upload a template file via the API

Ghostwriter v3.2.11

06 Sep 00:34
5ad0c05

Summary

This release resolves some minor issues identified by the community.

CHANGELOG

[3.2.11] - 5 September 2023

Added

  • Added CVSS and tags to the finding rows in the Excel workbook report (xlsx)

Fixed

  • Fixed the project_type keyword not working in report generation

Ghostwriter v4.0.0-rc2

21 Aug 21:14
07286b1
Pre-release

Summary

This release candidate includes all the changes from v4.0.0-rc1 with clean-up, bug fixes, and adjustments following feedback. This release also includes a major new feature, support for 2FA.

CHANGELOG

[4.0.0-rc2] - 21 August 2023

Added

  • Added a "People" tab to the project dashboard that shows the project's assignments and client contacts
  • Added configuration options for managing browser sessions
    • SESSION_COOKIE_AGE sets the number of seconds a session cookie will last before expiring
    • SESSION_EXPIRE_AT_BROWSER_CLOSE sets whether the session cookie will expire when the browser is closed
    • SESSION_SAVE_EVERY_REQUEST sets whether the session cookie will be saved on every request
  • Added support for two-factor authentication using TOTP

Changed

  • Separated the project form into two forms: one for the project details and assignments and one for project components (e.g., white cards, objectives)
    • This allows accounts with the user role to edit project components without permission to edit the project or its assignments
  • Moved project assignments to the new "People" tab on the project dashboard
  • Hid menus and buttons for features that are not available to the current user
  • Access to the admin console is now routed through the main login form to require 2FA (if enabled for the user)

Fixed

  • Fixed an issue that would prevent new projects from saving properly

Removed

  • Removed the unused restricted account role
    • This is a clean-up for the release candidate; the restricted role was experimental and never implemented in the access controls
  • Removed the user role's privileges to create, edit, and delete project assignments and client contacts to better adhere to the role's intended permissions
  • Removed permissions for updating report templates via the GraphQL API
    • This option will return in a future release when it is possible to upload a template file via the API

Ghostwriter v3.2.10

13 Jul 23:09
b9eae44

Summary

This release resolves a potential issue with domain libraries synced with Namecheap.

CHANGELOG

[3.2.10] - 13 July 2023

Fixed

  • Adjusted logic for marking a domain as expired when syncing with Namecheap
    • A domain marked as auto-renewable can expire, so Ghostwriter will now also mark a domain as expired and disable auto-renew if the API response has AutoRenew and IsExpired both set to true

Ghostwriter v4.0.0-rc1

02 Aug 20:40
b055d8d
Pre-release

Summary

This is the first release candidate for Ghostwriter v4.0.0. The most substantial change is the application of Role-Based Access Controls to the user interface. This version has been stable for 30 days and is ready for testing and feedback.

CHANGELOG

[4.0.0-beta] - 30 June 2023

Added

  • Added the option for admins to control who can create, edit, and delete findings in the global library
    • Admins can control each of these permissions separately via the admin panel

Changed

  • Applied the authorization model to the user interface for role-based access control
  • Changed the activity log import to make it possible to select the log to update
    • The oplog_id header is no longer required in the csv and will be ignored
  • Refined the domain and server view pages to match the user interface and experience of the project dashboard
  • Updated the Hasura GraphQL Engine to v2.28.0

Removed

  • Removed the legacy REST API endpoints for activity logs
    • The GraphQL API has been the primary API for activity logs since v3.0.0
    • Legacy API keys will no longer work for activity logs
    • The current release of the cobalt_sync project will not work with Ghostwriter v4.0.0-beta (look for cobalt_sync v2.0 to be released later this year)

Security

  • Increased the versions of several dependencies to address security vulnerabilities in these packages

Ghostwriter v3.2.9

13 Jun 22:28
195530a

Summary

This release includes quality-of-life enhancements and closes a potential security issue with the Excel reports.

CHANGELOG

[3.2.9] - 13 June 2023

Added

  • Added CVSS and tags to the finding rows in the Excel workbook report (xlsx)

Changed

  • Added a linter error message to offer suggestions for the often confusing "expected token 'end of print statement', got 'such'" Jinja2 syntax error

Fixed

  • The linter will now recognize the id value on findings as valid

Security

  • Added checks to escape potential formulas in Excel workbooks

Ghostwriter v3.2.8

24 May 17:55
fc7bc0d

Summary

This release fixes some minor bugs and includes some quality-of-life improvements.

CHANGELOG

[3.2.8] - 24 May 2023

Added

  • Added a popover tooltip to the dashboard calendar's events to show the full title and additional details about the event
  • Added a get_item filter for use in report templates that allows you to retrieve a single item from a list of items
  • Added the Sugar parser to the JavaScript to improve international date parsing

Changed

  • Assignments displayed in the calendar and on the dashboard now show the project role for the assignment (Closes #311)
  • The server will now allow domains with expiration dates in the past to be checked out if auto-renew is enabled
  • Updated the pre-built Ghostwriter CLI binaries to v0.2.13

Fixed

  • Fixed an issue with the domain expiration dates sorting as integers
  • Fixed an issue that could prevent releasing a domain if the domain's registrar was empty

Ghostwriter v3.2.7

01 May 18:07
526d7c2

Summary

This release resolves an issue with the sidebar search fields and includes some quality-of-life changes and additions.

CHANGELOG

[v3.2.7] - 1 May 2023

Added

  • Added support for exporting and importing tags for the current import/export models (log entries, domains, servers, and findings)
  • Added a case change formatting option to the WYSIWYG editor

Changed

  • The legacy REST API key notification for new activity logs now displays the log's ID to be used with the API and extensions like mythic_sync and cobalt_sync
  • When creating a new activity log from the project dashboard, that project will now be automatically selected for the new log

Fixed

  • Fixed sidebar search boxes not working as intended following changes in v3.2.3 (Closes #294)

Ghostwriter v3.2.6

11 Apr 00:12
251e063

Summary

This release fixes a bug affecting evidence uploads introduced in v3.2.3.

CHANGELOG

[v3.2.6] - 10 April 2023

Changed

  • Changed the project assignments list on the home dashboard to show the assignment's start and end dates instead of the project's start and end dates (Closes #302)

Fixed

  • Fixed an issue that would cause a server error when uploading or editing an evidence file to a blank finding (Fixes #303)

Ghostwriter v3.2.5

31 Mar 23:35
abe4f12

Summary

This small patch addresses an issue with editing timestamps in activity log entries and adds the option to insert a report's title into the download filename.

CHANGELOG

[v3.2.5] - 31 March 2023

Added

  • A report's title can now be added to the report download filename template as a new title variable

Changed

  • The global report configuration can now be reviewed on the management page (/home/management/)

Fixed

  • Fixed an issue that prevented saving an edited activity log entry when editing a timestamp's seconds value