Description
What version of Gophish are you using?:
https://github.com/gophish/gophish/releases/download/v0.5.0/gophish-v0.5.0-linux-64bit.zip
Brief description of the issue:
It is possible to reset the API key for the application via CSRF due to the token not being checked. The only required header is the "gophish" cookie. I have seen other endpoints (such as register) successfully validate the CSRF and choke when no token or an incorrect token is provided; however, I suspect that this endpoint may not be the only one missing the check (it's just the only one I've found so far).
What are you expecting to see happen?:
Expecting to see CSRF validation fail and thus the whole request fail.
What are you seeing happen?
Seeing API key get reset successfully w/ no CSRF token.
Please provide any terminal output that may be relevant below:
Please provide as many steps as you can to reproduce the problem:
Use this curl command with a local gophish. You will have to swap out the "gophish" cookie with a valid cookie.

```shell
curl -i -s -k -X $'POST' \
-H $'Host: 127.0.0.1:3333' -H $'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://10.0.0.43:3333/settings' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 0' -H $'Cookie: gophish=MTUyMjE1MjM0NHxhUXZZcG5MaTlSRFk0TGgxQk9mbEVWUFh3aG9rT0hOd1RLTGNzbjQ5NnE5alBnUFZWTHJTOFlZTzF3aDY5T2ZBdnJmWWc3cmUzNk5XaTU0PXwJrBQ-NX5gbKypa3MIbnXwoMKBfPGwaTEXoqKNrjXkYQ==' -H $'DNT: 1' -H $'Connection: close' \
-b $'gophish=MTUyMjE1MjM0NHxhUXZZcG5MaTlSRFk0TGgxQk9mbEVWUFh3aG9rT0hOd1RLTGNzbjQ5NnE5alBnUFZWTHJTOFlZTzF3aDY5T2ZBdnJmWWc3cmUzNk5XaTU0PXwJrBQ-NX5gbKypa3MIbnXwoMKBfPGwaTEXoqKNrjXkYQ==' \
$'https://127.0.0.1:3333/api/reset'
```
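The check this report is asking for, as an added example that is neither Gophish's code nor the reporter's: a stdlib-only Go middleware that lets a state-changing request through only when it carries a CSRF token bound to the session cookie, plus a helper that replays the shape of the request above (cookie present, token optional). The `gophish` cookie name and the `/api/reset` path come from the report; the HMAC key, the session value and the `X-CSRF-Token` header name are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httptest"
)

var csrfKey = []byte("constructed-demo-key") // constructed; a real service generates this at startup

// tokenFor binds a CSRF token to one session cookie value with a server-keyed HMAC.
func tokenFor(sessionID string) string {
	m := hmac.New(sha256.New, csrfKey)
	m.Write([]byte(sessionID))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// csrfProtect passes safe methods through and rejects any other request unless X-CSRF-Token
// matches the token bound to the "gophish" cookie; the cookie alone never authorises a change.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie("gophish")
		if err != nil || !hmac.Equal([]byte(tokenFor(c.Value)), []byte(r.Header.Get("X-CSRF-Token"))) {
			http.Error(w, "missing or invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// postReset sends a request shaped like the reporter's to a stand-in /api/reset handler and returns the status.
func postReset(sessionID, token string) int {
	h := csrfProtect(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "api key rotated") }))
	req := httptest.NewRequest(http.MethodPost, "/api/reset", nil)
	req.AddCookie(&http.Cookie{Name: "gophish", Value: sessionID})
	req.Header.Set("X-CSRF-Token", token)
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	fmt.Println(postReset("s1", ""), postReset("s1", tokenFor("s1"))) // 403 200
}
```

A regression test for each POST/PUT/DELETE endpoint that asserts the cookie-only request is refused, as `postReset` does here, is what catches the other endpoints the reporter suspects are missing the check.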