Ech0 User Enumeration and Data Exposure Vulnerability

Vulnerability

A vulnerability in Ech0, an open-source publishing platform, allows for remote, unauthenticated user enumeration and exposure of user profile metadata. This issue is present in versions prior to 4.2.0, where the 'GET /api/allusers' endpoint is publicly accessible without authentication. The vulnerability arises from an access control bypass, enabling unauthorized access to user data. The flaw can be exploited by calling the public user-list endpoint, which responds with a list of user profiles, including sensitive information such as usernames and email addresses.

Impact

The vulnerability bypasses access controls, leading to unauthorized exposure of user data. This allows for account reconnaissance and could facilitate targeted credential attacks.

Reproduction

To reproduce this vulnerability, send a request to the '/api/allusers' endpoint without authentication. The response will include a list of user profiles and their metadata. In contrast, a request to the '/api/user' endpoint, which requires authentication, will return a '401 Unauthorized' status.
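The contrast described above, modelled as an added Go example that is not Ech0's code and assumes nothing about its real stack: a minimal net/http router where the "before" wiring exposes the user list anonymously while the fixed wiring routes it through the same authentication check that already guards '/api/user'. The bearer-token check, user records and route names other than the two on this page are constructed placeholders.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"net/http"
	"strings"
)

// Constructed sample records; not Ech0's real data model.
type User struct {
	Username string `json:"username"`
	Email    string `json:"email"`
}

var users = []User{{"alice", "alice@example.com"}, {"bob", "bob@example.com"}}

// requireAuth rejects requests that do not carry a valid bearer token.
// The static token is a placeholder for a real session or JWT check.
func requireAuth(validToken string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if tok == "" || subtle.ConstantTimeCompare([]byte(tok), []byte(validToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// listUsers returns the profile metadata the advisory says was exposed.
func listUsers(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(users)
}

// NewMux wires the routes. fixed=false registers /api/allusers with no
// middleware (the vulnerable state); fixed=true guards it like /api/user.
func NewMux(validToken string, fixed bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/user", requireAuth(validToken, listUsers))
	if fixed {
		mux.HandleFunc("/api/allusers", requireAuth(validToken, listUsers))
	} else {
		mux.HandleFunc("/api/allusers", listUsers)
	}
	return mux
}

func main() { http.ListenAndServe(":8080", NewMux("placeholder-token", true)) }
```

A regression test that asserts an anonymous GET to the list endpoint returns 401 is the simplest way to keep this class of route-registration mistake from coming back.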

Remediation

Upgrade to Ech0 version 4.2.0 or later, where this vulnerability has been patched.

Added: Mar 26, 2026, 10:01 PM
Updated: Mar 26, 2026, 10:01 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.