Ech0 Unauthenticated Server-Side Request Forgery Vulnerability in Link Preview Feature

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Ech0, an open-source publishing platform, in all versions prior to 4.2.8. The issue arises in the link preview feature, where the application fetches page titles via an unauthenticated API endpoint. This implementation allows attackers to send fully controlled URLs, which the server then retrieves and processes without any validation or security checks. The outbound HTTP client is configured to skip TLS verification, potentially exposing internal services to unauthorized access. Exploitation of this vulnerability could lead to unauthorized server-side requests to internal or reserved network targets, with the possibility of causing a denial-of-service by reading large response bodies into memory.

Impact

Exploitation allows for unauthorized server-side requests to be made to internal or reserved network targets, bypassing usual access controls. This could be used to access sensitive information or services not intended to be exposed. The vulnerability also includes a denial-of-service vector by causing the server to read large amounts of data into memory.

Reproduction

The vulnerability can be reproduced by sending a request to the '/api/website/title' endpoint with a URL of choice. The server will respond with the fetched page title, demonstrating that it has successfully made an outbound request without authentication. To exploit the SSRF vulnerability, a crafted URL can be used to access internal resources, such as the Docker host via 'host.docker.internal'.

Remediation

Users are advised to update to Ech0 version 4.2.8 or later. Additionally, implement an SSRF-safe URL policy that allows only the necessary schemes and hosts and blocks link-local, metadata, and loopback addresses unless explicitly required. Remove 'InsecureSkipVerify' so that TLS certificates are verified, limit the number of HTTP redirects followed, and add response size and timeout limits.
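The policy described above, as an added Go example that is not Ech0's own code: a scheme allow-list, address blocking applied to every resolved address, and a client that keeps TLS verification, caps redirects and times out. The function names, the 3-redirect and 10-second limits are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// Loopback, link-local (incl. the 169.254.169.254 metadata range), private, multicast and unspecified addresses are never preview targets.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsPrivate() || ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateTargetURL allows only http/https and rejects any target whose address is
// blocked. The resolver is injectable (net.LookupIP in production) so it can be tested offline.
func ValidateTargetURL(raw string, resolve func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return nil, fmt.Errorf("rejected %q: scheme or host not allowed", raw)
	}
	ips, err := resolve(u.Hostname()) // net.LookupIP returns an IP literal as-is, no DNS
	if err != nil {
		return nil, err
	}
	for _, ip := range ips { // every answer must be allowed, not just the first
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("rejected %q: resolves to blocked address %s", raw, ip)
		}
	}
	return u, nil
}

// NewPreviewClient keeps TLS verification on (no InsecureSkipVerify), follows at most 3 redirects
// (each re-validated) and times out the whole request; wrap resp.Body in io.LimitReader before reading.
func NewPreviewClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			_, err := ValidateTargetURL(req.URL.String(), net.LookupIP)
			return err
		},
	}
}
```

Validation before the first request and again in CheckRedirect is still open to a name that changes its answer between the check and the dial; for that, the same check belongs in the transport's DialContext.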

Added: Apr 6, 2026, 5:29 PM
Updated: Apr 6, 2026, 5:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.