Ech0 Unauthenticated Server-Side Request Forgery Vulnerability Allowing Access to Internal Services and Cloud Metadata

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Ech0, an open-source publishing platform, in versions prior to 4.2.8. The vulnerability exists in the GET /api/website/title endpoint, which accepts an arbitrary URL through the website_url query parameter. The endpoint makes an HTTP request to the supplied URL without validating the target host or IP address, and it requires no authentication. As a result, an unauthenticated attacker can reach internal network services, cloud metadata endpoints (such as the AWS instance metadata service), and services bound to localhost. Because the endpoint returns the extracted HTML title tag, part of each response can also be exfiltrated.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services and cloud metadata, allowing for reconnaissance of internal networks and potential theft of sensitive data, such as cloud credentials.

Reproduction

The vulnerability can be reproduced by sending a GET request to the /api/website/title endpoint with an arbitrary URL that points to an internal service or cloud metadata endpoint. The response will include the extracted title from the HTML, confirming successful exploitation.

Remediation

Users are advised to update to Ech0 version 4.2.8 or later, and to implement URL validation in the GetWebsiteTitle function to block requests to private or reserved IP ranges.
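A hardened version of the URL-validation step described above, written as an added example for this advisory and not taken from Ech0's own code. It assumes a Go backend (as the function name GetWebsiteTitle suggests) and uses hypothetical names (isDisallowedAddr, ValidateWebsiteURL, SafeDialControl, NewSafeClient). It goes beyond a static list of private ranges: IPv4-mapped IPv6 literals are unwrapped, 0.0.0.0/8 and the shared address space 100.64.0.0/10 are included, and the decisive check is repeated at dial time through net.Dialer.Control, so a hostname that passes validation cannot later resolve (DNS rebinding) or redirect to a blocked address.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"os"
	"strings"
	"syscall"
	"time"
)

// Extra ranges a server-side fetcher should refuse: 0.0.0.0/8 reaches the local
// host on Linux, and 100.64.0.0/10 (shared address space) hosts some cloud metadata services.
var extraBlocked = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("100.64.0.0/10"),
}

// isDisallowedAddr reports whether a fetcher acting on user-supplied URLs must
// refuse this address: loopback, private (RFC 1918, fc00::/7), link-local (which
// contains 169.254.169.254), unspecified, multicast, or extraBlocked. Unmap folds
// ::ffff:10.0.0.1 to 10.0.0.1 so IPv4-mapped IPv6 literals cannot bypass IPv4 rules.
func isDisallowedAddr(a netip.Addr) bool {
	a = a.Unmap()
	if a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() ||
		a.IsMulticast() || a.IsUnspecified() {
		return true
	}
	for _, p := range extraBlocked {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ValidateWebsiteURL does the checks possible before any network activity:
// http/https only, a host must be present, and an IP literal must not be blocked.
// Hostnames are deliberately not resolved here; SafeDialControl decides at dial time.
func ValidateWebsiteURL(raw string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("missing host")
	}
	if a, err := netip.ParseAddr(host); err == nil && isDisallowedAddr(a) {
		return nil, fmt.Errorf("address %s is in a blocked range", a)
	}
	return u, nil
}

// SafeDialControl is installed as net.Dialer.Control. The dialer calls it after
// DNS resolution and before connect(), with the concrete IP:port, so the check
// covers every redirect hop and a DNS answer that changes after validation.
func SafeDialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	a, err := netip.ParseAddr(host)
	if err != nil {
		return fmt.Errorf("refusing non-IP dial target %q", host)
	}
	if isDisallowedAddr(a) {
		return fmt.Errorf("refusing to connect to %s: blocked range", a)
	}
	return nil
}

// NewSafeClient builds an http.Client whose every connection runs through
// SafeDialControl. Proxy is nil so an environment proxy cannot route around it.
func NewSafeClient(timeout time.Duration) *http.Client {
	d := &net.Dialer{Timeout: timeout, Control: SafeDialControl}
	return &http.Client{
		Timeout:   timeout,
		Transport: &http.Transport{DialContext: d.DialContext, Proxy: nil},
	}
}

// main validates each URL given on the command line without sending a request.
func main() {
	for _, raw := range os.Args[1:] {
		if _, err := ValidateWebsiteURL(raw); err != nil {
			fmt.Printf("REJECT %s: %v\n", raw, err)
			continue
		}
		fmt.Printf("ACCEPT %s (address re-checked at dial time)\n", raw)
	}
}
```

Use NewSafeClient in place of the default client for the title fetch. ValidateWebsiteURL on its own is not enough, because a hostname can resolve to a private address after it was validated; the Control hook carries the binding decision on the address actually being connected to, and because it runs on every dial it also covers redirects. Note that the hook does not see the final destination when the transport uses an HTTP proxy, which is why Proxy is left nil.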

Added: Apr 6, 2026, 5:27 PM
Updated: Apr 6, 2026, 5:27 PM

Vulnerability Rating (Custom Algorithm)

  spread          0.0
  impact          0.6
  exploitability  8.7
  remediation     0.0
  relevance       5.4
  threat          6.4
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.