CVE-2018-25129
Insecure Direct Object Reference in SOCA Access Control Exposes Credentials
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| soca | access_control_system | 4.0 |
| apache | http_server | 2.2.22 |
| soca_technology_co.,_ltd | soca_access_control_system | 141007 |
| soca_technology_co.,_ltd | soca_access_control_system | 170000 |
| php | php | 5.4.13 |
| soca_technology_co.,_ltd | soca_access_control_system | 180612 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in SOCA Access Control System 180612 is an insecure direct object reference (IDOR) flaw that allows attackers to bypass authorization controls and access sensitive user credentials. Authenticated users can retrieve password hashes via the Get_Permission_From_DB.php endpoint, while unauthenticated attackers can obtain card numbers and PINs through the Ac10_ReadSortCard CGI endpoint. Additionally, a phpinfo.php page exposes detailed PHP configuration information, aiding further exploitation. These issues arise from improper access control and insufficient input validation. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive user credentials such as password hashes and card PINs. Attackers can gain access to authenticated user password hashes and unauthenticated access to card numbers and PINs, which may be default values like '0000'. This exposure can compromise the security of the access control system, potentially allowing attackers to bypass physical security measures, impersonate users, and gain unauthorized entry. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable endpoints that disclose sensitive information. For authenticated detection, use a curl command with a valid PHP session cookie to access the endpoint `Get_Permission_From_DB.php`, which returns JSON data containing user IDs and password hashes. For example: `curl --cookie "PHPSESSID=your_session_id" http://target/Get_Permission_From_DB.php`. For unauthenticated detection, send a crafted POST request to the Ac10_ReadSortCard CGI endpoint at `Reader_Action.cgi/Ac10_ReadSortCard`, which returns JSON data with card numbers and PINs. Additionally, check for the presence of a `phpinfo.php` page that exposes PHP configuration details. These commands help verify if the system is vulnerable by confirming if sensitive data is accessible through these endpoints. [1]
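As an added example (not part of this advisory or of the vendor's code), the following Python scanner applies the detection logic above from the defender's side, over web server access logs rather than by probing the device: it flags requests to the three disclosed endpoints, treats 2xx responses as likely disclosure and any other status as a probe worth alerting on. The log lines are constructed samples in Apache combined format.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache combined format (not from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Dec/2025:10:00:02 +0000] "GET /Get_Permission_From_DB.php HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.0.7 - - [24/Dec/2025:10:00:03 +0000] "POST /Reader_Action.cgi/Ac10_ReadSortCard HTTP/1.1" 200 1024 "-" "curl/7.68.0"
10.0.0.9 - - [24/Dec/2025:10:00:04 +0000] "GET /phpinfo.php?x=1 HTTP/1.1" 200 65536 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Dec/2025:10:00:05 +0000] "POST /Reader_Action.cgi/Ac10_ReadSortCard HTTP/1.1" 403 0 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints named in the advisory, keyed by lower-cased path so case variants are not missed.
WATCHED = {
    "/get_permission_from_db.php": "password hashes (authenticated IDOR)",
    "/reader_action.cgi/ac10_readsortcard": "card numbers and PINs (unauthenticated)",
    "/phpinfo.php": "PHP configuration disclosure",
}

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0].lower()   # drop query string, normalise case
    return rec

def scan_access_log(text):
    """Return (disclosures, probes_per_ip).

    A watched path answered with 2xx is treated as a likely disclosure; any other status
    on a watched path is counted as a probe against the source IP."""
    disclosures, probes = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED:
            continue
        if 200 <= rec["status"] < 300:
            disclosures.append((rec["ip"], rec["path"], WATCHED[rec["path"]], rec["size"]))
        else:
            probes[rec["ip"]] += 1
    return disclosures, probes

if __name__ == "__main__":
    hits, probes = scan_access_log(SAMPLE_LOG)
    for ip, path, what, size in hits:
        print(f"{ip} fetched {path} ({size} bytes): {what}")
    for ip, n in probes.items():
        print(f"{ip}: {n} failed/blocked request(s) to watched endpoints")
```

Pointing the scanner at real logs requires only that the web server writes the combined format; a non-zero response size on `Get_Permission_From_DB.php` or the CGI endpoint is the strongest signal that data actually left the device.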
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoints such as Get_Permission_From_DB.php and Reader_Action.cgi/Ac10_ReadSortCard by implementing proper authorization checks and access controls. Disable or restrict access to the phpinfo.php page to prevent exposure of PHP configuration information. Additionally, review and update the application to validate user input properly and prevent insecure direct object references (IDOR). Applying patches or updates from the vendor, if available, is also recommended to address these security flaws. [1, 2]