Key Information

Title: SOCA Access Control System 180612 Information Disclosure
Advisory ID: ZSL-2019-5517
Type: Local/Remote
Impact: Disclosure of Sensitive Information
Risk: (4/5)
Release Date: 13.05.2019

Summary
Insecure direct object references allow attackers to bypass authorization and access resources and functionalities in the system.

Vendor
SOCA Technology Co., Ltd - http://www.socatech.com

Affected Version
180612, 170000, 141007

Tested On
Windows NT 6.1 build 7601 (Windows 7 SP1) i586
Windows NT 6.2 build 9200 (Windows Server 2012 SE) i586
Apache/2.2.22 (Win32)
PHP/5.4.13

Vendor Status
N/A

PoC
socainfo.txt

Credits
Discovered by Gjoko Krstic -

References
1. https://www.exploit-db.com/exploits/46832
2. https://packetstormsecurity.com/files/152836
3. https://cxsecurity.com/issue/WLB-2019050152
4. https://exchange.xforce.ibmcloud.com/vulnerabilities/160978

Changelog
[13.05.2019] - Initial release
[15.05.2019] - Added reference [4]