SOCA Access Control System Information Disclosure Vulnerability
Vulnerability
Multiple insecure direct object reference vulnerabilities have been identified in the SOCA Access Control System version 180612. These vulnerabilities allow attackers to access sensitive user credentials, including password hashes and PINs, through unprotected endpoints such as Get_Permissions_From_DB.php and Ac10_ReadSortCard.
Impact
Exploitation of these vulnerabilities leads to unauthorized access to sensitive user information, including password hashes and PINs.
Reproduction
The vulnerability can be reproduced by sending a request to the Get_Permissions_From_DB.php endpoint with a valid PHP session cookie. The JSON response contains the password hashes of authenticated users. Unauthenticated users can retrieve PINs by sending a POST request to the Ac10_ReadSortCard endpoint with the appropriate reader data; the response includes the PINs associated with the accessed cards.
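A server-side pattern that closes both gaps described above, given as an added example and not the vendor's code: require an authenticated session, authorize the specific record being read, and return only allow-listed fields so hashes and PINs never leave the server. The field names, role values, function names and sample rows are assumptions, since the advisory does not show the real schema.

```php
<?php
declare(strict_types=1);

// Hypothetical field names; the product's real schema is not shown in the advisory.
const PUBLIC_FIELDS = ['user_id', 'username', 'role', 'permissions'];

/**
 * Decide whether the session user may read the target record.
 * Assumption: login code stores 'user_id' and 'role' in the session.
 */
function may_read(array $session, int $targetId): bool
{
    if (!isset($session['user_id'], $session['role'])) {
        return false;                               // no authenticated session
    }
    return $session['role'] === 'admin'             // administrators may read any record
        || (int)$session['user_id'] === $targetId;  // everyone else only their own
}

/** Keep only allow-listed fields; password hashes and PINs are dropped. */
function redact(array $row): array
{
    return array_intersect_key($row, array_flip(PUBLIC_FIELDS));
}

/** Build the HTTP status and JSON body for a permissions lookup. */
function permissions_response(array $session, int $targetId, array $rows): array
{
    if (!may_read($session, $targetId)) {
        return [403, json_encode(['error' => 'forbidden'])];
    }
    $match = array_filter($rows, fn($r) => (int)$r['user_id'] === $targetId);
    return [200, json_encode(array_map('redact', array_values($match)))];
}

// Constructed sample rows standing in for the database.
$rows = [
    ['user_id' => 1, 'username' => 'alice', 'role' => 'admin', 'permissions' => 'all',
     'password_hash' => 'CONSTRUCTED_HASH', 'pin' => '0000'],
    ['user_id' => 2, 'username' => 'bob', 'role' => 'user', 'permissions' => 'door1',
     'password_hash' => 'CONSTRUCTED_HASH', 'pin' => '1111'],
];

print_r(permissions_response(['user_id' => 2, 'role' => 'user'], 1, $rows)); // user 2 asks for user 1
print_r(permissions_response(['user_id' => 2, 'role' => 'user'], 2, $rows)); // user 2 asks for own record
print_r(permissions_response([], 2, $rows));                                  // request with no session
```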
