There is a blind SQL injection in the “aku” parameter. Once authenticated, the internal file id is disclosed in the URL when a file is requested (it only needs Base64 decoding).
Something like:
http://site/opendocman-1.2.5/details.php?aku=aWQ9MTImc3RhdGU9Mg==
is equal to
http://site/opendocman-1.2.5/details.php?aku= id=12&state=2
It can then be seen that the id value is 12, as in the following example...
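Separately from the author's own example, a log-triage sketch for the encoding described above, added here and not part of the original advisory or of OpenDocMan: it decodes `aku` values from request URLs and flags those whose decoded fields are not plain integers. The integer-only rule, the helper names, and the two constructed sample requests are assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qs


def decode_aku(url):
    """Return the decoded aku fields as a dict, or None if aku is missing
    or is not valid Base64-encoded text."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("aku")
    if not values:
        return None
    # parse_qs turns a literal '+' into a space; restore it before decoding.
    raw = values[0].replace(" ", "+")
    try:
        inner = base64.b64decode(raw, validate=True).decode("utf-8")
    except ValueError:  # bad Base64 (binascii.Error) or non-UTF-8 bytes
        return None
    return {k: v[0] for k, v in parse_qs(inner, keep_blank_values=True).items()}


def classify(url):
    """'ok' when id is present and every decoded value is a decimal integer
    (assumed rule), 'suspicious' otherwise, 'undecodable' if aku is unreadable."""
    fields = decode_aku(url)
    if fields is None:
        return "undecodable"
    if "id" not in fields:
        return "suspicious"
    if all(v.isascii() and v.isdigit() for v in fields.values()):
        return "ok"
    return "suspicious"


def sample_url(inner):
    """Build a constructed request URL carrying `inner` in aku (demo input only)."""
    token = base64.b64encode(inner.encode()).decode()
    return "http://site/opendocman-1.2.5/details.php?aku=" + token


if __name__ == "__main__":
    for url in (
        "http://site/opendocman-1.2.5/details.php?aku=aWQ9MTImc3RhdGU9Mg==",  # from the page
        sample_url("id=12'&state=2"),  # constructed: non-integer id
        "http://site/opendocman-1.2.5/details.php?aku=not*base64",  # constructed
    ):
        print(classify(url), decode_aku(url))
```

Requests classified as suspicious or undecodable are candidates for manual review alongside the database error log.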