CVE-2014-6308
published 2014-10-20CVE-2014-6308: Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render…
PriorityP343medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
22.26%
97.4th percentile
Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| osclass | osclass | <= 3.4.1 | — |
| osclass | osclass | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd↗
- →Look for GET requests to oc-admin/index.php with query parameters page=appearance, action=render, and a file parameter containing directory traversal sequences (../). ↗
- →A successful exploitation attempt targeting /etc/passwd will return a response body matching the pattern 'root:.*:0:0:' with HTTP 200 status. ↗
- ·The vulnerability affects OSClass versions 3.4.1 and possibly below; version 3.4.2 contains the fix. Scope detection rules to target only these versions. ↗
- ·The LFI is unauthenticated (Au:N) and network-accessible (AV:N) with low complexity (AC:L), meaning no authentication bypass is required to trigger it. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
OSClass 3.4.1 - 'index.php' Local File Inclusion
exploitdb·2014-09-25·CVSS 5.0
CVE-2014-6308 [MEDIUM] OSClass 3.4.1 - 'index.php' Local File Inclusion
OSClass 3.4.1 - 'index.php' Local File Inclusion
---
Information
Advisory by Netsparker.
Name : LFI Vulnerability in OsClass
Affected Software : OsClass
Affected Versions: 3.4.1 and possibly below
Vendor Homepage : http://osclass.org/
Vulnerability Type : Local File Inclusion
Severity : Critical
CVE-ID: CVE-2014-6308
Netsparker Advisory Reference : NS-14-031
Advisory URL
https://www.netsparker.com/lfi-vulnerability-in-osclass/
Description
Local file inclusion vulnerability where discovered in Osclass, an
open source project that allows you to create a classifieds sites.
Technical Details
Proof of Concept URL for LFI in OsClass:
http://example.com/osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd
Advisory Timeline
03/09/2014 - Firs
Nuclei
Osclass Security Advisory 3.4.1 - Local File Inclusion
nuclei·CVSS 5.0
CVE-2014-6308 [MEDIUM] Osclass Security Advisory 3.4.1 - Local File Inclusion
Osclass Security Advisory 3.4.1 - Local File Inclusion
A directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php.
Template:
id: CVE-2014-6308
info:
name: Osclass Security Advisory 3.4.1 - Local File Inclusion
author: daffainfo
severity: medium
description: A directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php.
impact: |
An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.
remediation: |
Upgrade to a patched version of Osclass (3.4.2 or later)
http://blog.osclass.org/2014/09/15/osclass-3-4-2-ready-download/http://packetstormsecurity.com/files/128285/OsClass-3.4.1-Local-File-Inclusion.htmlhttp://www.securityfocus.com/archive/1/533456/100/0/threadedhttps://github.com/osclass/Osclass/commit/c163bf5910d0d36424d7fc678da6b03a0e443435https://www.netsparker.com/lfi-vulnerability-in-osclass/http://blog.osclass.org/2014/09/15/osclass-3-4-2-ready-download/http://packetstormsecurity.com/files/128285/OsClass-3.4.1-Local-File-Inclusion.htmlhttp://www.securityfocus.com/archive/1/533456/100/0/threadedhttps://github.com/osclass/Osclass/commit/c163bf5910d0d36424d7fc678da6b03a0e443435https://www.netsparker.com/lfi-vulnerability-in-osclass/
2014-10-20
Published