CVE-2014-8673
Published: 2020-01-07
Priority: P2 (66), critical, CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 11.94% (95.6th percentile)
Multiple SQL injection vulnerabilities exist in planning.php, user_list.php, projets.php, user_groupes.php, and groupe_list.php in Simple Online Planning (SOPlanning) before 1.33.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| soplanning | soplanning | <= 1.32 | — |
Detection & IOCs (extracted from sources)
- url: http://localhost/user_groupes.php?page=1&order=1,(select%20case%20when%20(1=1)%20then%201%20else%201*(select%201%20from%20information_schema.tables)end)=1&by=
- url: http://localhost/groupe_list.php?page=1&order=1,(select%20case%20when%20(1=0)%20then%201%20else%201*(select%201%20from%20information_schema.tables)end)=1&by=
- command: filtreGroupeProjet=1&projet_anything=anything') union all select 111,table_name,333,444,555,666,777,888,999 from information_schema.tables#
- Detect blind SQLi exploitation attempts via GET parameters 'order' and 'by' in user_list.php, projets.php, user_groupes.php, and groupe_list.php; look for comma-separated numeric values or nested SELECT subqueries in the 'order' parameter.
- Detect blind SQLi via the 'triPlanning' GET parameter in process/planning.php with comma-separated values (e.g., triPlanning=1,1 or triPlanning=1,0); results are observable via export_pdf.php?debug=1.
- Detect SQLi via the 'nb_lignes' cookie containing SQL INTO OUTFILE syntax when visiting /process/planning.php; monitor for cookie values containing SQL keywords such as 'into outfile'.
- The application uses addslashes() for SQLi sanitization instead of mysql_real_escape_string(), making it bypassable; flag any SOPlanning instance running version 1.32 or prior as vulnerable.
- Exfiltration of SQLi results occurs through /export_csv.php after a successful UNION injection via planning.php POST; correlate POST to planning.php with subsequent GET to export_csv.php from the same session.
- Note: the SQLi via nb_lignes cookie requires the attacker to have a valid session cookie (soplanning=) for the LIMIT injection vector in process/planning.php.
- Note: the triPlanning blind SQLi PoC requires that the HTTP client does NOT follow the redirect back to ../planning.php, where sanitization is applied; automated scanners that follow redirects may miss this vector.
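CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |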
References
- http://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.html
- http://seclists.org/fulldisclosure/2015/Jul/44
- http://www.securityfocus.com/bid/75726
- https://www.exploit-db.com/exploits/37604/