cbcvebase.
CVE-2014-8673
published 2020-01-07

CVE-2014-8673: Multiple SQL vulnerabilities exist in planning.php, user_list.php, projets.php, user_groupes.php, and groupe_list.php in Simple Online Planning…

Priority: P266 · Severity: critical, 9.8 (CVSS 3.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 11.94% (95.6th percentile)
Multiple SQL injection vulnerabilities exist in planning.php, user_list.php, projets.php, user_groupes.php, and groupe_list.php in Simple Online Planning (SOPlanning) before 1.33.

Affected

1 range

Vendor       Product      Version range   Fixed in
soplanning   soplanning   <= 1.32         (not listed)

Detection & IOCs (extracted from sources)

Path: /process/planning.php
Path: /export_csv.php
URL: http://localhost/user_list.php?page=1&order=1,1&by=
URL: http://localhost/projets.php?order=1,0&by=
URL: http://localhost/user_groupes.php?page=1&order=1,(select%20case%20when%20(1=1)%20then%201%20else%201*(select%201%20from%20information_schema.tables)end)=1&by=
URL: http://localhost/groupe_list.php?page=1&order=1,(select%20case%20when%20(1=0)%20then%201%20else%201*(select%201%20from%20information_schema.tables)end)=1&by=
URL: http://localhost/process/planning.php?triPlanning=1,1
URL: http://localhost/process/planning.php?triPlanning=1,0
URL: http://localhost/export_pdf.php?debug=1
Command: filtreGroupeProjet=1&projet_anything=anything') union all select 111,table_name,333,444,555,666,777,888,999 from information_schema.tables#
Path: /tmp/poc_soplanning.txt
  • Detect blind SQLi exploitation attempts via GET parameters 'order' and 'by' in user_list.php, projets.php, user_groupes.php, and groupe_list.php — look for comma-separated numeric values or nested SELECT subqueries in the 'order' parameter.
  • Detect blind SQLi via the 'triPlanning' GET parameter in process/planning.php with comma-separated values (e.g., triPlanning=1,1 or triPlanning=1,0); results are observable via export_pdf.php?debug=1.
  • Detect SQLi via the 'nb_lignes' cookie containing SQL INTO OUTFILE syntax when visiting /process/planning.php; monitor for cookie values containing SQL keywords such as 'into outfile'.
  • The application uses addslashes() for SQLi sanitization instead of mysql_real_escape_string(), making it bypassable; flag any SOPlanning instance running version 1.32 or prior as vulnerable.
  • Exfiltration of SQLi results occurs through /export_csv.php after a successful UNION injection via planning.php POST; correlate POST to planning.php with subsequent GET to export_csv.php from the same session.
  • The SQLi via the nb_lignes cookie requires the attacker to have a valid session cookie (soplanning=) for the LIMIT injection vector in process/planning.php.
  • The triPlanning blind SQLi PoC requires that the HTTP client does NOT follow the redirect back to ../planning.php, where sanitization is applied; automated scanners that follow redirects may miss this vector.
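A detection pass that applies the rules listed above to constructed access-log lines, added here as an example; it is not code from the page or from the SOPlanning project. The log format (session id, method, URL, cookie column, separated by spaces) and the session ids are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log (assumed format: "<session> <method> <url> <cookie-or-dash>").
SAMPLE_LOG = """\
sessA GET /user_list.php?page=1&order=1 -
sessA GET /projets.php?order=1,0&by= -
sessA GET /user_groupes.php?page=1&order=1,(select%20case%20when%20(1=1)%20then%201%20else%201*(select%201%20from%20information_schema.tables)end)=1&by= -
sessB GET /process/planning.php?triPlanning=1,0 -
sessC GET /process/planning.php nb_lignes=10
sessC GET /process/planning.php nb_lignes=1%20into%20outfile%20x
sessD POST /planning.php -
sessD GET /export_csv.php -
"""

ORDER_PAGES = {"/user_list.php", "/projets.php", "/user_groupes.php", "/groupe_list.php"}
NUMERIC_PAIR = re.compile(r"^\d+,\d+$")            # e.g. order=1,1 / order=1,0
SELECT_KEYWORD = re.compile(r"\bselect\b", re.IGNORECASE)  # nested subquery in 'order'

def analyse(log_text):
    """Return (session, rule, path) tuples for lines matching the page's detection rules."""
    findings = []
    after_post_planning = set()  # sessions whose previous request was POST /planning.php
    for line in log_text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        session, method, url, cookie = fields
        parts = urlsplit(url)
        params = parse_qs(parts.query, keep_blank_values=True)  # decodes %20 etc.
        if parts.path in ORDER_PAGES:
            for value in params.get("order", []):
                if NUMERIC_PAIR.match(value) or SELECT_KEYWORD.search(value):
                    findings.append((session, "order-param-sqli", parts.path))
        if parts.path == "/process/planning.php":
            for value in params.get("triPlanning", []):
                if "," in value:
                    findings.append((session, "triPlanning-sqli", parts.path))
            if "into outfile" in unquote(cookie).lower():
                findings.append((session, "nb_lignes-cookie-sqli", parts.path))
        # Exfiltration pattern: POST to planning.php followed by GET export_csv.php, same session.
        if parts.path == "/export_csv.php" and session in after_post_planning:
            findings.append((session, "post-planning-then-export_csv", parts.path))
        if method == "POST" and parts.path == "/planning.php":
            after_post_planning.add(session)
        else:
            after_post_planning.discard(session)
    return findings

if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(hit)
```

The plain `order=1` request and the benign `nb_lignes=10` cookie produce no finding, so the sample yields five hits, one per rule plus the numeric-pair case.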

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)