WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract($_REQUEST) to populate local variables and then directly concatenates these variables into a SQL query executed via PDO::query. This allows an authenticated (or auth-bypassed) attacker to execute arbitrary SQL commands. This can be used to exfiltrate sensitive data from the database or, as demonstrated in this PoC, cause a time-based delay (denial of service). This vulnerability is fixed in 3.6.6.
The remover_produto_ocultar.php script uses the extract($_REQUEST) function to automatically create local variables based on user-submitted data. The values of these variables are then directly concatenated into an SQL query executed by PDO::query, without any sanitization or use of parameterized queries. An attacker – authenticated or bypassing authorization mechanisms – can inject arbitrary SQL commands in this way, such as time-based payload causing server response delay (Denial of Service).
An attacker can extract sensitive data from the application database or launch a DoS attack using time-based SQL injection technique. Due to the network vector without required privileges, the scale of potential exposure is very large.
WeGIA should be updated to version 3.6.6 or later, in which the vulnerability has been fixed. Details are available in the vendor references: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7g3-87cr-8m83
WeGIA in versions before 3.6.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWegia
APPWegia< 3.6.6
Related vulnerabilities
Reflected XSS w WeGIA — wstrzyknięcie kodu przez parametr sccd
Reflected XSS w WeGIA — wstrzyknięcie kodu JS przez parametr GET
SQL Injection w WeGIA — kompromitacja bazy danych przez parametr id_produto
WeGIA – pominięcie uwierzytelnienia w adicionar_tipo_docs_atendido.php
WeGIA – RCE przez command injection w funkcji przywracania bazy danych