WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- < 3.2.0
A vulnerability exists in WeGIA versions prior to 3.2.0, specifically in the controle/control.php file, where the application fails to properly validate the old password during password change requests. This flaw allows users to reset their passwords by entering any value in the 'senha_antiga' field, bypassing authentication requirements. The issue enables unauthorized password changes for any user, including administrators.
Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to account takeover, including admin accounts.
To reproduce this vulnerability, send a POST request to the '/WeGIA/controle/control.php' endpoint. Include a random value in the 'senha_antiga' parameter, and set the 'nova_senha' and 'confirmar_senha' parameters to the desired new password. The request can also include 'nomeClasse', 'metodo', 'redir', and 'id_pessoa' parameters as part of the password change process. After the request is processed, the new password can be used to log in, effectively demonstrating the vulnerability by changing the password of an admin user.
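The missing check described above, shown as an added example of a hardened password-change handler in PHP. This is not WeGIA's code: the function name `change_password`, the in-memory `$users` array, the session layout, and the use of `password_hash`/`password_verify` are assumptions. Only the request parameter names come from the advisory.

```php
<?php
// Added example: hypothetical handler, not WeGIA's code.
// $users is a constructed in-memory stand-in for the user table.
function change_password(array &$users, array $session, array $post): string
{
    // Assumption: the account to change comes from the logged-in session.
    $id = $session['id_pessoa'] ?? null;
    if ($id === null || !isset($users[$id])) {
        return 'denied: not authenticated';
    }
    // A client-supplied id_pessoa must not redirect the change elsewhere.
    if (isset($post['id_pessoa']) && (!is_scalar($post['id_pessoa'])
            || (string)$post['id_pessoa'] !== (string)$id)) {
        return 'denied: id_pessoa does not match session';
    }
    $old = $post['senha_antiga'] ?? '';
    $new = $post['nova_senha'] ?? '';
    $confirm = $post['confirmar_senha'] ?? '';
    if (!is_string($old) || !is_string($new) || !is_string($confirm)) {
        return 'denied: malformed input';
    }
    // The check the advisory reports as missing: senha_antiga must match
    // the stored hash before anything is written.
    if (!password_verify($old, $users[$id]['hash'])) {
        return 'denied: wrong current password';
    }
    if ($new === '' || !hash_equals($new, $confirm)) {
        return 'denied: new password and confirmation differ';
    }
    $users[$id]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return 'ok';
}

// Constructed sample account and requests.
$users = [1 => ['hash' => password_hash('current-pass', PASSWORD_DEFAULT)]];
$session = ['id_pessoa' => 1];
$new = ['nova_senha' => 'N3w-pass!', 'confirmar_senha' => 'N3w-pass!'];
$cases = [
    'arbitrary senha_antiga' => ['senha_antiga' => 'x'] + $new,
    'other id_pessoa'        => ['senha_antiga' => 'current-pass', 'id_pessoa' => '2'] + $new,
    'correct senha_antiga'   => ['senha_antiga' => 'current-pass'] + $new,
];
foreach ($cases as $label => $post) {
    echo $label, ': ', change_password($users, $session, $post), PHP_EOL;
}
```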