WeGIA Denial-of-Service Vulnerability via Recursive Crawling of Dynamic URLs

Vulnerability

A denial-of-service vulnerability has been identified in WeGIA, an open-source web manager for institutions aimed at Portuguese-speaking users. Any unauthenticated client can exhaust server resources by spidering the application aggressively, for example with OWASP ZAP. Two things combine to make this possible: the application generates URLs dynamically, so a recursive crawler keeps discovering new links to follow, and the application does not throttle or otherwise manage the resulting high request volume. WeGIA versions through 3.2.15 are affected; the issue is fixed in version 3.2.16.

Impact

Exploitation leads to a denial of service: the server becomes unresponsive or starts returning HTTP 5xx errors, interrupting normal operations for legitimate users. The pattern is visible in server logs as a burst of repeated requests from a single client to many dynamically generated URLs and to static file directories.
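As an added illustration (not part of the advisory or of the WeGIA project), the following Python script applies the log pattern described above to a constructed access log in Apache/nginx combined format: it groups requests per client, looks for a burst inside a sliding time window, and for each burst reports how many requests went to dynamic URLs (query strings), how many to static file directories, and how many ended in a 5xx response. The IP addresses, timestamps, paths and thresholds are all constructed for the example and are not WeGIA routes; the User-Agent is deliberately not used as a signal because a spider can set it to anything.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Hypothetical static directories; adjust to the deployment's real layout.
STATIC_PREFIXES = ("/assets/", "/css/", "/js/", "/img/")


def constructed_log() -> list[str]:
    """Constructed sample data: one ordinary user plus one aggressive spider."""
    lines = []
    # Ordinary user: four requests spread over a minute.
    for sec in (0, 12, 30, 55):
        lines.append(
            f'198.51.100.7 - - [09/Jun/2025:19:46:{sec:02d} +0000] '
            f'"GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        )
    # Spider: 60 requests in 4 seconds, every path distinct, most of them
    # dynamic (query strings), the rest static files; the last 15 hit 503
    # once the server can no longer keep up. Paths are hypothetical.
    for i in range(60):
        sec = i // 15
        status = 200 if i < 45 else 503
        path = f"/menu.php?page={i}&ref={i * 7}" if i % 5 else f"/js/app{i}.js"
        lines.append(
            f'203.0.113.10 - - [09/Jun/2025:19:46:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 1024 "-" "Mozilla/5.0"'
        )
    return lines


def analyse(lines: list[str], window_s: int = 10, max_requests: int = 30,
            min_distinct_ratio: float = 0.8) -> dict[str, dict[str, float]]:
    """Return, per offending client IP, a summary of its first qualifying burst.

    A burst is at least `max_requests` requests from one IP within `window_s`
    seconds where at least `min_distinct_ratio` of the paths are distinct
    (a crawler walks new URLs; a stuck browser tab repeats the same one).
    Thresholds are example values, not tuned recommendations.
    """
    per_ip: dict[str, list[tuple[datetime, str, int]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]].append((ts, m["path"], int(m["status"])))

    findings: dict[str, dict[str, float]] = {}
    for ip, reqs in per_ip.items():
        reqs.sort()
        for start in range(len(reqs)):
            end = start
            while end < len(reqs) and (reqs[end][0] - reqs[start][0]).total_seconds() <= window_s:
                end += 1
            burst = reqs[start:end]
            if len(burst) < max_requests:
                continue
            paths = [p for _, p, _ in burst]
            distinct_ratio = len(set(paths)) / len(paths)
            if distinct_ratio < min_distinct_ratio:
                continue
            findings[ip] = {
                "requests": len(burst),
                "distinct_ratio": distinct_ratio,
                "dynamic": sum("?" in p for p in paths),
                "static": sum(p.startswith(STATIC_PREFIXES) for p in paths),
                "errors_5xx": sum(s >= 500 for _, _, s in burst),
            }
            break  # one finding per client is enough for an alert
    return findings


if __name__ == "__main__":
    for ip, summary in analyse(constructed_log()).items():
        print(ip, summary)
```

On the constructed data only 203.0.113.10 is reported, with 60 requests in the window, 48 of them dynamic, 12 static and 15 ending in 5xx; the ordinary user never reaches the request threshold. The 5xx count is the useful confirmation that the burst actually degraded service rather than merely being noisy.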

Reproduction

To reproduce, install OWASP ZAP 2.15.0 or later. In the Spider, set the starting point to 'https://comfirewall.wegia.org:8000/', enable recursion, set the maximum crawl depth to unlimited (0 in ZAP's spider options), and allow form processing. Start the Spider and watch the server's responses. Within a few seconds the server should become unresponsive or begin returning HTTP 5xx errors, which confirms the denial-of-service condition. Because the test takes the instance down, run it only against an installation you own or are authorized to test.

Remediation

Update to WeGIA version 3.2.16 or later. Until the update is applied, per-client rate limiting at the reverse proxy or WAF in front of the application reduces the impact, since the root cause is the lack of any control over request volume; it does not remove the underlying issue.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  6.0
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.