WeGIA OS Command Injection Vulnerability in Debug Information Endpoint

Vulnerability

A command injection vulnerability has been identified in WeGIA versions prior to 3.4.2. The issue resides in the '/html/configuracao/debug_info.php' endpoint, where the 'branch' parameter is not properly sanitized before being executed as a shell command on the server. This vulnerability allows unauthenticated attackers to execute arbitrary commands with the privileges of the web server user (www-data), potentially compromising the application's and server's confidentiality, integrity, and availability.

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the www-data user. This could lead to unauthorized access to sensitive files, modification or deletion of files, execution of resource-intensive commands causing a denial of service, and use of the compromised server to attack other systems on the internal network.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/html/configuracao/debug_info.php' endpoint. The 'branch' parameter should be injected with shell metacharacters, such as semicolons, to execute arbitrary commands on the server. The 'action' parameter must also be included, with the value set to 'switch'.

Remediation

Users are advised to update WeGIA to version 3.4.2 or later, where this vulnerability has been patched.
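The Reproduction and Remediation sections above describe the defect (an unauthenticated 'branch' value reaching a shell command) without showing what a correct handler looks like. The following is an added illustration written for this page, not code from WeGIA or its 3.4.2 fix: it gates the action behind an authentication check, accepts only a branch name that is both syntactically a plain git ref and present in a list of known branches, and still quotes the value with escapeshellarg() before execution. The function names, the $isAdmin flag and the $knownBranches list are assumptions; it needs PHP 8 for str_contains() and str_ends_with().

```php
<?php
declare(strict_types=1);
// Added example, not WeGIA's code. Shows two controls for a "switch branch"
// debug action: an authentication gate and strict validation of the
// user-supplied branch name before anything reaches a shell.
// handle_switch_branch, $isAdmin and $knownBranches are assumed names.

/** Return the branch name if it is a plain, git-legal ref name, else null. */
function validate_branch_name(string $branch): ?string
{
    if ($branch === '' || strlen($branch) > 255) {
        return null;
    }
    // Character allowlist: shell metacharacters (; | & $ ` space ...) never pass.
    if (preg_match('/^[A-Za-z0-9._\/-]+$/', $branch) !== 1) {
        return null;
    }
    // Sequences git forbids in ref names, plus a leading '-' (would parse as an option).
    if ($branch[0] === '-' || $branch[0] === '/' || str_ends_with($branch, '/')
        || str_contains($branch, '..') || str_contains($branch, '//')
        || str_contains($branch, '@{') || str_ends_with($branch, '.lock')) {
        return null;
    }
    return $branch;
}

/**
 * Build the command only for a branch that already exists in the repository.
 * In a real handler $knownBranches would be read from
 * `git for-each-ref --format=%(refname:short) refs/heads/`; it is passed in
 * here so the function can be exercised without a repository.
 */
function build_switch_command(string $branch, array $knownBranches): ?string
{
    $safe = validate_branch_name($branch);
    if ($safe === null || !in_array($safe, $knownBranches, true)) {
        return null;
    }
    // Quote even the validated value: defence in depth against a regex mistake.
    return 'git switch ' . escapeshellarg($safe);
}

/** Request handler: authenticate first, then validate, then execute. */
function handle_switch_branch(array $post, bool $isAdmin, array $knownBranches): string
{
    if (!$isAdmin) {
        http_response_code(403);
        return 'forbidden';
    }
    if (($post['action'] ?? '') !== 'switch') {
        http_response_code(400);
        return 'unknown action';
    }
    $cmd = build_switch_command((string) ($post['branch'] ?? ''), $knownBranches);
    if ($cmd === null) {
        http_response_code(400);
        return 'invalid branch';
    }
    exec($cmd . ' 2>&1', $output, $status);
    return $status === 0 ? implode("\n", $output) : 'git failed';
}

// Constructed demonstration values, not taken from any real deployment.
$branches = ['main', 'develop', 'release/3.4'];
var_dump(build_switch_command('develop', $branches));
var_dump(build_switch_command('release/3.4', $branches));
var_dump(build_switch_command('develop; echo x', $branches));
var_dump(build_switch_command('--output=/tmp/x', $branches));
var_dump(build_switch_command('feature/unknown', $branches));
```

The membership check against $knownBranches is the control that matters most: the user's string is never interpolated into the command at all unless it equals a value the application itself enumerated. The regex and escapeshellarg() are there so that a mistake in building that list (or a later refactor that drops it) does not silently reopen the injection.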

Added: Jun 19, 2025, 4:18 AM
Updated: Jun 19, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 7.7
relevance: 0.2
threat: 7.1
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.