WeGIA Uncontrolled Resource Consumption Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in WeGIA, a web management application for charitable institutions. The issue arises because the server does not validate the length of the 'errorstr' parameter in HTTP GET requests, allowing URLs of up to 8,142 characters. This flaw leads to excessive resource consumption, increased latency, timeouts, and read errors, leaving the server exposed to DoS attacks. The vulnerability affects WeGIA versions prior to 3.3.0.

Impact

Exploitation of this vulnerability causes significant resource exhaustion, slowing down or disrupting the service. It leads to high latency, timeouts, and read errors, indicating a struggle to manage the load. This vulnerability poses a critical risk to the application's availability, particularly in environments where WeGIA is essential for operations.

Reproduction

To reproduce this vulnerability, send an HTTP GET request to the WeGIA server with the 'errorstr' parameter filled with repeated characters, totaling up to 8,000 characters. This can be done using a 'curl' command or by simulating a high-load attack with the 'wrk' tool, which can process over 20,000 requests in a minute, causing significant timeouts and read errors.

Remediation

Users can upgrade to WeGIA version 3.3.0 or later to address this vulnerability.
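The two defender-side controls implied by this advisory, as an added example that is not WeGIA project code: a server-side cap on the 'errorstr' value (the 256-character limit is an assumption; WeGIA's own limit is not stated here) and a log check that flags requests whose 'errorstr' exceeds that cap. The access-log lines and hosts are constructed for the example.

```python
"""Added example (not WeGIA project code): cap the 'errorstr' query parameter
and flag overlong values in web-server access logs."""
import re
from urllib.parse import urlsplit, parse_qs

MAX_ERRORSTR_LEN = 256   # assumed cap; the advisory gives no value for WeGIA 3.3.0
PARAM = "errorstr"

# Constructed sample log lines (combined log format, documentation-range IPs).
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [07/Jul/2025:17:21:00 +0000] "GET /index.php?errorstr=Invalid+login HTTP/1.1" 200 512',
    '203.0.113.7 - - [07/Jul/2025:17:21:01 +0000] "GET /index.php?errorstr=' + "A" * 8000 + ' HTTP/1.1" 200 512',
    '198.51.100.3 - - [07/Jul/2025:17:21:02 +0000] "GET /html/home.php HTTP/1.1" 200 2048',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def errorstr_length(target: str) -> int:
    """Decoded length of the longest 'errorstr' value in a request target (0 if absent)."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(PARAM, [])
    return max((len(v) for v in values), default=0)


def validate_errorstr(target: str, limit: int = MAX_ERRORSTR_LEN) -> int:
    """Server-side check: HTTP 400 when 'errorstr' exceeds the cap, otherwise 200."""
    return 400 if errorstr_length(target) > limit else 200


def find_overlong_requests(log_text: str, limit: int = MAX_ERRORSTR_LEN) -> list:
    """Detection: (client IP, errorstr length) for every log line over the cap."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that are not in combined log format
        n = errorstr_length(m.group("target"))
        if n > limit:
            hits.append((m.group("ip"), n))
    return hits


if __name__ == "__main__":
    for ip, n in find_overlong_requests(SAMPLE_LOG):
        print(f"{ip}: errorstr length {n} exceeds cap {MAX_ERRORSTR_LEN}")
```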

Added: Jul 7, 2025, 5:21 PM
Updated: Jul 7, 2025, 5:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.