LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- Affected versions: < 3.3.0
A denial-of-service vulnerability has been identified in WeGIA, a web management tool for charitable institutions. The issue arises because the server does not validate the length of the 'fid' parameter in HTTP GET requests, allowing URLs to be extended up to 8,142 characters. This missing validation leads to excessive resource consumption, increased latency, timeouts, and read errors, causing server instability. The vulnerability has been confirmed to be exploitable, with tests showing a significant impact on server performance.
Exploitation of this vulnerability causes severe degradation of server performance, leading to increased latency, timeouts, and read errors. This resource exhaustion disrupts normal service operations, causing instability and unavailability of the application, particularly in critical environments.
To reproduce this vulnerability, send an HTTP GET request to the WeGIA server with a 'fid' parameter and a 'file_url' parameter. Append additional 'param' parameters to the request to increase the URL length up to 8,142 characters. This can be done using a script that automates the process of adding repeated parameters. The server will process the request, leading to high resource consumption and potential timeouts or read errors.
Users can upgrade to WeGIA version 3.3.0 to address this vulnerability.
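A log check for the request pattern described above, as an added example that is not part of the original advisory or the WeGIA code base: it flags GET requests carrying 'fid' whose URI is unusually long or repeats one parameter name many times. The thresholds, the combined access-log format, and the sample lines (including the path) are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumed thresholds; tune to the longest legitimate URL your deployment serves.
MAX_URI_LEN = 2048
MAX_REPEATS = 10

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def inspect_line(line):
    """Return a finding dict for a suspicious GET request, else None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    uri = m.group("uri")
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    names = Counter(name for name, _ in pairs)
    if "fid" not in names:
        return None  # only requests that carry the affected parameter
    top_name, top_count = names.most_common(1)[0]
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append("long_uri")
    if top_count > MAX_REPEATS:
        reasons.append("repeated_param:" + top_name)
    if not reasons:
        return None
    return {"client": line.split(" ", 1)[0], "uri_len": len(uri), "reasons": reasons}


def scan(lines):
    """Collect findings for every matching line."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample log lines (path, addresses and values are made up).
_padding = "&".join("param=x" for _ in range(1000))
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /constructed/path.php?fid=12&file_url=a.pdf HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2025:10:00:05 +0000] "GET /constructed/path.php?fid=12&file_url=a.pdf&' + _padding + ' HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2025:10:00:09 +0000] "POST /constructed/login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On installations that cannot upgrade immediately, the same length threshold can inform a request-line limit at the reverse proxy or web server in front of the application.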