WeGIA SQL Injection Vulnerability in processa_deletar_socio.php Endpoint

Vulnerability

A SQL injection vulnerability has been identified in WeGIA versions prior to 3.4.5. The issue resides in the 'id_socio' parameter of the '/WeGIA/html/socio/sistema/processa_deletar_socio.php' endpoint. This vulnerability allows attackers to execute arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the application's data.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution, leading to confidential data exfiltration, database compromise, and potential denial-of-service conditions through time-delay queries.

Reproduction

To reproduce this vulnerability, send a POST request to the '/WeGIA/html/socio/sistema/processa_deletar_socio.php' endpoint. Include the 'id_socio' parameter with a value of '1' and the 'pessoa' parameter with a value of 'fisica'. The request should be made with the appropriate headers to simulate a normal user interaction, such as 'User-Agent' and 'X-Requested-With'.

Remediation

Upgrade to WeGIA version 3.4.5 or later, which addresses this vulnerability.
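For readers hardening their own handlers, the following is an added example (not WeGIA's code) of how the 'id_socio' and 'pessoa' parameters named above can be handled safely: the value is validated as an integer, the 'pessoa' value is checked against an allow-list, and the query is a PDO prepared statement so the parameter is never spliced into SQL text. The table and column names ('socio', 'id_socio') and the PDO connection are assumptions.

```php
<?php
// Added example, not WeGIA's own code. Table/column names are assumed.

/**
 * Delete one member record using only validated, bound parameters.
 * Returns true on success, false on invalid input.
 */
function deletar_socio(PDO $db, array $post): bool
{
    // 1. Allow-list 'pessoa': only the literal value documented in the
    //    advisory ('fisica') is accepted here; extend the list as needed.
    $tiposPermitidos = ['fisica'];
    if (!isset($post['pessoa']) || !in_array($post['pessoa'], $tiposPermitidos, true)) {
        http_response_code(400);
        return false;
    }

    // 2. Type-validate 'id_socio' as a positive integer before it reaches SQL.
    //    filter_var() returns false for null, "", "1 OR 1=1", "1; DROP ..." etc.
    $id = filter_var(
        $post['id_socio'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    // 3. Bind the value as a typed parameter: the driver sends it separately
    //    from the statement text, so it cannot alter the query structure.
    $stmt = $db->prepare('DELETE FROM socio WHERE id_socio = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

// Vulnerable pattern this replaces (do NOT use): user input concatenated
// directly into the statement, which is what makes the injection possible.
// $db->query("DELETE FROM socio WHERE id_socio = " . $_POST['id_socio']);
```

Disable emulated prepares on the connection (`$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)`) so the database server, not the PHP client, performs the parameter binding.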

Added: Jul 14, 2025, 11:21 PM
Updated: Jul 14, 2025, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.