LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- <= 3.4.4
A SQL injection vulnerability has been identified in WeGIA versions prior to 3.4.5. The issue resides in the 'id_fichamedica' parameter of the '/html/saude/profile_paciente.php' endpoint. It allows attackers to manipulate SQL queries, potentially leading to unauthorized access to sensitive database information, such as table names and personal data. The vulnerability can be exploited by sending crafted SQL payloads, for example ones that delay the response; the delay indicates that the injected SQL was executed.
Exploitation of this vulnerability allows for unauthorized access to sensitive database information, including user data and application logs. It also enables database enumeration, revealing schemas, tables, users, and application versions. Additionally, this vulnerability could lead to a full compromise of the application if combined with other vulnerabilities.
The vulnerability can be reproduced by sending a request to the '/html/saude/profile_paciente.php' endpoint with a crafted 'id_fichamedica' parameter. The payload can include SQL injection techniques, such as appending 'AND SLEEP(10)', to test whether the parameter is injectable. Once the vulnerability is confirmed, it can be exploited to access sensitive database information.
Users can upgrade to WeGIA version 3.4.5 or later to address this vulnerability.