WeGIA Path Traversal Vulnerability in File Download Endpoint Allowing Unauthorized File Access

Vulnerability

A path traversal vulnerability has been identified in the WeGIA application, specifically in the file download endpoint located at 'html/socio/sistema/download_remessa.php'. This vulnerability, present in versions through 3.4.7, allows unauthorized access to local files on the server, including sensitive information stored in 'config.php', which contains database credentials. The vulnerability exists because user input is not properly sanitized before constructing file paths, and the endpoint can be accessed without authentication.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files, including database configuration details that could allow direct database access. Additionally, the vulnerability could be exploited to access other sensitive system files, potentially leading to further attacks.

Reproduction

The vulnerability can be reproduced by sending a GET request to the 'download_remessa.php' endpoint with a crafted 'file' parameter that includes directory traversal sequences. This request can be made without any authentication.

Remediation

The vulnerability has been patched in WeGIA version 3.4.8, which removes the vulnerable 'download_remessa.php' file from the application.
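For reviewing access logs from the period before the upgrade, the following is an added detection example, not code from WeGIA or from this advisory. It flags every request to the endpoint and marks those whose 'file' parameter contains a '..' path segment, including percent-encoded forms. The combined log format, the '/WeGIA/' install prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint path and parameter name are the ones named in the advisory.
ENDPOINT = "html/socio/sistema/download_remessa.php"
PARAM = "file"
# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded '..' is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client, verdict, status) for hits on the endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target, status = m.group(1), urlsplit(m.group(2)), int(m.group(3))
    if not fully_decode(target.path).endswith(ENDPOINT):
        return None
    verdict = "endpoint-hit"  # 3.4.8 removes this file, so any hit deserves a look
    for value in parse_qs(target.query).get(PARAM, []):
        segments = fully_decode(value).replace("\\", "/").split("/")
        if ".." in segments:
            verdict = "traversal"
    return client, verdict, status

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines: documentation IPs, hypothetical prefix and file names.
P = "/WeGIA/" + ENDPOINT
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Sep/2025:19:22:01 +0000] "GET {P}?file=../../config.php HTTP/1.1" 200 512',
    f'203.0.113.7 - - [01/Sep/2025:19:22:05 +0000] "GET {P}?file=%252e%252e%252fconfig.php HTTP/1.1" 404 0',
    f'198.51.100.4 - - [01/Sep/2025:19:23:10 +0000] "GET {P}?file=remessa_01.txt HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Sep/2025:19:23:12 +0000] "GET /WeGIA/html/home.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, verdict, status in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\tHTTP {status}")
```

A "traversal" verdict with a 200 status on a version through 3.4.7 is a reason to treat the credentials in 'config.php' as exposed and rotate them.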

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.8
exploitability: 6.0
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.