WeGIA SQL Injection Vulnerability in Dependente Remover Endpoint

Vulnerability

A SQL injection vulnerability exists in WeGIA versions prior to 3.4.10. The issue resides in the '/html/funcionario/dependente_remover.php' endpoint, specifically in the 'id_funcionario' parameter, whose value reaches a database query without being safely parameterized. An authenticated attacker can therefore inject arbitrary SQL, compromising the confidentiality, integrity, and availability of the application database.

Impact

Successful exploitation lets an authenticated user run SQL statements of their choosing against the application database: reading sensitive data, modifying or deleting records, and disrupting database operations. The WeGIA advisory additionally notes that, depending on the database configuration, this could be escalated to remote code execution.

Reproduction

To reproduce this vulnerability, log in to the application and capture the session cookie. Then send an authenticated request to the '/html/funcionario/dependente_remover.php' endpoint with an 'id_funcionario' value carrying a SQL payload such as '0 or sleep(3)'. If the parameter is interpolated into the query, the database evaluates sleep(3) and the response arrives roughly three seconds later than a request with a benign value; that delay is the indicator of a successful injection. Note that the 'id_dependente' parameter must be set to a valid value that exists in the database. Because this is a time-based blind check, judge the delay against a baseline request rather than a single absolute response time, and run it only against an instance you are authorised to test.

Remediation

Update to WeGIA version 3.4.10 or later, which patches this vulnerability. All earlier versions remain affected.

Added: Aug 21, 2025, 5:27 PM
Updated: Aug 21, 2025, 6:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.