LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- <= 3.5.0
A SQL injection vulnerability has been identified in the WeGIA web application, specifically in versions prior to 3.5.1. The issue resides in the '/html/funcionario/dependente_listar.php' endpoint, within the 'id_funcionario' parameter. This vulnerability allows attackers to execute arbitrary SQL commands, potentially compromising the database's confidentiality, integrity, and availability.
Exploitation of this vulnerability allows for unauthorized execution of SQL commands, leading to unauthorized access to sensitive data, manipulation of database information, and potential disruption of application operations. Additionally, according to the advisory, this vulnerability could be chained with others for a full application compromise.
To reproduce this vulnerability, log into the application to obtain a session cookie. Then, send a POST request to the '/html/funcionario/dependente_listar.php' endpoint with a crafted 'id_funcionario' parameter that includes a SQL injection payload, such as '1 UNION SELECT version()'. This payload exploits the SQL injection by injecting a UNION SELECT statement that, in this case, retrieves the database version.
Users are advised to update to WeGIA version 3.5.1 or later, where this vulnerability has been patched.
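For code that handles a numeric ID parameter the same way, the flaw class and its fix can be shown side by side. This is an example added here, not WeGIA's code or its patch: the table and column names are hypothetical, and an in-memory SQLite database stands in for the application's database, so `sqlite_version()` replaces the `version()` call in the payload quoted above.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical,
# not WeGIA's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dependente (id_funcionario INTEGER, nome TEXT)")
    db.executemany(
        "INSERT INTO dependente VALUES (?, ?)",
        [(1, "Ana"), (1, "Bruno"), (2, "Carla")],
    )
    return db

def list_dependents_vulnerable(db, id_funcionario):
    # Flawed pattern: the request value is concatenated into the SQL text,
    # so anything after the number is parsed as SQL.
    sql = "SELECT nome FROM dependente WHERE id_funcionario = " + id_funcionario
    return [row[0] for row in db.execute(sql)]

def list_dependents_hardened(db, id_funcionario):
    # 1) Validate: the parameter must be a plain ASCII decimal integer.
    if not (id_funcionario.isascii() and id_funcionario.isdigit()):
        raise ValueError("id_funcionario must be an integer")
    # 2) Bind: the value travels separately from the SQL text.
    sql = "SELECT nome FROM dependente WHERE id_funcionario = ?"
    return [row[0] for row in db.execute(sql, (int(id_funcionario),))]

# Same shape as the advisory's payload, adapted to SQLite (assumption).
PAYLOAD = "1 UNION SELECT sqlite_version()"

if __name__ == "__main__":
    db = make_db()
    # Concatenation: the UNION adds a row that is not a dependent's name.
    print("vulnerable:", list_dependents_vulnerable(db, PAYLOAD))
    # Validation plus binding: a legitimate ID works, the payload is rejected.
    print("hardened  :", list_dependents_hardened(db, "1"))
    try:
        list_dependents_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("rejected  :", exc)
```

Validation and binding are kept as two separate steps on purpose: the bound parameter already stops the injection, and the integer check rejects malformed requests before they reach the database.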