i-Educar Authenticated Time-Based SQL Injection Vulnerability in Agenda Management

Vulnerability

A time-based SQL injection vulnerability has been identified in the i-Educar school management software, specifically in versions through 2.10.0. The issue resides in the 'ieducar/intranet/agenda.php' script, where the 'cod_agenda' request parameter is improperly sanitized before being used in SQL queries. This vulnerability allows authenticated attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access or manipulation.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL commands, bypass authorization, and read, modify, or delete any database data, regardless of user permissions. This could include sensitive information about students, staff, and financial records. Additionally, the vulnerability could be used to execute resource-intensive queries that overload the database server, causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, log into the i-Educar application with a valid user account. Then, navigate to 'ieducar/intranet/agenda.php' and include a crafted 'cod_agenda' parameter that injects SQL code, such as a payload that uses 'pg_sleep()' to demonstrate the injection.

Remediation

Update to the patched version of i-Educar, which is available from the official GitHub repository.
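The following is an added example, not i-Educar's own code, of the defensive pattern that closes this class of bug in a PHP/PostgreSQL script: the 'cod_agenda' value is validated as a positive integer and then bound as a query parameter, so it can never alter the SQL text. The table and column names (agenda, titulo), the connection string and the use of $_GET are assumptions.

```php
<?php
// Added example, not i-Educar code: safe handling of the cod_agenda parameter.
// Table/column names and the connection string are assumed for illustration.

/**
 * Return cod_agenda as a positive int, or null if the value is not a well-formed
 * integer. Rejecting anything else stops injected SQL (such as the pg_sleep()
 * based payloads described in this advisory) before it reaches the database.
 */
function read_cod_agenda(array $request): ?int
{
    if (!isset($request['cod_agenda'])) {
        return null;
    }
    $value = filter_var(
        $request['cod_agenda'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $value === false ? null : $value;
}

/**
 * Fetch one agenda row by id using a bound parameter ($1). The value travels
 * separately from the SQL string, so it cannot change the query's structure.
 */
function fetch_agenda($conn, int $codAgenda): ?array
{
    $result = pg_query_params(
        $conn,
        'SELECT cod_agenda, titulo FROM agenda WHERE cod_agenda = $1',
        [$codAgenda]
    );
    if ($result === false) {
        return null;
    }
    $row = pg_fetch_assoc($result);
    return $row === false ? null : $row;
}

$codAgenda = read_cod_agenda($_GET);
if ($codAgenda === null) {
    http_response_code(400);
    exit('Invalid cod_agenda');
}
$conn = pg_connect('host=localhost dbname=ieducar'); // assumed connection string
$agenda = fetch_agenda($conn, $codAgenda);
```

The same two steps (type validation, then a bound parameter) apply to every other request value the script feeds into a query.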

Added: Nov 19, 2025, 4:18 PM
Updated: Nov 19, 2025, 7:47 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 7.5
exploitability: 6.1
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.