i-Educar Authenticated Time-Based SQL Injection Vulnerability

Vulnerability

A time-based SQL injection vulnerability has been identified in i-Educar school management software, in versions through 2.10.0. The issue resides in the 'ieducar/intranet/funcionario_vinculo_cad.php' script, where the 'cod_funcionario_vinculo' GET parameter is improperly sanitized before being included in an SQL query. This vulnerability allows authenticated attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access or manipulation.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL commands, with the potential to read, modify, or delete any database data. This could include sensitive information about students, staff, and financial records. Additionally, the vulnerability could be used to execute resource-intensive queries that disrupt database availability, causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, log into the i-Educar application with a valid account. Then, navigate to 'ieducar/intranet/funcionario_vinculo_cad.php' and include a crafted 'cod_funcionario_vinculo' parameter that injects a SQL payload, such as a 'UNION SELECT' statement that includes a time-based function like 'pg_sleep()'. The application will take longer to respond, indicating successful exploitation.

Remediation

Users are advised to update to the patched version of i-Educar, which is available on the project's GitHub repository.
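For developers reviewing similar code, the defect class described above (a GET parameter concatenated into a PostgreSQL query) is shown next to its hardened form. This is an added illustration, not i-Educar's own code or patch: the connection resource $conn, the table name and the column names are hypothetical placeholders.

```php
<?php
// Added illustration, not i-Educar's code. $conn is an assumed PostgreSQL
// connection resource; the table funcionario_vinculo and its columns are
// hypothetical placeholders.

// Vulnerable pattern: the GET value is interpolated straight into the SQL
// string, so anything the caller supplies is parsed as part of the query.
function lookup_vinculo_vulnerable($conn, array $get)
{
    $id  = $get['cod_funcionario_vinculo'] ?? '';
    $sql = 'SELECT * FROM funcionario_vinculo WHERE cod_funcionario_vinculo = ' . $id;
    return pg_query($conn, $sql);
}

// Hardened pattern: enforce the expected type first, then bind the value as
// a query parameter so the database never interprets it as SQL.
function lookup_vinculo_hardened($conn, array $get)
{
    $id = filter_var(
        $get['cod_funcionario_vinculo'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400); // reject non-numeric or out-of-range ids
        return false;
    }

    // Defence in depth against slow, resource-heavy queries: cap statement
    // run time for this session (value is an assumption, tune per deployment).
    pg_query($conn, "SET statement_timeout = '5s'");

    $sql = 'SELECT * FROM funcionario_vinculo WHERE cod_funcionario_vinculo = $1';
    return pg_query_params($conn, $sql, [$id]);
}
```

The integer check alone would close this particular parameter; parameter binding is what makes the query safe regardless of how the value is later used.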

Added: Nov 19, 2025, 4:18 PM
Updated: Nov 19, 2025, 7:47 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 7.5
exploitability: 6.1
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.