i-Educar Authenticated Time-Based SQL Injection Vulnerability in Agenda Administration Script

A time-based SQL injection vulnerability has been identified in the i-Educar school management software, specifically in versions through 2.10.0. The issue resides in the 'ieducar/intranet/agenda_admin_cad.php' script, where the 'cod_agenda' GET parameter is improperly sanitized before being included in an SQL query. This vulnerability allows authenticated attackers to execute arbitrary SQL commands against the application's database.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL commands, potentially leading to unauthorized data access, data modification or deletion, and denial-of-service conditions on the database server.

Reproduction

To reproduce this vulnerability, log into the i-Educar application with a valid account. Then, navigate to the 'agenda_admin_cad.php' page and include a crafted 'cod_agenda' parameter in the URL that injects a time-based SQL command, such as 'pg_sleep()', to confirm the injection.

Remediation

Users are advised to update to the patched version available in the GitHub repository.