Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
A SQL injection vulnerability has been identified in the Portabilis i-Educar application, affecting versions up to and including 2.10. The flaw is in the Tabelas de Arredondamento (rounding tables) component, specifically the '/module/TabelaArredondamento/view' endpoint, where the 'id' request parameter reaches a database query without adequate validation or parameterization. By manipulating 'id', an attacker can execute arbitrary SQL against the backend database, which may lead to unauthorized data access, enumeration of the database schema, data manipulation, and a denial-of-service condition caused by injected time delays. The endpoint is reachable remotely by an authenticated user whose account can create or list items in the 'Escola' menu, and an exploit is publicly available.
The injection is blind and time-based: the application does not reflect query results, so an attacker infers data one condition at a time by injecting statements that make the database pause and measuring the response delay. Used this way the flaw can read, modify, or delete records and extract schema information; the same delays, issued repeatedly, tie up database connections and degrade availability.
To reproduce the issue, log in with an account that has permission to create or list items in the 'Escola' menu and navigate to the 'Tabelas de Arredondamento' page. On the vulnerable view endpoint, tamper with the 'id' parameter in the request URL: replacing the expected numeric identifier with a payload that makes the database wait for a chosen interval demonstrates the vulnerability, because the server's response is delayed by that interval while a plain integer value returns immediately. Note that the required interval-based confirmation is itself a small denial-of-service, so test against a non-production instance.
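As a detection aid for the endpoint and parameter named above (an added example, not code from the i-Educar project or from the original advisory), the following script scans web server access logs for requests to '/module/TabelaArredondamento/view' whose 'id' value is not a plain integer. It assumes the Apache/nginx "combined" log format, that 'id' is passed in the query string, and that legitimate values are numeric primary keys; the log lines are constructed for the example. Percent-encoding is decoded twice so that double-encoded payloads are not missed.

```python
"""
Flag requests to the i-Educar rounding-table view endpoint whose 'id'
parameter is not a plain integer. Constructed example, not i-Educar code.
Assumptions: combined access-log format, 'id' carried in the query string,
legitimate ids are numeric.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/module/TabelaArredondamento/view"

# Combined log format: src ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 -0300] "GET /module/TabelaArredondamento/view?id=7 HTTP/1.1" 200 4312',
    '10.0.0.5 - - [12/Mar/2024:10:01:09 -0300] "GET /module/Escola/listar HTTP/1.1" 200 812',
    '203.0.113.9 - - [12/Mar/2024:10:02:30 -0300] "GET /module/TabelaArredondamento/view?id=7%27%20AND%201%3D1--%20 HTTP/1.1" 200 4312',
    '198.51.100.4 - - [12/Mar/2024:10:02:41 -0300] "GET /module/TabelaArredondamento/view?id=7%2527 HTTP/1.1" 500 0',
]


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_id(target):
    """Return the decoded 'id' value when the request targets the vulnerable
    path with a non-integer id; return None otherwise."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    ids = parse_qs(parts.query, keep_blank_values=True).get("id")
    if not ids:
        return None
    for raw in ids:
        # parse_qs already decoded once; a second unquote catches double encoding.
        val = unquote(raw).strip()
        if not re.fullmatch(r"\d+", val):
            return val
    return None


def scan(lines):
    """Return (src, timestamp, method, decoded_id) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bad = suspicious_id(rec["target"])
        if bad is not None:
            hits.append((rec["src"], rec["ts"], rec["method"], bad))
    return hits


if __name__ == "__main__":
    for src, ts, method, bad in scan(SAMPLE_LOG):
        print(f"{ts} {src} {method} {VULN_PATH} id={bad!r}")
```

Two caveats: parameters sent in a POST body are not written to standard access logs, so a body-based injection would not be caught by this check, and a non-numeric 'id' is only an indicator of tampering, not proof of a successful injection. Pair the log check with the definitive control: upgrade past 2.10, and until then ensure the application casts 'id' to an integer or binds it as a query parameter before it reaches the database.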