Portabilis i-Educar SQL Injection Vulnerability in Formula de Cálculo de Média Page

Vulnerability

A SQL injection vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the '/module/FormulaMedia/edit' endpoint, specifically in the 'id' parameter. Because the parameter value reaches the backend database without adequate validation or sanitization, a remote attacker can craft SQL payloads that the database executes. Exploitation could lead to unauthorized data access, database enumeration, data manipulation, and denial-of-service conditions, for example by injecting queries that deliberately stall the database.
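As an added illustration (not i-Educar's code, which this advisory does not reproduce), the following Python contrasts the flaw pattern described above with a hardened version of the same lookup. The table name, column names and sample rows are constructed for the example, and an in-memory SQLite database stands in for the real backend.

```python
import re
import sqlite3

# Constructed sample data; the real i-Educar schema is not shown in the advisory.
SAMPLE_ROWS = [
    (1, "Média aritmética"),
    (2, "Média ponderada"),
    (3, "Média com recuperação"),
]


def make_db():
    """Build an in-memory stand-in for the formula table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE formula_media (id INTEGER PRIMARY KEY, nome TEXT)")
    conn.executemany("INSERT INTO formula_media VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def edit_formula_vulnerable(conn, id_param):
    """The flaw pattern: the raw 'id' request parameter is pasted into the SQL text.

    A value such as "1 OR 1=1" changes the WHERE clause instead of selecting one row.
    """
    sql = f"SELECT id, nome FROM formula_media WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def edit_formula_hardened(conn, id_param):
    """Hardened form: reject anything that is not a plain integer, then bind it.

    Both measures matter: the allow-list stops non-numeric input early, and the
    bound parameter guarantees the value is never interpreted as SQL.
    """
    if not isinstance(id_param, str) or not re.fullmatch(r"[0-9]+", id_param):
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, nome FROM formula_media WHERE id = ?", (int(id_param),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id='1 OR 1=1':", edit_formula_vulnerable(db, "1 OR 1=1"))
    print("hardened,   id='2':       ", edit_formula_hardened(db, "2"))
```

With the vulnerable function, "1 OR 1=1" returns every row, which is exactly the behaviour a blind injection builds on (the attacker asks true/false questions through the WHERE clause). The hardened function raises on the same input and returns only the requested row for a legitimate value.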

Impact

The injection is blind and time-based: the application does not return query results to the attacker directly, so data is inferred one condition at a time from differences in response time. This can be used to read or modify database records, extract database schema information, or cause a denial of service by making every request to the endpoint stall the database. Additionally, according to VulnDB, this vulnerability could potentially be escalated to remote code execution under certain conditions.

Reproduction

To reproduce this vulnerability, navigate to the 'Escola > Cadastros > Tipos > Regras de Avaliação > Formula de Cálculo de Média' section in the application. From there, send a request to the '/module/FormulaMedia/edit' endpoint with a crafted SQL payload in the 'id' parameter. The injection can be verified by observing that the server response is delayed by the amount requested in the payload, which indicates that the injected SQL was executed. Repeating the request with a different delay value rules out ordinary network or server latency.
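For operators hunting for exploitation attempts after the fact, here is an added Python example (not from the advisory or the project). It assumes an access log format with the request time appended as the last field, uses constructed sample lines, and flags requests to '/module/FormulaMedia/edit' whose 'id' is not a plain integer, references a delay function, or took unusually long to answer.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/module/FormulaMedia/edit"

# Constructed access log lines (not real traffic). Format assumed here:
# ip ident user [timestamp] "METHOD URI PROTO" status bytes request_time_seconds
SAMPLE_LOG = """\
10.0.0.5 - - [30/Aug/2025:11:20:01 +0000] "GET /module/FormulaMedia/edit?id=12 HTTP/1.1" 200 5120 0.031
10.0.0.7 - - [30/Aug/2025:11:20:03 +0000] "GET /module/FormulaMedia/edit?id=12%20AND%201%3D1 HTTP/1.1" 200 5120 0.033
10.0.0.7 - - [30/Aug/2025:11:20:09 +0000] "GET /module/FormulaMedia/edit?id=12%3Bselect%20pg_sleep(5)-- HTTP/1.1" 200 5120 5.041
10.0.0.9 - - [30/Aug/2025:11:20:10 +0000] "GET /module/Portabilis/index HTTP/1.1" 200 880 0.012
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r"(?P<status>\d+) \S+ (?P<rt>[\d.]+)$"
)
# Delay functions from several SQL dialects; pg_sleep assumes a PostgreSQL backend.
TIME_FUNCS = re.compile(r"\b(pg_sleep|sleep|benchmark|waitfor)\b", re.I)


def find_suspicious(log_text, slow_threshold=3.0):
    """Return one record per suspicious 'id' value seen on the target endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m.group("uri"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs splits on '&' before percent-decoding, so an encoded ';' in
        # the payload stays inside the 'id' value.
        for value in parse_qs(parts.query).get("id", []):
            reasons = []
            if not re.fullmatch(r"[0-9]+", value):
                reasons.append("non-numeric id")
            if TIME_FUNCS.search(value):
                reasons.append("time-delay function")
            if float(m.group("rt")) >= slow_threshold:
                reasons.append("slow response")
            if reasons:
                hits.append(
                    {"ip": m.group("ip"), "time": m.group("ts"), "id": value, "reasons": reasons}
                )
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The non-numeric check is the strongest signal, since a legitimate 'id' on this endpoint is always an integer; the delay-function and slow-response checks are there to separate a time-based probe from a harmless malformed request, and to catch payloads that use a delay function this list does not name.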

Added: Aug 30, 2025, 11:20 AM
Updated: Aug 30, 2025, 11:20 AM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact          7.5
exploitability  6.6
remediation     0.0
relevance       0.4
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.