Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
A SQL injection vulnerability has been identified in the Portabilis i-Educar application, affecting versions up to 2.10. The issue arises in the 'id' parameter of the '/module/AreaConhecimento/edit' endpoint, within the 'Listagem de áreas de conhecimento' page. This vulnerability allows remote attackers to manipulate SQL queries, potentially leading to unauthorized data access, database enumeration, data manipulation, and denial-of-service conditions through time-based payloads. Exploitation requires an account with permissions to access the 'Escola' menu.
Exploitation of this vulnerability allows for blind, time-based SQL injection, where injected SQL commands are executed on the database with a delay that can be observed in the application's response. This could be used to extract, modify, or delete database records, enumerate database structures, and potentially access sensitive information. The time-based nature of the injection could also be used to disrupt the application's availability.
To reproduce this vulnerability, navigate to the 'Listagem de áreas de conhecimento' page within the i-Educar application. Ensure that the account used has permissions to create or list items in the 'Escola' menu. Once on the vulnerable page, send a POST request to the '/module/AreaConhecimento/edit' endpoint with a crafted 'id' parameter that includes a SQL payload designed to exploit the injection vulnerability. The server's response time will increase, indicating that the SQL injection was successful.
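As an added illustration of the fix pattern for this class of bug (this is not i-Educar's code; i-Educar is a PHP application, and the table, column names and rows below are constructed stand-ins), the vulnerable handler splices the 'id' parameter into the SQL text, while the hardened one type-checks it and binds it as a query parameter:

```python
import re
import sqlite3

# Constructed in-memory table standing in for the knowledge-area records
# listed on the 'Listagem de áreas de conhecimento' page; not the real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE area_conhecimento (id INTEGER PRIMARY KEY, nome TEXT)")
    db.executemany("INSERT INTO area_conhecimento VALUES (?, ?)",
                   [(1, "Linguagens"), (2, "Matemática"), (3, "Ciências")])
    return db

def lookup_vulnerable(db, raw_id):
    # Anti-pattern: the request parameter becomes part of the SQL text, so any
    # characters beyond the digits are interpreted as SQL by the database.
    sql = f"SELECT id, nome FROM area_conhecimento WHERE id = {raw_id}"
    return db.execute(sql).fetchall()

def lookup_hardened(db, raw_id):
    # 1) Enforce the expected type before the value reaches the database layer.
    #    A strict ASCII-digit match is used rather than str.isdigit(), which
    #    also accepts Unicode digits that int() cannot parse.
    if not isinstance(raw_id, str) or not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be a positive integer")
    # 2) Bind the value as a parameter: the driver passes it as data, never as SQL,
    #    so time-based or other injected expressions cannot alter the query.
    sql = "SELECT id, nome FROM area_conhecimento WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

def hardened_rejects(db, raw_id):
    # Helper for checks: True when the hardened lookup refuses the input.
    try:
        lookup_hardened(db, raw_id)
    except ValueError:
        return True
    return False
```

A constructed non-numeric value such as `"1 OR 1=1"` makes the vulnerable lookup return every row, whereas the hardened lookup rejects it before any query runs.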