WeGIA Remote Code Execution Vulnerability in Database Restoration Functionality

Vulnerability

A critical remote code execution vulnerability has been identified in the WeGIA application, which is a web manager for charitable institutions. This vulnerability exists in versions prior to 3.6.5, within the application's database restoration feature. An attacker with administrative access, which can be obtained through a previously reported authentication bypass, can execute arbitrary operating system commands on the server. This is achieved by uploading a backup file with a specially crafted filename that exploits the command execution flaw. When the file is processed during the restoration, the injected commands are executed on the server.

Impact

Exploitation of this vulnerability lets an attacker execute arbitrary commands on the server with the privileges of the web server user. This could lead to a complete compromise of the host system.

Reproduction

The vulnerability can be reproduced by first bypassing authentication to gain administrative access. After establishing a session, a file can be uploaded through the 'importar_dump.php' script, using a filename that includes injected commands. Once the file is uploaded, the 'gerenciar_backup.php' script can be used to trigger the execution of the injected commands by selecting the uploaded file for restoration.

Remediation

Users are advised to update to WeGIA version 3.6.5 or later, where this vulnerability has been patched.
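
For operators auditing similar upload-and-restore code, the sketch below shows the class of defence that closes this kind of filename injection. It is an added example, not WeGIA's code or its 3.6.5 patch. The function names, directory, log and credentials paths, database name, the plain .sql dump format and the use of the mysql client are all assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not WeGIA source. Paths, names and the database
// name below are assumptions made for this example.
const BACKUP_DIR  = '/var/backups/app';
const RESTORE_LOG = '/var/log/app/restore.log';

// Allowlist: letters, digits, '_' and '-' plus a fixed ".sql" suffix.
function is_safe_backup_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.sql\z/', $name) === 1;
}

// Upload step: discard the client-supplied filename, store under a generated one.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $stored = 'dump_' . bin2hex(random_bytes(8)) . '.sql';
    if (!move_uploaded_file($file['tmp_name'], BACKUP_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store upload');
    }
    return $stored;
}

// Restore step: re-validate the selected name, confine it to BACKUP_DIR, run without a shell.
function restore_backup(string $selected): int
{
    if (!is_safe_backup_name($selected)) {
        throw new InvalidArgumentException('rejected backup name');
    }
    $path = realpath(BACKUP_DIR . '/' . $selected);
    if ($path === false || dirname($path) !== realpath(BACKUP_DIR)) {
        throw new InvalidArgumentException('backup is outside the backup directory');
    }
    // Array form of proc_open (PHP >= 7.4) executes the program directly, so no
    // shell parses anything; the dump is attached as stdin, not passed as an argument.
    $proc = proc_open(
        ['mysql', '--defaults-extra-file=/etc/app/restore.cnf', 'appdb'],
        [0 => ['file', $path, 'r'], 1 => ['file', '/dev/null', 'w'], 2 => ['file', RESTORE_LOG, 'a']],
        $pipes
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start restore');
    }
    return proc_close($proc);
}
```

The name is checked again at restore time because the file selected for restoration is a second, separately submitted input, independent of the upload request.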

Added: Feb 27, 2026, 10:26 PM
Updated: Feb 27, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm

Spread: 0.0
Impact: 10.0
Exploitability: 4.2
Remediation: 7.7
Relevance: 3.3
Threat: 6.4
Urgency: 2.9
Incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.