WeGIA Authentication Bypass Vulnerability via Unsafe Use of the extract() Function

Vulnerability

A critical authentication bypass vulnerability has been identified in WeGIA, a web management application for charitable institutions, in versions prior to 3.6.5. The vulnerability arises from an unsafe use of the extract() function on the $_REQUEST superglobal, which allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This exploitation can completely bypass authentication checks, granting unauthorized access to administrative and protected areas of the WeGIA application. The issue is present in several critical files, including the login handler and various protected endpoints.

Impact

Exploitation of this vulnerability allows any unauthenticated attacker to gain full administrative access to the WeGIA system. This includes the ability to manipulate data, access sensitive information such as the personally identifiable information of members (sócios), and potentially achieve remote code execution through the application's backup functionality.

Reproduction

To reproduce this vulnerability, send a POST request to 'html/login.php' with the 'cpf' parameter set to 'admin' and the 'c' parameter set to 'true'. This will bypass the password check and establish an authenticated session as an administrator. Alternatively, in scripts like 'remover_produto_ocultar.php', the 'extract()' function can be used to overwrite session variables or bypass authorization checks, depending on the script's execution flow.
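The mechanism behind both passages above, as an added illustration that is not WeGIA's own code: a login check that calls extract() on the request array, beside a hardened version that reads only the expected keys. The variable and parameter names ($authenticated, 'username', 'password') are assumptions made for the example.

```php
<?php
// Added example, not code from the WeGIA project. Names are assumptions.

// Vulnerable pattern: a local decision variable is initialised, then extract()
// imports every request key as a variable of the same name (EXTR_OVERWRITE is
// the default), so an unexpected key silently replaces the local flag.
function checkLoginVulnerable(array $request, array $users): bool
{
    $authenticated = false;          // local decision variable
    extract($request);               // any key named 'authenticated' overwrites it
    if (isset($username, $password) && isset($users[$username])
        && password_verify($password, $users[$username])) {
        $authenticated = true;
    }
    // If the request carried an 'authenticated' key, the flag was replaced
    // before the password was ever checked, regardless of the verify result.
    return $authenticated;
}

// Hardened pattern: read only the parameters the script expects, explicitly.
// No request key can reach a variable the script did not ask for.
function checkLoginSafe(array $request, array $users): bool
{
    $username = (string) ($request['username'] ?? '');
    $password = (string) ($request['password'] ?? '');
    if ($username === '' || !isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Constructed sample data: one account with a hashed password.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Constructed request: wrong password plus an extra, unexpected key.
$request = ['username' => 'alice', 'password' => 'wrong', 'authenticated' => '1'];

var_dump(checkLoginVulnerable($request, $users));
var_dump(checkLoginSafe($request, $users));
```

The same audit applies to every script that calls extract() on $_REQUEST, $_GET or $_POST: replace it with explicit reads of named parameters, or at minimum use EXTR_SKIP with every local variable initialised before the call.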

Remediation

Users can update to WeGIA version 3.6.5 or later, where this vulnerability has been fixed.

Added: Feb 27, 2026, 10:26 PM
Updated: Feb 27, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.