WeGIA Backup Restoration Symlink Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A symlink traversal vulnerability allowing arbitrary file read has been identified in WeGIA version 3.6.5. This issue arises in the 'loadBackupDB()' function, where tar.gz archives are extracted using PHP's PharData class. The extraction process and subsequent reading of SQL files from the extracted contents do not validate whether archive members are symbolic links. As a result, an attacker can create a malicious archive containing a symlink to a readable file, such as the WeGIA configuration file or '/etc/passwd', and exploit the vulnerability through the admin backup restore feature.

Impact

Exploitation of this vulnerability allows for arbitrary file read via symlink traversal, with confirmed impacts including unauthorized access to sensitive files such as the WeGIA configuration file (which contains database credentials) and the '/etc/passwd' file.

Reproduction

To reproduce this vulnerability, create a tar.gz archive containing a symlink named 'backup.sql' that points to a readable file, such as '/var/www/html/wegia/config.php'. Upload the archive through the admin backup restore feature. The 'loadBackupDB()' function will extract the symlink to a temporary directory, where it can be followed to read the target file. The extracted file contents will be passed to MySQL import, resulting in an error message disclosing the file contents.
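The check the extraction path described above lacks, as an added example that is not WeGIA's own code: the archive is still unpacked with PharData, but every extracted path is tested with is_link() (lstat, so the link is never followed) and a realpath() containment test before any SQL file is opened. Function names, the temp-directory layout and the one-dump-per-archive rule are assumptions.

```php
<?php
// Added example, not WeGIA's code. Hardened restore: extract with PharData, then
// refuse any extracted path that is a symlink or resolves outside the extraction
// directory before reading it. Function names and paths are assumptions.
function extractBackupSafely(string $archivePath, string $destDir): array
{
    $realDest = realpath($destDir);
    if ($realDest === false || !is_dir($realDest)) {
        throw new RuntimeException("extraction directory missing: $destDir");
    }
    $phar = new PharData($archivePath);
    $phar->extractTo($realDest, null, true);

    $sqlFiles = [];
    $iter = new RecursiveIteratorIterator(
        // SKIP_DOTS only: without FOLLOW_SYMLINKS the walk never descends into a link
        new RecursiveDirectoryIterator($realDest, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        // is_link() uses lstat, so a symlink member is detected without being followed
        if (is_link($path)) {
            throw new RuntimeException("refusing symlink in backup archive: $path");
        }
        // Belt and braces: the canonical path must stay inside the extraction dir
        $real = realpath($path);
        if ($real === false || strncmp($real, $realDest . DIRECTORY_SEPARATOR, strlen($realDest) + 1) !== 0) {
            throw new RuntimeException("archive member escapes extraction dir: $path");
        }
        if ($info->isFile() && strtolower($info->getExtension()) === 'sql') {
            $sqlFiles[] = $real;
        }
    }
    return $sqlFiles;
}

// Restore helper: fresh private temp dir, exactly one dump expected, contents never echoed in errors.
function readBackupSql(string $archivePath): string
{
    $tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'restore_' . bin2hex(random_bytes(8));
    if (!mkdir($tmp, 0700)) {
        throw new RuntimeException('could not create private extraction directory');
    }
    $sqlFiles = extractBackupSafely($archivePath, $tmp);
    if (count($sqlFiles) !== 1) {
        throw new RuntimeException('backup must contain exactly one .sql file');
    }
    return file_get_contents($sqlFiles[0]);
}
```

The returned dump should then be imported without reflecting import errors verbatim to the browser, since the advisory's disclosure path runs through the MySQL error message.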

Remediation

Users are advised to update to WeGIA version 3.6.6, where this vulnerability has been fixed. The latest version can be downloaded from the WeGIA GitHub repository.

Added: Mar 11, 2026, 8:30 PM
Updated: Mar 11, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.