WeGIA SQL Injection Vulnerability in Product Restoration Endpoint

A SQL injection vulnerability has been identified in WeGIA, a web management tool for charitable organizations, in versions prior to 3.6.6. The issue resides in the 'html/matPat/restaurar_produto.php' file, where the 'id_produto' parameter from the '$_GET' superglobal is directly inserted into SQL queries without proper sanitization or parameterization. This flaw allows for unauthorized database access and manipulation.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the database, allowing attackers to read, modify, or delete database information. Additionally, there is a potential for executing operating system commands through MySQL's 'INTO OUTFILE' or User Defined Functions.

Reproduction

To reproduce this vulnerability, log into WeGIA with valid credentials and ensure the user has 'Material Patrimonial' permission. Then, send a GET request to 'html/matPat/restaurar_produto.php' with the 'id_produto' parameter crafted to exploit the SQL injection, such as by using 'EXTRACTVALUE' to retrieve database information. The response will include the extracted data, demonstrating the successful exploitation of the vulnerability.

Remediation

Users are advised to update WeGIA to version 3.6.6 or later, where this vulnerability has been fixed.