LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- <= 3.6.5
A critical SQL injection vulnerability has been identified in WeGIA, a web manager for charitable institutions. The issue resides in the remover_produto_ocultar.php script, which does not validate user input. The script calls extract($_REQUEST) to create local variables from request parameters, and those variables are inserted directly into a SQL query executed via PDO::query. An attacker who is authenticated, or who has bypassed authentication, can execute arbitrary SQL commands, potentially exfiltrating sensitive data from the database or causing a time-based delay as a form of denial-of-service. The vulnerability affects WeGIA versions through 3.6.5 and has been patched in version 3.6.6.
Exploitation of this vulnerability allows for arbitrary SQL command execution, leading to a complete compromise of the database. An attacker could extract sensitive information such as user credentials, patient records, and financial data. The ability to execute arbitrary SQL also permits data modification or deletion, causing potential data loss or manipulation.
To reproduce this vulnerability, authenticate using the bypass method available in login.php. Then, send a GET request to remover_produto_ocultar.php, including a payload in the almoxarifado parameter that exploits the SQL injection. The payload should be crafted to manipulate the SQL query and, for example, cause a time-based delay to demonstrate the successful exploitation of the vulnerability.
Users are advised to update to WeGIA version 3.6.6 or later, where this vulnerability has been fixed.
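For code review and regression testing, the pattern described above is shown next to a hardened form. This is an added example, not WeGIA source code or the project's actual patch; the estoque table, its columns, the function names and the assumption that almoxarifado is an integer id are hypothetical.

```php
<?php
// Added illustration, not WeGIA source. Table and column names are hypothetical.

// Pattern the advisory describes: request keys become local variables and one
// of them is concatenated into the SQL text passed to PDO::query.
function countStockVulnerable(PDO $pdo, array $request): int
{
    extract($request); // caller-controlled; can also overwrite locals such as $pdo
    $sql = "SELECT COUNT(*) FROM estoque WHERE id_almoxarifado = $almoxarifado";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Hardened form: read only the expected key, validate its type, bind it.
function countStockHardened(PDO $pdo, array $request): int
{
    $id = filter_var(
        $request['almoxarifado'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        throw new InvalidArgumentException('almoxarifado must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM estoque WHERE id_almoxarifado = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE estoque (id_produto INTEGER, id_almoxarifado INTEGER)');
$pdo->exec('INSERT INTO estoque VALUES (1, 1), (2, 1), (3, 2)');

// A well-formed id gives the same result through both functions.
echo countStockVulnerable($pdo, ['almoxarifado' => '1']), PHP_EOL;
echo countStockHardened($pdo, ['almoxarifado' => '1']), PHP_EOL;

// Anything that is not a plain positive integer never reaches the database.
try {
    countStockHardened($pdo, ['almoxarifado' => '1 plus trailing text']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

When auditing a code base for the same defect, calls to extract() on $_REQUEST, $_GET or $_POST and calls to PDO::query with an interpolated string are the two things to search for.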