WeGIA Backup Restoration SQL Injection Vulnerability Allowing Arbitrary Database Operations

Vulnerability

A vulnerability in WeGIA versions 3.6.5 and 3.6.6 allows for arbitrary SQL execution through the backup restoration feature. The issue arises because the loadBackupDB() function imports SQL files from uploaded backup archives without proper content validation. This flaw enables an attacker to craft a backup archive containing malicious SQL statements that could create unauthorized administrator accounts, alter existing passwords, or perform any database operation. The vulnerability was introduced in version 3.6.5 and has been patched in version 3.6.7.
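The missing content validation described above, shown as an added defensive example that is not WeGIA's code: a hypothetical restore gate that only imports a dump the application itself produced (checked with an HMAC tag written at backup time) and that rejects statement kinds a plain dump never needs, such as UPDATE, GRANT or CREATE USER. BACKUP_KEY, sign_dump, validate_restore and the table names in the sample dumps are assumptions or constructed for the example.

```python
import hmac
import hashlib

# Hypothetical server-side secret; in a real deployment it lives in config outside the web root.
BACKUP_KEY = b"constructed-example-key-do-not-reuse"

# Statement kinds a legitimate mysqldump-style backup is expected to contain (assumption).
ALLOWED_PREFIXES = ("CREATE TABLE", "DROP TABLE IF EXISTS", "INSERT INTO",
                    "LOCK TABLES", "UNLOCK TABLES", "SET ", "/*!")


def sign_dump(sql: bytes) -> str:
    """Tag stored next to the dump when the application itself creates a backup."""
    return hmac.new(BACKUP_KEY, sql, hashlib.sha256).hexdigest()


def split_statements(sql: str) -> list:
    """Split on ';' outside single/double-quoted strings (backslash escapes not handled)."""
    stmts, buf, quote = [], [], None
    for ch in sql:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return [s for s in stmts if s]


def validate_restore(sql: bytes, tag: str) -> list:
    """Return reasons to reject the upload; an empty list means the dump may be imported."""
    problems = []
    # 1. Authenticity: an archive not produced by this instance is refused before any parsing.
    if not hmac.compare_digest(sign_dump(sql), tag):
        problems.append("signature mismatch: archive was not produced by this instance")
    # 2. Content: drop '--' comment lines, then allow only expected statement kinds.
    text = "\n".join(line for line in sql.decode("utf-8", "replace").splitlines()
                     if not line.lstrip().startswith("--"))
    for stmt in split_statements(text):
        if not stmt.upper().startswith(ALLOWED_PREFIXES):
            problems.append("disallowed statement: " + stmt[:40])
    return problems
```

Both checks are independent on purpose: even a correctly signed dump is refused if it carries statements outside the allowlist.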

Impact

Exploitation of this vulnerability could lead to the creation of unauthorized administrator accounts, modification of user passwords, and arbitrary manipulation of the database, including potentially destructive operations such as dropping tables.

Reproduction

To reproduce this vulnerability, create a .tar.gz archive containing a SQL file with crafted SQL statements, such as an INSERT command to add a rogue administrator account. Upload this archive through the admin backup restore feature. The SQL commands will be executed with full database privileges, allowing access as the newly created administrator.

Remediation

Users can update to WeGIA version 3.6.7, where this vulnerability has been patched.

Added: Mar 20, 2026, 11:23 AM
Updated: Mar 20, 2026, 11:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 3.1
remediation: 7.7
relevance: 4.2
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.