WeGIA Authenticated SQL Injection Vulnerability in restaurar_produto.php Endpoint

Vulnerability

A critical authenticated SQL injection vulnerability has been identified in the WeGIA web application for charitable institutions, affecting versions up to and including 3.6.5. The issue resides in the html/matPat/restaurar_produto.php endpoint, where the id_produto GET parameter is read directly from the $_GET array and concatenated into SQL queries without validation, escaping, or parameterization. Because the value becomes part of the statement text rather than a bound parameter, any authenticated user who can reach the endpoint can alter the query the database executes, which can lead to a complete compromise of the application's database.

Impact

Exploitation of this vulnerability allows arbitrary SQL execution with the privileges of the application's database account, with the potential to extract, modify, or delete database records. This could disrupt service or, by altering user and role records, grant unauthorized administrative access within the application. In some database configurations (for example, where the database account is permitted to write files to the server's filesystem), it could even lead to remote code execution.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request to the restaurar_produto.php endpoint with a crafted id_produto parameter containing an SQL injection payload. The injected SQL is executed by the database, allowing the attacker to manipulate the database or extract sensitive information. Because the endpoint does not necessarily echo query results, a time-based payload that makes the database sleep is a convenient confirmation: a measurably slower response shows that the injected expression was evaluated by the database.
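The following added example (written for this page, not code from the WeGIA project) illustrates the pattern described in the Vulnerability and Reproduction sections: a handler that interpolates id_produto into the query text, what a time-based probe and an OR-based payload turn that query into, and a hardened handler that validates the identifier and binds it as a parameter. The table name produto, the column ativo, the shape of the UPDATE statement and the use of an in-memory SQLite database in place of MySQL are all assumptions made for the demonstration; the SLEEP() probe is MySQL syntax and is shown only as generated text, not executed.

```php
<?php
// Added illustration, not WeGIA's source code. Table/column names (produto,
// id_produto, ativo), the query shape and the SQLite backend are assumptions.
declare(strict_types=1);

// VULNERABLE pattern: the GET value is pasted into the SQL text, so whatever
// the client sends becomes part of the statement the database parses.
function vulnerableRestoreQuery(string $idProduto): string
{
    return "UPDATE produto SET ativo = 1 WHERE id_produto = " . $idProduto;
}

// HARDENED pattern: reject anything that is not a plain integer, then bind the
// value as a typed parameter so the database never sees client input as SQL.
function restoreProduto(PDO $pdo, string $idProduto): int
{
    if (!ctype_digit($idProduto)) {
        throw new InvalidArgumentException('id_produto must be a positive integer');
    }
    $stmt = $pdo->prepare('UPDATE produto SET ativo = 1 WHERE id_produto = :id');
    $stmt->bindValue(':id', (int) $idProduto, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample data on an in-memory SQLite database (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE produto (id_produto INTEGER PRIMARY KEY, nome TEXT, ativo INTEGER)');
$pdo->exec("INSERT INTO produto VALUES (1, 'Arroz', 0), (2, 'Feijao', 0)");

$benign    = '1';
$probe     = '1 AND SLEEP(5)';  // time-based confirmation payload (MySQL syntax)
$malicious = '1 OR 1=1';        // restores every row, not just the requested one

// 1. Show what the vulnerable handler would send to the database.
foreach ([$benign, $probe, $malicious] as $input) {
    echo "Vulnerable SQL for [$input]:\n  " . vulnerableRestoreQuery($input) . "\n";
}

// 2. Actually run the OR-based payload through the vulnerable path.
$affected = $pdo->exec(vulnerableRestoreQuery($malicious));
echo "Vulnerable handler with [$malicious] touched $affected row(s) instead of 1\n";

// 3. The hardened handler only ever updates the single requested row.
$pdo->exec('UPDATE produto SET ativo = 0');
foreach ([$benign, $probe, $malicious] as $input) {
    try {
        $n = restoreProduto($pdo, $input);
        echo "Hardened handler restored $n row(s) for [$input]\n";
    } catch (InvalidArgumentException $e) {
        echo "Hardened handler rejected [$input]: {$e->getMessage()}\n";
    }
}
```

Running it with the PHP CLI prints the three generated statements, then reports that the vulnerable path updated 2 rows for the OR-based input, while the hardened handler restores exactly 1 row for "1" and rejects both payloads before any query is built. The ctype_digit check is deliberately stricter than casting with (int): a cast would silently turn "1 OR 1=1" into 1 and hide the attempt, whereas rejecting it lets the application log the anomaly.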

Remediation

Users can upgrade to WeGIA version 3.6.6, which addresses this vulnerability.

Added: Mar 20, 2026, 11:21 AM
Updated: Mar 20, 2026, 11:21 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          3.1
exploitability  4.6
remediation     7.7
relevance       4.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.