LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- <= 3.6.8
A SQL injection vulnerability has been identified in WeGIA, a web management tool for charitable institutions, in versions prior to 3.6.9. The issue resides in the DespachoDAO.php file, where the id_memorando parameter is read from the request and inserted directly into SQL query text without validation or parameter binding, so whatever the client supplies is parsed as part of the statement. Any authenticated user who can reach this code path can therefore execute arbitrary SQL commands against the application database.
Exploitation allows authenticated users to run arbitrary SQL commands, leading to unauthorized reading, modification, or deletion of data. Because the injected SQL runs with the privileges of the application's database account, it exposes the entire WeGIA database, which contains sensitive personal information, staff records, and financial data. Where that account is permitted to perform file operations (for example, a MySQL account holding the FILE privilege on a server whose secure_file_priv setting does not block writes), the injection could be escalated to remote code execution on the database host.
Reproduction requires an authenticated session; any account with access to the memorando module suffices. Once authenticated, send a POST request to the WeGIA control.php endpoint with the id_memorando parameter set to a crafted SQL payload. The injection point can be confirmed by introducing a syntax error into the parameter, which triggers a database error in the response. With the injection confirmed, the database name, version, and current user can be extracted using similar payloads, after which database tables can be enumerated and data extracted or manipulated.
Users can update to WeGIA version 3.6.9 or later, where this vulnerability has been patched.
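The following is an added example, not code from WeGIA or from this advisory, that reproduces the bug class in Python against a constructed in-memory SQLite table. The table name, columns, rows and function names are hypothetical; WeGIA's real query, schema and database engine are not shown on this page, and the exact payloads differ on MySQL. It shows the string-interpolated lookup the advisory describes, the error-based confirmation step, a tautology and two UNION payloads for version fingerprinting and table enumeration, and the parameterized form that closes the hole.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a memorando table.
    Hypothetical schema, chosen only so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE memorando ("
        "id_memorando INTEGER PRIMARY KEY, assunto TEXT, sigilo TEXT)"
    )
    conn.executemany(
        "INSERT INTO memorando VALUES (?, ?, ?)",
        [
            (1, "Compra de alimentos", "publico"),
            (2, "Folha de pagamento", "restrito"),
            (3, "Cadastro de assistidos", "restrito"),
        ],
    )
    return conn


def lookup_despacho_vulnerable(conn, id_memorando):
    """Bug class from the advisory: the request value is pasted into the
    SQL text, so whatever the client sends is parsed as part of the query."""
    sql = (
        "SELECT id_memorando, assunto FROM memorando "
        f"WHERE id_memorando = {id_memorando}"
    )
    return conn.execute(sql).fetchall()


def lookup_despacho_safe(conn, id_memorando):
    """Hardened form: the value is bound as a parameter and never reaches
    the SQL parser, so SQL metacharacters in it have no effect."""
    sql = "SELECT id_memorando, assunto FROM memorando WHERE id_memorando = ?"
    return conn.execute(sql, (id_memorando,)).fetchall()


def probe_for_db_error(conn, lookup, payload):
    """Confirmation step from the advisory: a syntax-breaking payload makes
    the injectable query fail. Returns the database error text, or None when
    the query handled the payload without complaint."""
    try:
        lookup(conn, payload)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    # Ordinary request: both variants return the single matching row.
    print(lookup_despacho_vulnerable(db, "2"))
    print(lookup_despacho_safe(db, "2"))
    # Confirmation: a stray quote breaks only the interpolated query.
    print(probe_for_db_error(db, lookup_despacho_vulnerable, "2'"))
    print(probe_for_db_error(db, lookup_despacho_safe, "2'"))
    # Tautology: the vulnerable query dumps every row, the safe one none.
    print(lookup_despacho_vulnerable(db, "0 OR 1=1"))
    print(lookup_despacho_safe(db, "0 OR 1=1"))
    # Fingerprinting and enumeration via UNION with a matching column count.
    print(lookup_despacho_vulnerable(db, "0 UNION SELECT 1, sqlite_version()"))
    print(lookup_despacho_vulnerable(
        db, "0 UNION SELECT 1, name FROM sqlite_master WHERE type='table'"))
```

The safe variant still accepts the same request value; the difference is that the driver sends it as data, so a tautology or UNION clause is compared against the integer key as an opaque string and simply matches nothing. Adding an explicit integer cast before the query is a cheap second layer, but parameter binding is what actually removes the injection.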