WeGIA Open Redirect Vulnerability in Backup Redirection

Vulnerability

An open redirect vulnerability has been identified in WeGIA, a web manager for charitable institutions, in versions prior to 3.6.9. The issue arises because the redirect parameter is taken directly from the URL query string without any validation or whitelist check. This unvalidated input is then used verbatim in a 'Location' header redirect. The vulnerability can be exploited by sending a crafted link to an admin, which, when clicked, redirects to a site controlled by the attacker, potentially leading to phishing or malware distribution.

Impact

Exploitation allows for phishing attacks by redirecting users to fraudulent sites that mimic legitimate WeGIA pages, creating a false sense of security. This could be used to steal credentials or distribute malware. Additionally, such redirects could disrupt normal authentication processes or damage trust in the WeGIA platform.

Reproduction

To reproduce this vulnerability, an admin session is required. Send a GET request to the 'WeGIA/html/configuracao/backup.php' endpoint with the 'action' parameter set to 'bd' and the 'redirect' parameter pointing to an external URL, such as 'https://evil.com'. After the backup process completes, the server will respond with a redirect to the specified URL, including a success message.

Remediation

Users can update to WeGIA version 3.6.9 or later, where this vulnerability has been patched.
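As an added illustration of the flaw described above and of the kind of check a fix needs (example code, not WeGIA's own source or patch), the following PHP contrasts a redirect target taken verbatim from the query string with one that is restricted to known application pages. Function names, the page allowlist and the default target are assumptions.

```php
<?php
// Added example, not WeGIA's code: a simplified reconstruction of the pattern the
// advisory describes ('redirect' query parameter copied verbatim into a Location
// header) next to a hardened replacement. Function names, the allowlist and the
// default target are assumptions. Both functions return the value that would be
// passed to header('Location: ...') so the script runs without sending headers.

// Vulnerable pattern: whatever the caller supplies becomes the redirect target,
// so 'https://evil.com' or '//evil.com' sends the user off-site.
function redirect_target_unvalidated(array $query): string
{
    return $query['redirect'] ?? 'backup.php';
}

// Hardened: accept only a relative path to a known application page.
function redirect_target_validated(array $query, string $default = 'backup.php'): string
{
    $allowed  = ['backup.php', 'index.php'];        // assumed page allowlist
    $redirect = $query['redirect'] ?? '';
    if (!is_string($redirect) || $redirect === '') {
        return $default;
    }
    // CR/LF or other control characters would enable header injection.
    if (preg_match('/[\x00-\x1f\x7f]/', $redirect)) {
        return $default;
    }
    // Absolute URL with a scheme (https://host, javascript:, data:, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $redirect)) {
        return $default;
    }
    // Protocol-relative (//host) and backslash variants (/\host) that browsers
    // normalise to another origin.
    if (preg_match('#^[/\\\\]{2}#', $redirect)) {
        return $default;
    }
    // Finally the path component itself must be one of the allowed pages.
    $path = parse_url($redirect, PHP_URL_PATH);
    if (!is_string($path) || !in_array(ltrim($path, '/'), $allowed, true)) {
        return $default;
    }
    return $redirect;
}

// Constructed inputs showing how the two functions differ.
$samples = ['backup.php?msg=ok', 'https://evil.com', '//evil.com', '/\\evil.com', "index.php\r\nX: y"];
foreach ($samples as $s) {
    printf("%-26s unvalidated=%-26s validated=%s\n", json_encode($s),
        json_encode(redirect_target_unvalidated(['redirect' => $s])),
        json_encode(redirect_target_validated(['redirect' => $s])));
}
```

Only the first sample survives the validated function unchanged; every other input falls back to the default page.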

Added: Apr 6, 2026, 10:22 PM
Updated: Apr 6, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.2
exploitability: 5.6
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.