LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- <= 3.6.9
A SQL injection vulnerability has been identified in WeGIA versions prior to 3.6.10. The issue resides in the 'dao/memorando/UsuarioDAO.php' file, where the 'cpf_usuario' POST parameter can overwrite the session-stored user identity. This happens because 'DespachoControle::verificarDespacho()' calls 'extract()' on the request data, so a POST field named 'cpf_usuario' replaces the variable that held the identity taken from the session. The injected value is then interpolated directly into a raw SQL query, enabling any authenticated user to query the database under a different identity.
Exploitation of this vulnerability allows for unauthorized database access, with the potential to extract sensitive information. In this case, the entire 'pessoa' table can be accessed, which contains CPF numbers, passwords, and personal data of all residents and staff registered in the system. The vulnerability also undermines the application's session management, as it allows users to impersonate others without detection.
To reproduce this vulnerability, an authenticated session is required. Once logged in, send a POST request to 'WeGIA/controle/control.php' with the 'cpf_usuario' parameter set to an arbitrary value, such as 'admin''. The injected value will overwrite the session's user identity. A SQL syntax error in the response confirms that the session value was overridden; from there, the SQL injection can be used to extract data from the 'pessoa' table with crafted payloads that bypass SQL query sanitization.
Users can update to WeGIA version 3.6.10 or later, where this vulnerability has been patched.
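To make the two defects concrete, the following is an added illustration, constructed for this page and not WeGIA's own code, of the pattern the advisory describes: 'extract()' on request data shadowing a session-held identity, followed by string interpolation into SQL, beside a hardened version that takes the identity only from the session, reads request fields by name, and binds the value with a prepared statement. The function names, the 'cpf' column and the 'id_despacho' field are assumptions.

```php
<?php
// Added illustration of the pattern described in the advisory; not WeGIA's code.
// Function names, the 'cpf' column and 'id_despacho' are assumed for the example.

// VULNERABLE: extract() runs after the session identity was copied into a local
// variable, so a POST field named cpf_usuario silently replaces it, and the
// replaced value is then interpolated into the query string.
function verificarDespachoVulnerable(PDO $db, array $post): array
{
    $cpf_usuario = $_SESSION['cpf_usuario'] ?? '';      // trusted identity
    extract($post);                                      // $cpf_usuario now comes from the request
    $sql = "SELECT * FROM pessoa WHERE cpf = '$cpf_usuario'"; // raw interpolation
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: no extract() at all, the identity is read from the session only,
// each request field is fetched by name and validated, and the query uses a
// bound parameter so the value can never change the SQL structure.
function verificarDespachoHardened(PDO $db, array $post): array
{
    $cpf_usuario = $_SESSION['cpf_usuario'] ?? null;
    if ($cpf_usuario === null) {
        throw new RuntimeException('no authenticated user in session');
    }
    // Request data is consulted explicitly; it cannot create or overwrite variables.
    $idDespacho = filter_var($post['id_despacho'] ?? '', FILTER_VALIDATE_INT);
    if ($idDespacho === false) {
        throw new InvalidArgumentException('invalid id_despacho');
    }
    $stmt = $db->prepare('SELECT * FROM pessoa WHERE cpf = :cpf');
    $stmt->execute([':cpf' => $cpf_usuario]);              // bound, not interpolated
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Detection hint for code review: grep for extract($_POST / extract($_GET /
// extract($_REQUEST) and for SQL strings built with "...$var..." interpolation.
```

If 'extract()' cannot be removed immediately, calling it with 'EXTR_SKIP' (which refuses to overwrite variables that already exist) closes the identity override but not the injection, so the prepared statement is still required.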