WeGIA Information Disclosure Vulnerability in Error Handling

Vulnerability

A vulnerability in WeGIA, a web management tool for charitable organizations, allows for information disclosure through overly descriptive error messages in versions prior to 3.7.0. The error messages, which include database-related details, could help an attacker map the backend infrastructure and expand the attack surface. This vulnerability is fixed in version 3.7.0.

Impact

The verbose error messages can leak sensitive implementation details, such as allowed file extensions, maximum buffer sizes, or the specific image processing libraries in use. This information could enable an attacker to create a tailored payload to evade security filters and validation processes.

Reproduction

To reproduce this vulnerability, access the 'atendido/familiar_docfamiliar.php' URL on a WeGIA installation prior to version 3.7.0. The application will display an error message containing database-related information. This error handling vulnerability can be exploited by uploading files that trigger similar verbose error responses, thereby leaking sensitive implementation details.

Remediation

Users can upgrade to WeGIA version 3.7.0 or later to address this vulnerability.
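
The verbose error handling described under Impact, next to a pattern that keeps the detail in the server log, as an added example. This is not WeGIA's code or its 3.7.0 fix; the function names, messages, allow-list and size limit are assumptions, and the failures are constructed.

```php
<?php
declare(strict_types=1);

// Keep PHP's own warnings and traces out of responses; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Weak pattern: the exception text goes straight to the client.
function respondVerbose(Throwable $e): array
{
    return ['status' => 500, 'error' => $e->getMessage()];
}

// Hardened pattern: full detail goes to the server log under a random
// reference; the client gets one fixed message plus that reference.
function respondGeneric(Throwable $e): array
{
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] %s: %s (%s:%d)', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    return ['status' => 500, 'error' => 'The request could not be processed.', 'ref' => $ref];
}

// Hypothetical upload check; the allow-list and size limit are assumed values.
function validateUpload(string $name, int $size): void
{
    $allowed = ['pdf', 'png', 'jpg'];
    $maxBytes = 5 * 1024 * 1024;
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new RuntimeException("extension '$ext' not in " . implode(',', $allowed));
    }
    if ($size > $maxBytes) {
        throw new RuntimeException("size $size exceeds limit of $maxBytes bytes");
    }
}

// Constructed failures: a driver-style database error and a rejected upload.
$failures = [new RuntimeException(
    "SQLSTATE[42S02]: Base table or view not found: 1146 Table 'example_db.example_table' doesn't exist")];
try {
    validateUpload('notes.txt', 1024);
} catch (RuntimeException $e) {
    $failures[] = $e;
}
foreach ($failures as $e) {
    echo 'verbose: ', json_encode(respondVerbose($e)), PHP_EOL;
    echo 'generic: ', json_encode(respondGeneric($e)), PHP_EOL;
}
```

The reference value lets support staff find the matching log entry without the response carrying table names, limits or library details.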

Added: May 11, 2026, 7:27 PM
Updated: May 11, 2026, 7:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.