WeGIA Information Disclosure Vulnerability in File Upload Error Handling

Vulnerability

WeGIA, a web management application for charitable institutions, is vulnerable in versions prior to 3.6.10. The file upload feature in 'funcionario/docdependente_upload.php' generates overly detailed error messages in response to malicious file uploads. These messages disclose information to unauthorized parties, giving potential attackers technical insight they could use to refine their exploitation strategies.

Impact

The verbose error messages during file uploads can unintentionally reveal sensitive implementation details, such as allowed file types, maximum file sizes, or specific image processing libraries in use. This information could enable an attacker to create a tailored payload that evades existing security measures and validation processes.

Reproduction

To reproduce this vulnerability, upload a file containing malicious content through the 'funcionario/docdependente_upload.php' endpoint. The application will respond with a detailed error message that discloses technical information about the file upload process.

Remediation

Users can upgrade to WeGIA version 3.6.10 or later to address this vulnerability.
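
The general pattern for closing this kind of leak, as an added example that is not WeGIA's code or the 3.6.10 change: validation detail is written to the server log under a reference id, and the client receives one fixed message for every failure. The function names, size limit, allow-list and response shape are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not WeGIA code. Limit and allow-list are assumed values.
const MAX_BYTES = 5 * 1024 * 1024;
const ALLOWED_MIME = ['application/pdf', 'image/png', 'image/jpeg'];

// Returns null when the file passes, otherwise an internal reason for the log.
function validateUpload(array $file): ?string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return 'php upload error code ' . (int) $err;
    }
    if ((int) $file['size'] > MAX_BYTES) {
        return sprintf('size %d exceeds limit %d', $file['size'], MAX_BYTES);
    }
    // Detect the type from content; the client-supplied name and type are untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return 'detected type ' . var_export($mime, true) . ' not in allow-list';
    }
    return null;
}

// Detail goes to the server log under a random reference id; the client sees
// one fixed message for every failure, so responses do not reveal which check fired.
function handleUpload(array $file): array
{
    $reason = validateUpload($file);
    if ($reason === null) {
        return ['status' => 200, 'body' => ['ok' => true]];
    }
    $ref = bin2hex(random_bytes(8));
    error_log("upload rejected ref=$ref reason=$reason");
    return ['status' => 400, 'body' => [
        'ok' => false, 'message' => 'The file could not be accepted.', 'ref' => $ref,
    ]];
}

// Constructed sample: a PHP script offered as a document upload.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'x'; ?>");
$sample = ['error' => UPLOAD_ERR_OK, 'size' => filesize($tmp), 'tmp_name' => $tmp];
echo json_encode(handleUpload($sample)), PHP_EOL;
unlink($tmp);
```

In a request handler the array would come from `$_FILES` and `is_uploaded_file()` would be checked first; the sample skips that so the block runs from the CLI. The reference id lets support staff find the logged reason without exposing it in the response.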

Added: May 11, 2026, 8:40 PM
Updated: May 11, 2026, 8:40 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.