CVE-2024-57031
📋 TL;DR
WeGIA versions below 3.2.0 contain a SQL injection vulnerability in the /funcionario/remuneracao.php endpoint via the id_funcionario parameter. This allows attackers to execute arbitrary SQL commands on the database. Organizations using WeGIA for personnel management are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, privilege escalation, and potential remote code execution on the database server.
Likely Case
Unauthorized access to sensitive employee remuneration data, personal information disclosure, and potential database manipulation.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only error messages or partial data exposure.
🎯 Exploit Status
Exploitation requires access to the vulnerable endpoint, which may require authentication. SQL injection is a well-understood attack vector with many automated tools available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.0
Vendor Advisory: https://www.wegia.org/
Restart Required: No
Instructions:
1. Backup your WeGIA installation and database.
2. Download WeGIA version 3.2.0 or later from the official website.
3. Replace the vulnerable files with the patched version.
4. Verify the fix by testing the id_funcionario parameter.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to ensure id_funcionario contains only numeric characters.
Modify /funcionario/remuneracao.php to add: if (!isset($_GET['id_funcionario']) || !is_numeric($_GET['id_funcionario'])) { die('Invalid input'); }
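The one-line check above stops the injection, but the durable fix is to validate the id as an integer and bind it in a prepared statement so the value is never concatenated into SQL. The following is an added example, not WeGIA's own code; the table and column names (remuneracao, salario) and the in-memory SQLite database are assumptions standing in for the real schema, and pdo_sqlite is assumed to be available.

```php
<?php
// Added example (not WeGIA's code): hardened handling of an id_funcionario-style
// parameter. Table/column names and the SQLite stand-in are assumptions.
declare(strict_types=1);

// Return a validated positive integer id, or null for any other input.
function parseEmployeeId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects quotes, SQL keywords, exponents and
    // non-digit characters; min_range excludes zero and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Query with a bound integer parameter; the id never touches the SQL text.
function fetchRemuneration(PDO $db, int $id): array
{
    $stmt = $db->prepare(
        'SELECT id_funcionario, salario FROM remuneracao WHERE id_funcionario = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remuneracao (id_funcionario INTEGER, salario REAL)');
$db->exec('INSERT INTO remuneracao VALUES (1, 3500.0), (2, 4200.0)');

// Constructed inputs: one benign id, two injection-shaped strings, one negative.
foreach (['1', "1' OR '1'='1", '2 UNION SELECT 1,2', '-1', '2'] as $input) {
    $id = parseEmployeeId($input);
    if ($id === null) {
        printf("%-22s => rejected, respond with HTTP 400\n", $input);
        continue;
    }
    printf("%-22s => %s\n", $input, json_encode(fetchRemuneration($db, $id)));
}
```

In the real endpoint the rejected branch should send a 400 response and log the raw value, since (per the detection section below on this page) non-numeric values on this parameter are themselves an indicator worth alerting on.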
Web Application Firewall (WAF)
Deploy a WAF with SQL injection protection rules to block malicious requests.
🧯 If You Can't Patch
- Restrict access to /funcionario/remuneracao.php endpoint using network ACLs or authentication.
- Implement database user with minimal privileges (read-only if possible) for the application.
🔍 How to Verify
Check if Vulnerable:
Test the /funcionario/remuneracao.php endpoint with a payload like: id_funcionario=1' OR '1'='1 and observe if SQL errors or unexpected data is returned.
Check Version:
Check the WeGIA version in the admin panel or configuration files.
Verify Fix Applied:
After patching, test with the same SQL injection payload; it should return an error message or no data instead of executing the SQL.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple requests to /funcionario/remuneracao.php with suspicious parameters (e.g., containing quotes, SQL keywords)
Network Indicators:
- HTTP requests to /funcionario/remuneracao.php with parameters containing SQL syntax (UNION, SELECT, etc.)
SIEM Query:
source="web_logs" AND uri_path="/funcionario/remuneracao.php" AND (param="%27%" OR param="%20OR%20" OR param="%20UNION%20")
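The SIEM query above matches URL-encoded substrings in the raw request, so it misses a literal quote, a mixed-case keyword, or a differently encoded space. The following added example (not WeGIA's or any vendor's code) decodes each request before inspecting it: it flags requests to /funcionario/remuneracao.php whose id_funcionario is not purely numeric, or whose parameters contain quote characters or SQL keywords. The combined-format log lines are constructed for the example.

```php
<?php
// Added example (not WeGIA's code): classify access-log lines that target the
// vulnerable endpoint. Apache/Nginx combined log format is assumed.
declare(strict_types=1);

const TARGET_PATH = '/funcionario/remuneracao.php';

// Return null for a benign or unrelated line, or a reason string when suspicious.
function classifyRequest(string $line): ?string
{
    // Pull "METHOD /path?query HTTP/x.y" out of the quoted request field.
    if (!preg_match('/"(?:GET|POST) ([^ "]+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (($url['path'] ?? '') !== TARGET_PATH) {
        return null;
    }
    // parse_str URL-decodes values, so %27 and %20 are inspected as ' and space.
    parse_str($url['query'] ?? '', $params);

    $id = $params['id_funcionario'] ?? null;
    if (is_string($id) && !ctype_digit($id)) {
        return "non-numeric id_funcionario: $id";
    }
    foreach ($params as $name => $value) {
        if (is_array($value)) {
            $value = implode(' ', $value);
        }
        $value = (string) $value;
        // Quote characters or whole-word SQL keywords, case-insensitive.
        if (preg_match('/[\'"]|\b(?:union|select|or|and)\b/i', $value)) {
            return "SQL syntax in parameter $name: $value";
        }
    }
    return null;
}

// Constructed sample log lines: one benign hit, two injection attempts, one unrelated path.
$sampleLog = [
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /funcionario/remuneracao.php?id_funcionario=42 HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /funcionario/remuneracao.php?id_funcionario=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /funcionario/remuneracao.php?id_funcionario=1+uNiOn+SeLeCt+1,2,3 HTTP/1.1" 500 233',
    '10.0.0.7 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php?q=union%20station HTTP/1.1" 200 1024',
];

foreach ($sampleLog as $line) {
    $reason = classifyRequest($line);
    if ($reason !== null) {
        echo "ALERT: $reason\n";
    }
}
```

Running it prints two alerts, both for the 10.0.0.9 requests; the first is caught by the numeric check alone, the second despite its mixed case and plus-encoded spaces. The keyword list is deliberately short and will match ordinary words such as "or" in free-text parameters on other endpoints, so keep the path filter when adapting it.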