CVE-2025-65022
📋 TL;DR
An authenticated time-based SQL injection vulnerability in i-Educar school management software allows attackers with valid user credentials to execute arbitrary SQL commands against the database. This affects all users running i-Educar versions 2.10.0 and earlier. The vulnerability exists in the agenda.php script where user input is not properly sanitized before being included in SQL queries.
💻 Affected Systems
- i-Educar
📦 What is this software?
I Educar by Portabilis
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution on the database server.
Likely Case
Unauthorized data access and exfiltration of sensitive student, staff, and financial information stored in the database.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented, restricting SQL injection attempts.
🎯 Exploit Status
Exploitation requires authenticated access but uses well-known SQL injection techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit b473f92 and later
Vendor Advisory: https://github.com/portabilis/i-educar/security/advisories/GHSA-4hrj-5gwx-r4w4
Restart Required: No
Instructions:
1. Update to the latest i-Educar version containing commit b473f92.
2. Apply the patch manually if running an older version.
3. Verify the fix by testing the agenda.php endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation so that only numeric values are accepted for the cod_agenda parameter
Add validation in agenda.php: if(!is_numeric($_REQUEST['cod_agenda'])) { die('Invalid input'); }
Note that is_numeric() also accepts leading whitespace, decimals and exponent notation ("1.5", "1e3"); if cod_agenda is an integer identifier, PHP's FILTER_VALIDATE_INT filter is the stricter check, and the value should still be bound through a prepared statement rather than concatenated into the query.
WAF Rule
Implement web application firewall rules to block SQL injection patterns
ModSecurity rule: SecRule ARGS:cod_agenda "@detectSQLi" "id:1001,phase:2,deny,status:403"
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all user inputs
- Restrict database user permissions to minimum required and implement network segmentation
🔍 How to Verify
Check if Vulnerable:
Test the ieducar/intranet/agenda.php endpoint with SQL injection payloads in the cod_agenda parameter and observe time delays
Check Version:
Check i-Educar version in admin panel or review git commit history
Verify Fix Applied:
Verify that commit b473f92 is present in your installation and test that SQL injection attempts no longer work
📡 Detection & Monitoring
Log Indicators:
- Multiple failed SQL queries from the same user session
- Unusual database query patterns in application logs
- Long-running queries on agenda.php endpoint
Network Indicators:
- Repeated requests to agenda.php with varying cod_agenda parameters
- Requests containing SQL keywords like SLEEP, WAITFOR, BENCHMARK
SIEM Query:
source="web_logs" AND uri="/ieducar/intranet/agenda.php" AND (query="*SLEEP*" OR query="*WAITFOR*" OR query="*BENCHMARK*")
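The log and network indicators above, turned into a small offline checker as an added example (this is not code from the advisory or from the i-Educar project). It assumes an Apache-style access log with one extra trailing field holding the response time in milliseconds (a constructed format; Apache's %D would give microseconds), matches the SLEEP, WAITFOR and BENCHMARK keywords named on the page plus pg_sleep on the assumption that the backend is PostgreSQL (the page does not say which database is used), flags any non-integer cod_agenda value, slow responses and 5xx errors on agenda.php, and counts distinct cod_agenda values per client to spot the "varying cod_agenda" pattern. The sample log lines, client addresses, user names and thresholds are all constructed.

```python
"""Offline detection pass over access logs for CVE-2025-65022 indicators (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote_plus

AGENDA_PATH = "/ieducar/intranet/agenda.php"

# Apache-style access line with one extra trailing field: response time in ms (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

# Time-delay primitives named on the advisory page (SLEEP, WAITFOR, BENCHMARK);
# pg_sleep is an assumption for a PostgreSQL backend, which the page does not state.
TIME_DELAY_RE = re.compile(r"\b(sleep|waitfor|benchmark|pg_sleep)\b", re.IGNORECASE)
# cod_agenda is treated as an integer identifier; anything else is suspicious.
INT_ID_RE = re.compile(r"^\d+$")

# Constructed sample log: jdoe is normal use, mallory shows the indicators.
SAMPLE_LOG = """\
203.0.113.7 - jdoe [10/Nov/2025:09:01:02 -0300] "GET /ieducar/intranet/agenda.php?cod_agenda=12 HTTP/1.1" 200 5120 48
203.0.113.7 - jdoe [10/Nov/2025:09:01:30 -0300] "GET /ieducar/intranet/agenda.php?cod_agenda=13 HTTP/1.1" 200 5044 51
203.0.113.7 - jdoe [10/Nov/2025:09:02:10 -0300] "GET /ieducar/intranet/index.php HTTP/1.1" 200 900 12
198.51.100.9 - mallory [10/Nov/2025:09:05:11 -0300] "GET /ieducar/intranet/agenda.php?cod_agenda=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120 5062
198.51.100.9 - mallory [10/Nov/2025:09:05:20 -0300] "GET /ieducar/intranet/agenda.php?cod_agenda=12%27 HTTP/1.1" 500 312 40
198.51.100.9 - mallory [10/Nov/2025:09:05:25 -0300] "GET /ieducar/intranet/agenda.php?cod_agenda=1 HTTP/1.1" 200 5120 44
198.51.100.9 - mallory [10/Nov/2025:09:05:26 -0300] "GET /ieducar/intranet/agenda.php?cod_agenda=2 HTTP/1.1" 200 5120 43
198.51.100.9 - mallory [10/Nov/2025:09:05:27 -0300] "GET /ieducar/intranet/agenda.php?cod_agenda=3 HTTP/1.1" 200 5120 46
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    qs = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs percent-decodes once; decode a second time so a double-encoded
    # value (%2520 -> %20 -> space) is inspected in its final form.
    rec["cod_agenda"] = unquote_plus(qs["cod_agenda"][0]) if "cod_agenda" in qs else None
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    return rec


def analyze(lines, slow_ms=5000, distinct_ids_threshold=5):
    """Return a list of (indicator, client_ip, detail) tuples for agenda.php requests."""
    findings = []
    ids_per_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != AGENDA_PATH:
            continue
        value = rec["cod_agenda"]
        if value is not None:
            ids_per_client[rec["ip"]].add(value)
            if TIME_DELAY_RE.search(value):
                findings.append(("time_delay_keyword", rec["ip"], value))
            elif not INT_ID_RE.match(value):
                findings.append(("non_numeric_cod_agenda", rec["ip"], value))
        if rec["ms"] >= slow_ms:  # long-running request on the vulnerable endpoint
            findings.append(("slow_response", rec["ip"], rec["ms"]))
        if rec["status"] >= 500:  # failed query surfacing as a server error
            findings.append(("server_error", rec["ip"], rec["status"]))
    # Many distinct cod_agenda values from one client within the window.
    for ip, ids in ids_per_client.items():
        if len(ids) >= distinct_ids_threshold:
            findings.append(("cod_agenda_enumeration", ip, len(ids)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

The non-integer check is the one that generalises: it fires on any value that is not a plain identifier, so it does not depend on the keyword list, and the keyword and slow-response checks then tell you which hits look like timing probes. Tune distinct_ids_threshold to the normal browsing pattern of your users before alerting on it, and feed the script the same field layout your web server actually writes.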