Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-31894 is a vulnerability in the WeGIA web manager version 3.6.5 related to the backup restore process. The loadBackupDB() function extracts tar.gz archives using PHP's PharData class into a temporary directory and then reads SQL files from the extracted contents. However, it does not validate whether the extracted archive members are symbolic links."}, {'type': 'paragraph', 'content': 'An attacker can craft a malicious backup archive containing a symbolic link named like an SQL file (e.g., "backup.sql") that points to any arbitrary readable file on the server. When the archive is restored, the symbolic link is extracted, and the system reads the linked file\'s contents instead of a legitimate SQL file. This can lead to arbitrary file read and information disclosure.'}, {'type': 'paragraph', 'content': 'The vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access) and was fixed in version 3.6.6 by adding checks to reject symbolic links and prevent directory traversal during backup restoration.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to arbitrary file read and information disclosure on the server running WeGIA. An attacker exploiting this flaw can craft a malicious backup archive that, when restored, causes the system to read and potentially leak sensitive files such as configuration files or system files.

Although the MySQL import process fails when reading these files, error messages may leak the contents of the targeted files, exposing sensitive information to an attacker with access to the backup restore feature.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting backup archives for the presence of symbolic links that could be exploited during the restore process. Specifically, you should check extracted backup directories for symbolic links and verify that all files reside within the expected temporary directory.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect symbolic links in the extracted backup directory include:'}, {'type': 'list_item', 'content': "Use the 'find' command to locate symbolic links: find /path/to/extracted/backup -type l"}, {'type': 'list_item', 'content': 'Check real paths of files to ensure they reside within the expected directory: realpath /path/to/extracted/backup/*'}, {'type': 'list_item', 'content': 'Recursively list files and check for symlinks using PHP scripts or similar tools that implement is_link() checks.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include validating backup archives before restoration to ensure they do not contain symbolic links or files that resolve outside the intended temporary directory.

Specifically, you should:

• Implement checks to reject any backup archive containing symbolic links by iterating over extracted files and using is_link() to detect symlinks.
• Verify that the real paths of all extracted files start with the temporary directory path to prevent directory traversal.
• Ensure that exactly one SQL file is present, that it is a regular file (not a symlink), and that it resides within the temporary directory.
• Upgrade WeGIA to version 3.6.6 or later, where this vulnerability is fixed.

Useful 0 Not Useful 0