Executive Summary

CVE-2026-31895 is a high-severity SQL injection vulnerability found in the WeGIA web application, specifically in the file html/matPat/restaurar_produto.php in versions prior to 3.6.6.

The vulnerability occurs because the id_produto parameter, taken directly from the HTTP GET request, is inserted into SQL queries without any sanitization, input validation, or use of prepared statements.

This unsafe coding practice allows an authenticated user with Material Patrimonial permission to manipulate the SQL queries, potentially extracting sensitive data or modifying the database.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Full read access to the database, exposing sensitive information such as credentials, personally identifiable information (PII), and financial data.
• Ability to modify or delete database contents, potentially disrupting application functionality or corrupting data.
• Potential execution of operating system commands through MySQL features like INTO OUTFILE or User Defined Functions (UDF), leading to further system compromise.

Overall, this vulnerability can lead to severe data breaches and system compromise.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by testing the vulnerable parameter `id_produto` in the URL of the affected endpoint `html/matPat/restaurar_produto.php` for injection attempts.'}, {'type': 'paragraph', 'content': 'A common detection method is to send crafted HTTP GET requests with SQL injection payloads and observe the responses for database error messages or unexpected data leakage.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability (requires an authenticated session with Material Patrimonial permission):'}, {'type': 'list_item', 'content': 'curl -i -b "PHPSESSID=<valid_session>" "http://target/html/matPat/restaurar_produto.php?id_produto=1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT user())))"'}, {'type': 'paragraph', 'content': "If the response contains an XPATH syntax error revealing the database user (e.g., `SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '[email protected]'`), it confirms the presence of the SQL injection vulnerability."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade the WeGIA application to version 3.6.6 or later, where this vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, restrict access to the vulnerable endpoint to only trusted and authenticated users with the necessary permissions.'}, {'type': 'paragraph', 'content': 'Additionally, review and replace all direct SQL query interpolations with prepared statements using parameter binding to prevent SQL injection.'}, {'type': 'paragraph', 'content': 'Example of a secure code fix:'}, {'type': 'list_item', 'content': "$idProduto = $_GET['id_produto'];"}, {'type': 'list_item', 'content': '$stmt = $pdo->prepare("SELECT ... WHERE p.id_produto = :id");'}, {'type': 'list_item', 'content': "$stmt->bindParam(':id', $idProduto, PDO::PARAM_INT);"}, {'type': 'list_item', 'content': '$stmt->execute();'}, {'type': 'paragraph', 'content': 'Also, audit the codebase for other instances of unsafe input handling, such as the widespread use of `extract($_REQUEST)`, and apply similar fixes.'}] [1]

Useful 0 Not Useful 0