VYPR
High severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 6, 2026

OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service

CVE-2026-24417

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenSTAManager v2.9.8 and earlier have a critical time-based blind SQL injection in global search, allowing authenticated attackers to extract sensitive data.

Vulnerability

Overview

OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers. The entry point is /ajax_search.php, where the $term parameter undergoes only minimal sanitization (forward slash replacement) before being passed to all module-specific search handlers via /src/AJAX.php::search() [1][2][3].

Exploitation

Details

An authenticated attacker can exploit this vulnerability by sending a crafted term parameter in a GET request to /ajax_search.php. Apart from the forward-slash replacement, the $term value is passed unchanged to at least ten module-specific search handlers (Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi), each of which concatenates it directly into a SQL LIKE clause instead of binding it in a prepared statement. For example, /modules/articoli/ajax/search.php at line 51 builds its query with LIKE "%$term%", so a double quote in the term closes the string literal and whatever follows it is executed as SQL [3]. Data is extracted by time-based Boolean inference: each request carries a condition that triggers a delay (a SLEEP()-style call) only when it holds, and whether the response is delayed leaks one bit of the targeted value per request.

Impact

Successful exploitation allows an attacker to extract sensitive database contents, including password hashes, customer data, and financial records. Because the single term parameter is concatenated into the query of each of the 10+ handlers, one request executes the injected SQL once per handler: this widens the data an attacker can reach and, for a time-based payload, multiplies the delay, so a handful of requests carrying long delay conditions can tie up the database and produce a denial-of-service condition [3].
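What this traffic looks like from the defender's side, as an added example that is not part of the advisory or of OpenSTAManager: a small Python scanner that flags requests to /ajax_search.php whose term parameter carries a time-based injection primitive or a string-literal breakout, or whose response time is far above that of a normal search. The log lines are constructed for the example; their layout (combined log format with a trailing upstream response time in seconds) and the 5-second slow threshold are assumptions to adapt to your own server.

```python
"""
Added example (not part of the advisory or the OpenSTAManager project):
scan access-log lines for requests to /ajax_search.php whose `term`
parameter carries a time-based SQL injection payload, or whose response
time is abnormally long. Assumed log layout: combined log format followed
by the upstream response time in seconds as the last field.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Delay primitives used by time-based blind injection against MySQL/MariaDB
# (OpenSTAManager's backend), plus the equivalents of other engines.
TIME_PRIMITIVES = re.compile(
    r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR\s+DELAY|DBMS_LOCK\.SLEEP)\b",
    re.IGNORECASE,
)
# A quote followed by a boolean operator, or a SQL comment opener, is what
# a payload needs to break out of the LIKE "%$term%" string literal.
# Tune for your data: an Italian term such as "d'or" would also match.
BREAKOUT = re.compile(r"""["']\s*(?:OR|AND)\b|--|/\*""", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)

SLOW_SECONDS = 5.0  # assumed: an ordinary global search finishes well under this

def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for a suspicious /ajax_search.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != "/ajax_search.php":
        return None
    # parse_qs percent-decodes once; decode again to catch double-encoded payloads
    term = unquote_plus(parse_qs(parts.query).get("term", [""])[0])
    reasons = []
    if TIME_PRIMITIVES.search(term):
        reasons.append("time-based primitive in term")
    if BREAKOUT.search(term):
        reasons.append("string-literal breakout in term")
    rt = float(m["rt"])
    if rt >= SLOW_SECONDS:
        reasons.append(f"response time {rt:.1f}s >= {SLOW_SECONDS}s")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "term": term, "rt": rt, "reasons": reasons}

def analyse_log(lines):
    return [f for f in (analyse_line(line) for line in lines) if f]

# Constructed log lines for the example (addresses from the documentation range).
SAMPLE_LOG = [
    # benign search for an article code
    '203.0.113.7 - - [06/Feb/2026:10:14:02 +0100] "GET /ajax_search.php?term=ART-001 HTTP/1.1" 200 812 "-" "Mozilla/5.0" 0.041',
    # time-based probe: every handler that concatenates the term sleeps, so the delay adds up
    '203.0.113.9 - - [06/Feb/2026:10:15:40 +0100] "GET /ajax_search.php?term=x%22+OR+SLEEP%285%29+OR+%22 HTTP/1.1" 200 14 "-" "python-requests/2.32" 52.317',
    # boolean breakout without a delay primitive, fast response
    '203.0.113.9 - - [06/Feb/2026:10:15:41 +0100] "GET /ajax_search.php?term=x%22+OR+%221%22%3D%221 HTTP/1.1" 200 9011 "-" "python-requests/2.32" 0.120',
    # unrelated endpoint that happens to be slow: out of scope, not flagged
    '203.0.113.7 - - [06/Feb/2026:10:16:00 +0100] "GET /editor.php?id_module=3 HTTP/1.1" 200 40211 "-" "Mozilla/5.0" 6.5',
]

if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding["ip"], finding["ts"], repr(finding["term"]), "; ".join(finding["reasons"]))
```

The response-time rule is what catches the amplified payload even when the term is obfuscated past the regexes: a single SLEEP(5) that runs once in each of 10+ handlers shows up as a request lasting tens of seconds, far outside any legitimate search.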

Mitigation

As of the publication date, no patch has been released. The vendor has confirmed the vulnerability and reproduced it on a live instance of v2.9.8. Users should monitor the official repository for updates and, in the meantime, rework the affected search handlers so that the term is bound as a parameter of a prepared statement (with the LIKE wildcards % and _ escaped in the bound value); input sanitization of the term is a weaker stopgap, since any character the sanitizer misses is still executed as SQL [1][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions   Patched versions
devcode-it/openstamanager  Packagist   >= 0                none

Affected products (1)

  • devcode-it/openstamanagerv5
    Range: <= 2.9.8

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.