devcode-it/openstamanager
cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*
- <= 2.9.8
A SQL injection vulnerability has been identified in OpenSTAManager versions through 2.9.8. The issue arises in the ajax_complete.php endpoint while processing the get_sedi operation. An authenticated attacker can exploit this vulnerability by injecting malicious SQL code through the idanagrafica parameter, potentially leading to unauthorized access to the database.
Exploitation of this vulnerability allows for complete extraction of the database, including sensitive information such as user credentials, customer data, and financial records. Additionally, it could enable privilege escalation by modifying the zz_users table to gain admin access, unauthorized changes or deletions of records, and potentially remote code execution via SELECT ... INTO OUTFILE if file permissions permit.
The vulnerability can be reproduced by sending a GET request to ajax_complete.php with the op parameter set to get_sedi and a crafted SQL payload in the idanagrafica parameter. A time-based blind technique, where the payload makes the database delay its reply, confirms the injection because the delay is observable in the response time.
To address this vulnerability, replace the direct concatenation of user input into SQL queries with prepared statements. A prepared statement fixes the query text up front and sends the user-supplied value to the database as a bound parameter, so the input is treated strictly as data and can never alter the structure of the SQL command.
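As an added illustration of that fix (not OpenSTAManager's own code), the handler below shows a concatenated query next to a version that validates the id and binds it through a PDO prepared statement; the table and column names (an_sedi, nomesede) and the database name are assumptions.

```php
<?php
// Added illustration of the remediation; not code from the OpenSTAManager project.
// Table/column names (an_sedi, id, nomesede, idanagrafica) are assumed for the example.
declare(strict_types=1);

// Before: the request value is spliced into the query string, so whatever
// arrives in idanagrafica is parsed by MySQL as part of the SQL statement.
function getSediVulnerable(PDO $db, array $get): array
{
    $idanagrafica = $get['idanagrafica'] ?? '';
    $sql = "SELECT id, nomesede FROM an_sedi WHERE idanagrafica = " . $idanagrafica;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the query text is constant and the value is bound as a parameter.
// The driver transmits the value separately from the statement, so it cannot
// change the query's structure. Integer validation is an independent second check.
function getSediFixed(PDO $db, array $get): array
{
    $raw = $get['idanagrafica'] ?? null;
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer literal.
    $idanagrafica = is_scalar($raw) ? filter_var($raw, FILTER_VALIDATE_INT) : false;
    if ($idanagrafica === false || $idanagrafica < 1) {
        throw new InvalidArgumentException('idanagrafica must be a positive integer');
    }

    $stmt = $db->prepare('SELECT id, nomesede FROM an_sedi WHERE idanagrafica = :id');
    $stmt->bindValue(':id', $idanagrafica, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (connection details are placeholders). Emulated prepares are disabled
// so the MySQL server itself performs the parameter binding.
$db = new PDO('mysql:host=localhost;dbname=openstamanager', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
header('Content-Type: application/json');
echo json_encode(getSediFixed($db, $_GET));
```

Setting PDO::ATTR_EMULATE_PREPARES to false matters: with emulation on, the PHP driver escapes and interpolates values client-side rather than using true server-side parameters.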