OpenSTAManager SQL Injection Vulnerability in ajax_select.php Componenti Operation

Vulnerability

A SQL injection vulnerability has been identified in OpenSTAManager versions through 2.9.8. The issue occurs in the ajax_select.php file, specifically within the componenti operation. An authenticated attacker can exploit this vulnerability by injecting malicious SQL code through the options[matricola] parameter. The injected SQL is executed without proper sanitization, allowing for potential database manipulation or unauthorized data access.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, enabling an attacker to extract data from the database. Additionally, there is a risk of bypassing authentication to access sensitive component and equipment information, as well as the potential for unauthorized modification of records.

Reproduction

To reproduce this vulnerability, send a GET request to the ajax_select.php endpoint with the op parameter set to 'componenti' and the options[matricola] parameter containing a crafted SQL payload. The SQL injection can be verified by using a payload that, for example, includes a time-based delay, such as 'SLEEP(5)', which would cause the server response to be delayed by five seconds.

Remediation

To address this vulnerability, cast the values of the options[matricola] parameter to integers before using them in the SQL query. This can be done by splitting the parameter value into an array, mapping each value to an integer, and then joining the array back into a string for the SQL query.
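The cast-and-join remediation written out in PHP, as an added example that is not OpenSTAManager's own code: it assumes options[matricola] arrives as a comma-separated list of numeric ids, and the function names and sample inputs are constructed for this illustration.

```php
<?php
// Added example, not code from OpenSTAManager: the integer-cast remediation
// for options[matricola]. Assumes the parameter is a comma-separated list of
// numeric ids (e.g. "12,15,7"); function names and inputs are constructed.

declare(strict_types=1);

/**
 * Split the raw parameter, cast every element to an integer and join the
 * result back together, as the remediation describes. Because every element
 * passes through intval(), the returned string can only contain digits,
 * minus signs and commas; any SQL text a client appends is discarded.
 */
function matricolaIdList(string $raw): string
{
    $ids = array_map('intval', explode(',', $raw));
    $ids = array_values(array_unique($ids));
    // An empty IN () is a syntax error, so fall back to a value that matches nothing.
    return $ids === [] ? '0' : implode(',', $ids);
}

/**
 * Stricter variant: drop any token that is not purely digits instead of
 * coercing it, so a malformed token never silently becomes id 0.
 */
function matricolaIdListStrict(string $raw): string
{
    $ids = [];
    foreach (explode(',', $raw) as $token) {
        $token = trim($token);
        if ($token !== '' && ctype_digit($token)) {
            $ids[] = (int) $token;
        }
    }
    $ids = array_values(array_unique($ids));
    return $ids === [] ? '0' : implode(',', $ids);
}

// Constructed inputs: a normal request and one carrying the kind of
// time-delay expression the advisory mentions.
$normal   = '12, 15,7,15';
$tampered = '12 OR SLEEP(5),7';

foreach ([$normal, $tampered] as $input) {
    printf("input: %s\n", $input);
    printf("  cast  : WHERE matricola IN (%s)\n", matricolaIdList($input));
    printf("  strict: WHERE matricola IN (%s)\n", matricolaIdListStrict($input));
}
```

The strict variant is the one to prefer when an unexpected token should be treated as a bad request rather than quietly mapped to 0.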

Added: Feb 6, 2026, 7:22 PM
Updated: Feb 6, 2026, 11:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 4.6
remediation: 0.0
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.