OpenSTAManager Time-Based Blind SQL Injection Vulnerability in Article Pricing Module

Vulnerability

A critical time-based blind SQL injection vulnerability has been identified in OpenSTAManager versions through 2.9.8. The issue resides in the article pricing completion handler (the '/ajax_complete.php?op=getprezzi' endpoint), where the 'idarticolo' parameter is incorporated into an SQL query without parameterization or validation. Because the endpoint does not return query results directly, an authenticated attacker injects Boolean conditions and infers their truth from the response delay (time-based blind inference), reading the database one condition at a time. Data reachable this way includes complete database contents, user credentials, customer data and financial records.

Impact

Successful exploitation gives an authenticated attacker the ability to execute arbitrary SQL and read data out of the application database through time-based blind inference, including user credentials, customer details and financial records. Extraction is slow (several requests per recovered character) but fully automatable. Whether the injection also permits writes or stacked queries depends on the database driver and privileges of the application's database account and is not established by this report. The vulnerability was confirmed and tested on a live instance of OpenSTAManager version 2.9.8.

Reproduction

To reproduce this vulnerability, an authenticated user sends a GET request to the '/ajax_complete.php?op=getprezzi' endpoint with a crafted 'idarticolo' parameter. The injection is verified with a payload that calls 'SLEEP()' conditionally: a request whose injected condition is true must be delayed by the sleep interval, while an otherwise identical request whose condition is false must return promptly. Comparing the two rules out ordinary server or network latency, and repeating each measurement before accepting a result avoids false positives from jitter. Once the injection point is confirmed, data is extracted character by character: each request asks whether one character of the target value is above a given code point, and the presence or absence of the delay answers the question, so a binary search recovers each character in a handful of requests.

Remediation

At the time of writing no patched release is available: 2.9.8 is the latest version and is vulnerable. Users should monitor the project's releases and upgrade as soon as a fix ships. The correct fix on the code side is to bind 'idarticolo' as a query parameter (or cast it to an integer before use) rather than to filter its contents. Until a fixed version exists, limit exposure by restricting the application to trusted users and networks, reviewing which accounts hold credentials (exploitation requires authentication), and watching web server logs for requests to '/ajax_complete.php' whose 'idarticolo' value contains SQL keywords such as SLEEP or for bursts of unusually slow responses on that endpoint, which is the signature the extraction loop leaves.

Added: Feb 6, 2026, 7:20 PM
Updated: Feb 6, 2026, 10:39 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.