devcode-it/openstamanager
cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*
- < 2.9.8
A critical error-based SQL injection vulnerability has been identified in OpenSTAManager versions prior to 2.9.8. The issue resides in the bulk operations handler of the Scadenzario (Payment Schedule) module: the elements of the id_records array submitted with a bulk operation are not validated before they are used in a SQL IN() clause, so an attacker can inject arbitrary SQL into the query. Because the resulting database error text is returned to the client, the injection can be driven error-based, using the database's XML functions to leak query results inside error messages and thereby extract sensitive data such as user credentials and financial records.
Exploitation requires an authenticated user with access to the Scadenzario module's bulk operations. The injected SQL is executed by the database with the application's database privileges, which can result in unauthorized access to database contents, including user credentials and financial records, and can serve as a foothold for further exploitation (for example, reuse of extracted credentials) or privacy violations.
To reproduce this vulnerability, an authenticated user sends a POST request to '/actions.php' with 'id_module=18' (the module id of Scadenzario) and one or more 'id_records[]' parameters whose value is a crafted SQL injection payload instead of a numeric record id. Because the values are not validated, the injected SQL is concatenated into the query and executed, and the database error raised by the payload is returned in the response; this is the channel through which sensitive information is extracted. A non-numeric 'id_records[]' value that reaches the database and produces a database error, rather than being rejected by the application, is the tell-tale sign of an unpatched instance.
The vulnerability is addressed by validating the 'id_records' array before its elements are used in the SQL IN() clause: every element must be an integer, and the array should be filtered to keep only positive integer values (rejecting strings, zero and negatives), with the bulk operation aborted if nothing remains. Validating to integers closes this injection point; as a general hardening step, the validated ids should still be bound as query parameters rather than concatenated into the statement. Users should upgrade to OpenSTAManager 2.9.8 or later.
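As an added example (not code from the OpenSTAManager project), the following PHP contrasts the vulnerable pattern the advisory describes with the recommended fix. The function names, the table name co_scadenziario and the use of PDO are assumptions for illustration; the request data is constructed in the shape of the POST described above.

```php
<?php
declare(strict_types=1);

// Added example, not OpenSTAManager's own code. Function names, the table
// name 'co_scadenziario' and the PDO usage are assumptions for illustration.

// Vulnerable pattern: every element of $id_records is trusted and
// concatenated straight into the IN() clause.
function buildBulkQueryVulnerable(array $id_records): string
{
    return 'SELECT * FROM co_scadenziario WHERE id IN (' . implode(',', $id_records) . ')';
}

// Keep only elements that are positive integers. FILTER_VALIDATE_INT rejects
// anything that is not a plain decimal integer (e.g. '15 OR 1=1', '1e3',
// '0x1f'), and min_range => 1 rejects zero and negatives. Duplicates are dropped.
function sanitizeIdRecords(array $id_records): array
{
    $ids = [];
    foreach ($id_records as $value) {
        if (!is_string($value) && !is_int($value)) {
            continue; // nested arrays from id_records[][]=... are not record ids
        }
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[$id] = $id;
        }
    }
    return array_values($ids);
}

// Hardened pattern: validated ids are bound as placeholders, never
// interpolated, and an empty result aborts the bulk operation instead of
// producing an invalid "IN ()" query.
function buildBulkQueryHardened(array $id_records): array
{
    $ids = sanitizeIdRecords($id_records);
    if ($ids === []) {
        throw new InvalidArgumentException('id_records contains no valid record ids');
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return [
        'sql'    => 'SELECT * FROM co_scadenziario WHERE id IN (' . $placeholders . ')',
        'params' => $ids,
    ];
}

// Constructed request data in the shape the advisory describes:
// POST /actions.php with id_module=18 and id_records[]=... elements.
// '15 OR 1=1' stands in for any non-integer element; it is not the
// advisory's payload.
$post = [
    'id_module'  => '18',
    'id_records' => ['12', '15', '15 OR 1=1', '-3', 'abc', '15'],
];

// The vulnerable builder passes the non-integer elements through unchanged.
echo buildBulkQueryVulnerable($post['id_records']), PHP_EOL;

// The hardened builder keeps only 12 and 15 and binds them as parameters.
$query = buildBulkQueryHardened($post['id_records']);
echo $query['sql'], ' with params ', json_encode($query['params']), PHP_EOL;

// Executing it against the database (connection object $pdo assumed):
// $stmt = $pdo->prepare($query['sql']);
// $stmt->execute($query['params']);
```

Filtering to positive integers is what the advisory prescribes and is sufficient on its own; the placeholder binding is a belt-and-braces choice so that the query never depends on the filter being applied at every call site.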