OpenSTAManager Error-Based SQL Injection Vulnerability in Prima Nota Module

Vulnerability

A critical error-based SQL injection vulnerability has been identified in OpenSTAManager versions prior to 2.9.8, specifically within the Prima Nota (Journal Entry) module's add.php file. The vulnerability arises because the application does not properly validate that comma-separated values from the id_documenti GET parameter are integers before incorporating them into SQL IN() clauses. This oversight allows attackers to inject arbitrary SQL commands, exploiting the error handling to extract sensitive data via XML error messages.

Impact

Exploitation of this vulnerability allows authenticated users to perform error-based SQL injection, potentially leading to the extraction of complete database contents, including user credentials, customer personal information, and financial records.

Reproduction

To reproduce this vulnerability, an authenticated user can send a GET request to the '/modules/primanota/add.php' endpoint with a crafted 'id_documenti' parameter. The parameter should include a payload that exploits the SQL injection vulnerability, such as injecting SQL syntax that manipulates the query execution. The response will contain an error message that reveals extracted database information, confirming the successful exploitation of the vulnerability.

Remediation

The vulnerability can be addressed by implementing proper type validation for the 'id_documenti' parameter. This involves ensuring that all values are integers and filtering out any zero or negative IDs.
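
One way to implement the validation described above, as an added example that is not OpenSTAManager's own patch: it rejects the request if any token is not an integer, drops zero and negative IDs, and leaves only placeholders in the IN() clause. The function names and the `documents` table are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the project): turn the raw id_documenti
// value into a list of positive integers, or throw if any token is not
// an integer at all.
function parse_id_list(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $token) {
        $token = trim($token);
        if ($token === '') {
            continue; // tolerate "1,,2" and a trailing comma
        }
        $id = filter_var($token, FILTER_VALIDATE_INT);
        if ($id === false) {
            throw new InvalidArgumentException('id_documenti: non-integer value');
        }
        if ($id > 0) {
            $ids[$id] = $id; // drops zero/negative IDs, de-duplicates the rest
        }
    }
    return array_values($ids);
}

// Build "?,?,?" so the IN() clause contains placeholders only.
function in_placeholders(array $ids): string
{
    return implode(',', array_fill(0, count($ids), '?'));
}

// Constructed sample inputs; the last one carries a non-numeric token.
$samples = ['12,15,20', '12, 0,-3,15,12', '', '12,15 OR 1=1'];
foreach ($samples as $raw) {
    try {
        $ids = parse_id_list($raw);
        if ($ids === []) {
            echo json_encode($raw), " => no valid IDs, query skipped\n";
            continue;
        }
        // `documents` is a hypothetical table name.
        $sql = 'SELECT id FROM documents WHERE id IN (' . in_placeholders($ids) . ')';
        echo json_encode($raw), " => $sql with params ", json_encode($ids), "\n";
        // With PDO: $stmt = $pdo->prepare($sql); $stmt->execute($ids);
    } catch (InvalidArgumentException $e) {
        echo json_encode($raw), ' => rejected: ', $e->getMessage(), "\n";
    }
}
```

Because `filter_var` with `FILTER_VALIDATE_INT` also returns false for values outside the platform integer range, oversized tokens are rejected the same way as non-numeric ones.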

Added: Feb 6, 2026, 6:30 PM
Updated: Feb 6, 2026, 10:52 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 4.6
remediation: 0.0
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.