OpenSTAManager Time-Based Blind SQL Injection Vulnerability in AJAX Select Handlers

Vulnerability

A time-based blind SQL injection vulnerability has been identified in OpenSTAManager versions prior to 2.10.2. The issue arises in multiple AJAX select handlers, where the 'options[stato]' GET parameter is vulnerable to injection. The user-supplied value is directly concatenated into SQL WHERE clauses without proper sanitization or validation. This vulnerability allows authenticated attackers to inject arbitrary SQL statements, potentially leading to the extraction of sensitive data from the MySQL database, including usernames, password hashes, financial records, and other stored information.

Impact

Exploitation of this vulnerability takes the form of time-based blind SQL injection: the application returns no query output to the attacker, so data is inferred one condition at a time by injecting SQL that delays query execution and observing whether the response time changes. This could be used to retrieve sensitive information such as user credentials and financial records.

Reproduction

To reproduce this vulnerability, an authenticated user can send a GET request to '/ajax_select.php' with the 'options[stato]' parameter containing a crafted SQL payload. The injection can be verified by using SQL functions that cause a delay, such as 'SLEEP()', and observing the response time.

Remediation

Users are advised to update to OpenSTAManager version 2.10.2 or later, where this vulnerability has been patched.
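To show why the concatenation described above is exploitable and how a handler should treat the 'options[stato]' value instead, the following is an added, self-contained illustration (not OpenSTAManager's code): the table name, column names and state values are constructed, and SQLite stands in for MySQL since the defect and the fix are the same for both.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample table standing in for the application's data; the
# real schema is not part of the advisory.
SAMPLE_ROWS = [("A1", "attivo"), ("A2", "attivo"), ("B1", "sospeso")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE anagrafiche (codice TEXT, stato TEXT)")
    conn.executemany("INSERT INTO anagrafiche VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def select_vulnerable(conn, stato):
    """The defect class from the advisory: the value is spliced into the WHERE clause."""
    sql = "SELECT codice FROM anagrafiche WHERE stato = '" + stato + "'"
    return [row[0] for row in conn.execute(sql)]

def select_parameterized(conn, stato):
    """Fix 1: bind the value, so whatever it contains is compared as a literal string."""
    sql = "SELECT codice FROM anagrafiche WHERE stato = ?"
    return [row[0] for row in conn.execute(sql, (stato,))]

# Fix 2: a select handler only ever needs a handful of known states, so
# reject anything outside that set before it reaches the database.
ALLOWED_STATI = frozenset({"attivo", "sospeso"})  # constructed set

def select_hardened(conn, stato):
    if stato not in ALLOWED_STATI:
        raise ValueError("unexpected stato value")
    return select_parameterized(conn, stato)

def handle_select_request(conn, query_string):
    """Parse the GET query string the way a handler receives 'options[stato]'."""
    params = parse_qs(query_string, keep_blank_values=True)
    # parse_qs keeps the bracketed key as a literal name; take the first value.
    stato = params.get("options[stato]", [""])[0]
    return select_hardened(conn, stato)

if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"
    print(select_vulnerable(conn, tautology))     # query logic hijacked: every row
    print(select_parameterized(conn, tautology))  # compared as a literal: no rows
    print(handle_select_request(conn, "options[stato]=sospeso"))
```

The parameterized query alone closes the injection; the allowlist additionally stops unexpected values from reaching the database at all, which is the natural shape for a select handler whose states are fixed.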

Added: Apr 2, 2026, 2:43 PM
Updated: Apr 2, 2026, 2:43 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.8
exploitability: 4.6
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.