OpenSTAManager SQL Injection Vulnerability in Aggiornamenti Module

Vulnerability

A SQL injection vulnerability has been identified in the Aggiornamenti (Updates) module of OpenSTAManager prior to version 2.10.2. The flaw lies in a database conflict resolution feature that accepts a JSON array of arbitrary SQL statements from an authenticated user and executes them directly on the database without any validation or sanitization. Exploitation can lead to unauthorized database modifications, including the execution of destructive SQL commands. Foreign key checks are also disabled before the injected queries run, which further compromises database integrity.
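The pattern described above, as an added example that is not OpenSTAManager's code: a hypothetical conflict-resolution handler that executes whatever SQL strings the client sends, with referential checks switched off first, next to a hardened version in which the client may only select from a server-owned catalogue of repairs and never supplies SQL. SQLite stands in for MySQL, so PRAGMA foreign_keys plays the role of FOREIGN_KEY_CHECKS; the schema, the repair identifiers and every function name are constructed for the example.

```python
import json
import sqlite3

# Constructed schema standing in for an application database; not OpenSTAManager's real tables.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE invoices (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id)
);
INSERT INTO customers VALUES (1, 'ACME');
INSERT INTO invoices VALUES (10, 1);
"""


def fresh_db():
    """In-memory SQLite database with referential integrity enforced."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("PRAGMA foreign_keys = ON")
    return conn


def vulnerable_resolve(conn, body):
    """The pattern the advisory describes: the request body is a JSON array of
    SQL strings, foreign key enforcement is switched off first (PRAGMA here
    stands in for MySQL's SET FOREIGN_KEY_CHECKS=0), and each string is
    executed verbatim. Nothing inspects what the strings contain."""
    queries = json.loads(body)
    conn.execute("PRAGMA foreign_keys = OFF")
    for q in queries:
        conn.execute(q)
    conn.commit()
    return len(queries)


# Server-owned catalogue of the only repairs the endpoint may perform. The
# client refers to them by opaque identifier and never supplies SQL.
# Identifiers and statements are constructed for this example.
ALLOWED_REPAIRS = {
    "reindex-invoices": "CREATE INDEX IF NOT EXISTS idx_invoices_customer ON invoices(customer_id)",
    "drop-orphan-invoices": "DELETE FROM invoices WHERE customer_id NOT IN (SELECT id FROM customers)",
}


class RepairError(ValueError):
    """Raised for malformed or unrecognised repair requests."""


def hardened_resolve(conn, body):
    """Validate the request shape, reject any identifier outside the catalogue,
    keep foreign key checks on, and run the repairs in one transaction that
    rolls back on failure."""
    try:
        requested = json.loads(body)
    except json.JSONDecodeError as exc:
        raise RepairError("body is not valid JSON") from exc
    if not isinstance(requested, list) or not all(isinstance(r, str) for r in requested):
        raise RepairError("expected a JSON array of repair identifiers")
    unknown = sorted(set(requested) - set(ALLOWED_REPAIRS))
    if unknown:
        raise RepairError(f"unknown repair identifiers: {unknown}")
    try:
        with conn:  # commits on success, rolls back on any exception
            for r in requested:
                conn.execute(ALLOWED_REPAIRS[r])
    except sqlite3.Error as exc:
        raise RepairError(f"repair failed: {exc}") from exc
    return len(requested)


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def foreign_keys_enforced(conn):
    return conn.execute("PRAGMA foreign_keys").fetchone()[0] == 1


def orphan_invoices(conn):
    """Invoices whose customer no longer exists; should always be zero."""
    return conn.execute(
        "SELECT COUNT(*) FROM invoices WHERE customer_id NOT IN (SELECT id FROM customers)"
    ).fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    vulnerable_resolve(db, '["DELETE FROM customers WHERE id = 1"]')
    print("orphans after vulnerable handler:", orphan_invoices(db))
    db = fresh_db()
    try:
        hardened_resolve(db, '["DROP TABLE invoices"]')
    except RepairError as err:
        print("hardened handler refused:", err)
```

The hardened version fixes both problems the advisory names: the client can no longer choose the SQL text, and the integrity checks that the original disables stay in force, so a repair that would leave dangling references fails and is rolled back instead of silently corrupting the data.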

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL commands, with the potential to manipulate the database extensively. This includes creating, modifying, or deleting database tables and records. Such actions could disrupt application functionality, cause data loss, or, depending on the MySQL server configuration, lead to arbitrary file writing or execution of operating system commands.

Reproduction

To reproduce this vulnerability, an authenticated user with access to the Aggiornamenti module sends a POST request to 'editor.php' with the 'op=risolvi-conflitti-database' operation and a JSON array of SQL queries. Because the input is not validated, any SQL statement in the array is executed, such as 'DROP TABLE', 'CREATE TABLE', or 'INSERT INTO', demonstrating full control over the database.
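As an added example (not part of the advisory or the project): a small triage script that scans request records for calls to 'editor.php' carrying the 'op=risolvi-conflitti-database' operation and ranks them by whether the accompanying JSON array contains statements that change schema or data. The record layout, the 'queries' field name, the addresses, users and sample requests are all constructed; the advisory does not say which parameter carries the array, so the script inspects every form field for a JSON array of strings.

```python
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

TARGET_OP = "risolvi-conflitti-database"

# Statements that have no business in a conflict-resolution request from an
# ordinary user; used to rank findings, not as the sole trigger.
DESTRUCTIVE = re.compile(
    r"^\s*(?:DROP|TRUNCATE|ALTER|CREATE|DELETE|INSERT|UPDATE|GRANT|LOAD\s+DATA)\b"
    r"|\bINTO\s+(?:OUT|DUMP)FILE\b",
    re.IGNORECASE,
)


def json_string_arrays(fields):
    """Yield (field name, list) for every form field whose value parses as a
    non-empty JSON array of strings. No particular parameter name is assumed."""
    for name, values in fields.items():
        for value in values:
            try:
                parsed = json.loads(value)
            except ValueError:
                continue
            if isinstance(parsed, list) and parsed and all(isinstance(s, str) for s in parsed):
                yield name, parsed


def analyze_request(rec):
    """Return a finding for a request that hits the vulnerable operation, else
    None. 'rec' holds method, path (with optional query string), a form-encoded
    body, and whatever identity the logging layer recorded (constructed layout)."""
    url = urlsplit(rec["path"])
    if not url.path.endswith("editor.php"):
        return None
    fields = parse_qs(url.query)
    for name, values in parse_qs(rec.get("body", "")).items():
        fields.setdefault(name, []).extend(values)
    if TARGET_OP not in fields.get("op", []):
        return None
    statements = [s for _, arr in json_string_arrays(fields) for s in arr]
    destructive = [s for s in statements if DESTRUCTIVE.search(s)]
    if destructive:
        severity = "high"
    elif statements:
        severity = "medium"
    else:
        severity = "low"
    return {
        "src": rec.get("src"),
        "user": rec.get("user"),
        "method": rec["method"],
        "statements": len(statements),
        "destructive": destructive,
        "severity": severity,
    }


def analyze_requests(records):
    return [f for f in map(analyze_request, records) if f is not None]


# Constructed request records, as a WAF or application-level request logger
# might produce them. Paths, users, addresses, the "queries" field name and
# the unrelated "save-record" operation are made up for the example.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "user": "admin", "method": "POST", "path": "/editor.php",
     "body": urlencode({"op": TARGET_OP, "queries": json.dumps(["DROP TABLE invoices"])})},
    {"src": "10.0.0.7", "user": "admin", "method": "GET",
     "path": "/editor.php?op=" + TARGET_OP},
    {"src": "10.0.0.9", "user": "clerk", "method": "POST", "path": "/editor.php",
     "body": urlencode({"op": "save-record", "id": "12"})},
    {"src": "10.0.0.5", "user": "admin", "method": "POST", "path": "/editor.php",
     "body": urlencode({"op": TARGET_OP})},
]

if __name__ == "__main__":
    for finding in analyze_requests(SAMPLE_REQUESTS):
        print(finding)
```

The 'op' value travels in the POST body, so a web server access log that records only the request line will not show it; feed this from a WAF, reverse proxy with body logging, or an application-level request log. On a pre-2.10.2 instance a legitimate administrator using the repair feature produces the same shape of request, so triage by user, source address and the statements actually submitted rather than alerting on the operation alone.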

Remediation

Users can update to OpenSTAManager version 2.10.2 or later, where this vulnerability has been patched. Instructions for downloading the latest version are available on the OpenSTAManager GitHub releases page.

Added: Apr 2, 2026, 2:26 PM
Updated: Apr 2, 2026, 2:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.