devcode-it/openstamanager
cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*
- <= 2.10.1
A SQL injection vulnerability has been identified in OpenSTAManager versions through 2.10.1. The issue resides in the confronta_righe.php files of several modules, where the righe parameter is read from the GET request and concatenated directly into SQL queries without any sanitization, parameterization, or validation. This vulnerability allows authenticated attackers to inject arbitrary SQL statements, potentially leading to the extraction of sensitive data from the database, such as user credentials, customer information, invoice data, and other stored data.
Exploitation of this vulnerability allows for full database extraction, including user credentials (bcrypt hashes), customer data, invoices, contracts, and any other stored information. Additionally, it enables data modification through injected SQL statements, such as INSERT, UPDATE, or DELETE, and could result in the deletion of tables or critical data, causing database corruption.
To reproduce this vulnerability, an authenticated session is required, with access to the affected module. Once logged in, the vulnerability can be exploited by sending a GET request to confronta_righe.php with a crafted righe parameter that includes SQL injection payloads. The injection can be verified by extracting database information, such as MySQL version or user credentials, which will be returned in the response, indicating successful exploitation.
The vulnerability has been fixed in OpenSTAManager version 2.10.2. Users are advised to update to this version. For those who cannot update, the vulnerability can be mitigated by manually sanitizing and parameterizing the righe input before using it in SQL queries.
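The mitigation described above (validate, then parameterize the righe input), shown as an added example that is not OpenSTAManager's own code. It assumes, hypothetically, that righe is a comma-separated list of row IDs, that a PDO connection $pdo is available, and that the table is called righe_documento; none of those names come from the advisory.

```php
<?php
// Added example, not the project's code. Hardened handling of the GET
// parameter "righe" for a handler such as confronta_righe.php.

function parseRigheParam(string $raw): array
{
    // Assumption: righe is a comma-separated list of positive integer IDs.
    // Accept exactly that shape and nothing else (no quotes, spaces, comments).
    if (!preg_match('/^\d+(,\d+)*$/', $raw)) {
        throw new InvalidArgumentException('righe must be a comma-separated list of integer IDs');
    }
    $ids = array_map('intval', explode(',', $raw));
    return array_values(array_unique($ids));
}

function fetchRighe(PDO $pdo, string $rawRighe): array
{
    $ids = parseRigheParam($rawRighe);

    // One "?" placeholder per ID: every value is bound, never concatenated.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    // Table and column names are assumptions for this example.
    $sql = "SELECT * FROM righe_documento WHERE id IN ($placeholders)";

    $stmt = $pdo->prepare($sql);
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The pattern the advisory describes, for contrast only (do not use):
//   $sql = "SELECT * FROM righe_documento WHERE id IN (" . $_GET['righe'] . ")";

// Usage inside the request handler; $pdo is assumed to exist.
function handleConfrontaRighe(PDO $pdo): array
{
    try {
        return fetchRighe($pdo, $_GET['righe'] ?? '');
    } catch (InvalidArgumentException $e) {
        // Reject malformed input instead of passing it to the database.
        http_response_code(400);
        exit('Invalid righe parameter');
    }
}
```

Because the regular expression rejects anything but digits and commas before the query is built, and each ID is bound as an integer, the injected payloads the advisory refers to never reach the SQL parser.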