Critical Time-Based Blind SQL Injection vulnerability affecting multiple search modules in OpenSTAManager v2.9.8. An authenticated attacker can extract sensitive database contents, including password hashes, customer data and financial records, through time-based Boolean inference; because the single search term is dispatched to 10+ module handlers, every injected condition executes once per module, amplifying its effect.
Status: ✅ Confirmed and tested on live instance (v2.9.8)
Vulnerable Parameter: term (GET)
Affected Endpoint: /ajax_search.php
Affected Modules: Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi
OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.
Vulnerability Chain:
Entry Point: /ajax_search.php (Line 30-31)
    $term = get('term');
    $term = str_replace('/', '\\/', $term);
The $term parameter undergoes minimal sanitization: only forward slashes are escaped (replaced with \/), which does nothing against SQL metacharacters such as single quotes.
Distribution: /src/AJAX.php::search() (Line 159-161)
    $files = self::find('ajax/search.php');
    array_unshift($files, base_dir().'/ajax_search.php');
    foreach ($files as $file) {
        $module_results = self::getSearchResults($file, $term);
        // ... (remainder of loop omitted)
    }
The unsanitized $term is passed to all module-specific search handlers.
Execution: /src/AJAX.php::getSearchResults() (Line 373)
    require $file;
Each module's search.php file is included with the $term variable in scope.
Vulnerable SQL Queries: multiple module handlers concatenate $term directly into the query string instead of binding it through prepare().
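To illustrate the pattern described above, the following is an added example and not code from OpenSTAManager: a constructed module search handler in its string-concatenated form beside a prepared-statement form. The PDO connection, the table name articoli and the column descrizione are assumptions.

```php
<?php
// Constructed example, not OpenSTAManager code. Table and column names are assumed.
// $dbo is an assumed PDO connection; $term is the raw GET parameter from ajax_search.php.

// Vulnerable pattern: $term is interpolated into the LIKE clause, so any SQL
// metacharacters in the search term become part of the query text.
function searchVulnerable(PDO $dbo, string $term): array
{
    $term = str_replace('/', '\\/', $term); // the only "sanitization" the entry point applies
    $sql = "SELECT id, descrizione FROM articoli WHERE descrizione LIKE '%".$term."%'";
    return $dbo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value travels as a bound parameter, never as query text.
// LIKE wildcards in the input are escaped so that a search for "50%" matches literally.
function searchPrepared(PDO $dbo, string $term): array
{
    // Escape the escape character first, then % and _, using '!' as a portable escape char.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    $stmt = $dbo->prepare(
        "SELECT id, descrizione FROM articoli WHERE descrizione LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%'.$escaped.'%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The same binding applies to each of the module search handlers listed below; escaping LIKE wildcards is a correctness measure on top of the injection fix, not a substitute for it.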
All Affected Files (10+ vulnerable instances):
/modules/articoli/ajax/search.php...
CVSS v4.0 Score: 8.7 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Exploitability: AV:N (Network), AC:L (Low), AT:N (None), PR:L (Low), UI:N (None)
Vulnerable System: VC:H (High), VI:H (High), VA:H (High)
Subsequent System: SC:N (None), SI:N (None), SA:N (None)