A critical Time-Based Blind SQL Injection vulnerability in the article pricing module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents, including user credentials, customer data, and financial records, through time-based Boolean inference.
Status: ✅ Confirmed and tested on a live instance (v2.9.8) and on demo.osmbusiness.it (v2.9.7)
Vulnerable Parameter: idarticolo (GET)
Affected Endpoint: /ajax_complete.php?op=getprezzi
Affected Module: Articoli (Articles/Products)
OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the idarticolo parameter before using it in SQL queries, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.
Vulnerability Chain:
Entry Point: /ajax_complete.php (Line 27)
$op = get('op');
$result = AJAX::complete($op);
The op parameter only selects the completion handler; the injectable parameter is read later, inside the module's own complete.php.
Distribution: /src/AJAX.php::complete() (Line 189)
$result = self::getCompleteResults($file, $resource);
Execution: /src/AJAX.php::getCompleteResults() (Line 402)
require $file;
The module-specific complete.php file is included and executed here, so each module's handler reads its own request parameters.
Vulnerable Parameter: /modules/articoli/ajax/complete.php (Line 26)
$idarticolo = get('idarticolo');
The idarticolo parameter is read from the GET request as-is, with no validation or integer cast.
Vulnerable SQL Query: /modules/articoli/ajax/complete.php (Line 70) PRIMARY VULNERABILITY. The raw value is concatenated directly into the query string:
FROM
`dt_righe_ddt`
INNER JOIN `dt_ddt` ON `dt_ddt`.`id` = `dt_righe_ddt`.`idddt`
INNER JOIN `dt_tipiddt` ON `dt_tipiddt`.`id` = `dt_ddt`.`idtipoddt`
WHERE
`idarticolo`='.$idarticolo.' AND...
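One way to close the hole described in the chain above, as an added example that is not OpenSTAManager's own code: validate idarticolo as a positive integer and bind it with a prepared statement instead of concatenating it. The table names, join conditions and the idarticolo column are those from the advisory; the selected columns, the function names and the PDO connection are assumptions.

```php
<?php
// Added example, not code from OpenSTAManager. Tables and joins follow the
// advisory; the selected columns and function names are assumed for illustration.

declare(strict_types=1);

/**
 * Validate the raw GET value before it gets anywhere near SQL.
 * Returns null for anything that is not a positive integer, the only
 * shape a row id can legitimately have.
 */
function parseArticoloId(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * Fetch the price rows for one article with a prepared statement, so the
 * id is bound as a value and never interpolated into the query text.
 * Use a PDO connection created with PDO::ATTR_EMULATE_PREPARES => false so
 * the server, not the client, performs the parameter binding.
 */
function getPrezziForArticolo(PDO $pdo, ?string $rawId): array
{
    $id = parseArticoloId($rawId);
    if ($id === null) {
        // Reject rather than "repair": a malformed id is never a valid request.
        throw new InvalidArgumentException('idarticolo must be a positive integer');
    }

    // Column names here are assumptions; the FROM/JOIN/WHERE shape is the advisory's.
    $sql = 'SELECT `dt_righe_ddt`.`prezzo_unitario`, `dt_ddt`.`data`, `dt_tipiddt`.`dir`
            FROM `dt_righe_ddt`
            INNER JOIN `dt_ddt` ON `dt_ddt`.`id` = `dt_righe_ddt`.`idddt`
            INNER JOIN `dt_tipiddt` ON `dt_tipiddt`.`id` = `dt_ddt`.`idtipoddt`
            WHERE `dt_righe_ddt`.`idarticolo` = :idarticolo';

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':idarticolo', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with an assumed $pdo connection:
// $rows = getPrezziForArticolo($pdo, $_GET['idarticolo'] ?? null);
```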
CVSS 4.0 Score: 8.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Exploitability: AV:N / AC:L / AT:N / PR:L / UI:N
Vulnerable System: VC:H / VI:H / VA:H
Subsequent System: SC:N / SI:N / SA:N