An authenticated SQL Injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.
The vulnerability exists in templates/scadenzario/init.php at line 46, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization:
Vulnerable Code:
if (get('id_anagrafica') && get('id_anagrafica') != 'null') {
$module_query = str_replace('1=1', '1=1 AND `co_scadenziario`.`idanagrafica`="'.get('id_anagrafica').'"', $module_query);
$id_anagrafica = get('id_anagrafica');
}
The get() function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application's prepare() sanitization function, enabling SQL Injection attacks.
Root Cause:
prepare() function for input sanitizationAffected Endpoint:
/pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION_PAYLOAD]
Affected Files:
templates/scadenzario/init.php (line 46) - Primary vulnerabilitytemplates/scadenzario/init.php (lines 34, 40) - Similar pattern with date parameterspdfgen.php - Entry point for template rendering1. Confirm Vulnerability - Basic Syntax Error Test:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20--%20
SQL syntax error displayed in application response
<img width="2195" height="392" alt="image"...
Exploitability
AV:NAC:LAT:NPR:LUI:NVulnerable System
VC:HVI:HVA:HSubsequent System
SC:NSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N