
CVE-2018-25386: HaPe PKH 1.1 SQL Injection Vulnerability

CVE-2018-25386 is a SQL injection flaw in HaPe PKH 1.1 affecting admin/media.php. Attackers can extract sensitive database information through the id parameter. This article covers technical details, affected versions, impact, and mitigation strategies.


CVE-2018-25386 Overview

CVE-2018-25386 identifies multiple SQL injection vulnerabilities in HaPe PKH 1.1, a PHP-based village administration application distributed through SourceForge. The flaws reside in admin/media.php, where the id parameter is concatenated into SQL queries without sanitization [CWE-89]. An unauthenticated attacker can reach the vulnerable code path through the desa module using module=desa&act=hapus. Authenticated users can trigger the same class of injection through the pengurus, fasilitas, and kelompok modules via actions such as act=print, act=editpengurus, act=editfasilitas, and act=editkelompok.

Critical Impact

Successful exploitation lets attackers read the current database user, database name, DBMS version, and other sensitive data from the backend store.

Affected Products

  • HaPe PKH 1.1 (distributed via SourceForge)
  • Deployments exposing admin/media.php to the network
  • Installations using the desa, pengurus, fasilitas, or kelompok modules

Discovery Timeline

  • 2026-05-29 - CVE-2018-25386 published to NVD
  • 2026-05-29 - Last updated in NVD database

Technical Details for CVE-2018-25386

Vulnerability Analysis

The vulnerability is a classic SQL injection in admin/media.php. The script reads the id parameter from the request and embeds it directly into SQL statements without parameterization or type casting. Each affected module action constructs its own query against the database, so the injection point is reachable through several distinct URLs.

The desa module path module=desa&act=hapus does not enforce authentication, which makes the most severe variant remotely exploitable without credentials. The pengurus, fasilitas, and kelompok actions require a valid session but accept the same tainted id value.

Because the queries return data that is reflected or processed in the response, attackers can use UNION-based or error-based techniques to extract metadata such as current_user(), database(), and version(). The Exploit-DB entry #45588 documents working payloads against the affected endpoints.

Root Cause

The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The application concatenates user input from the id query parameter into SQL strings instead of using prepared statements or input validation. No allowlist, type enforcement, or escaping is applied before the value reaches the database driver.

Attack Vector

The attack vector is network-based and requires no user interaction. An unauthenticated attacker sends a crafted HTTP GET request to admin/media.php with module=desa&act=hapus&id=<payload>. Authenticated paths follow the same pattern but target the pengurus, fasilitas, or kelompok modules. Tools such as sqlmap can automate enumeration and data extraction against any of these endpoints.

No verified code examples are published in the enriched data for this CVE. Refer to the Exploit-DB #45588 entry and the VulnCheck Advisory for payload details.

Detection Methods for CVE-2018-25386

Indicators of Compromise

  • HTTP requests to admin/media.php containing SQL metacharacters such as ', UNION, SELECT, --, or /* in the id parameter.
  • Access patterns matching module=desa&act=hapus from unauthenticated sources.
  • Web server or PHP error logs referencing SQL syntax errors originating from admin/media.php.
  • Database audit logs showing calls to version(), database(), or current_user() from the application service account.

Detection Strategies

  • Inspect web access logs for query strings targeting admin/media.php with non-numeric values in the id parameter.
  • Deploy web application firewall (WAF) rules that flag SQL injection signatures on the desa, pengurus, fasilitas, and kelompok module endpoints.
  • Correlate spikes in 500-series responses from admin/media.php with database error messages.
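
The log inspection described in the list above, as an added example (not code from the advisory or from the HaPe PKH project): it flags requests to admin/media.php whose id is not a plain integer and notes 5xx responses on that script. The common/combined access-log layout, the /pkh/ path prefix, the function name hunt and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: ip, request line, status (layout is an assumption).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Modules the advisory names as reaching the injectable id parameter.
MODULES = {"desa", "pengurus", "fasilitas", "kelompok"}

def hunt(lines):
    """Return one finding per suspicious request to admin/media.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/admin/media.php"):
            continue
        # parse_qs percent-decodes, so id=3%27 is checked as "3'".
        q = parse_qs(url.query, keep_blank_values=True)
        module = q.get("module", [""])[0]
        act = q.get("act", [""])[0]
        reasons = []
        if any(not re.fullmatch(r"[0-9]+", v) for v in q.get("id", [])):
            reasons.append("non-numeric id")
        if m["status"].startswith("5"):
            reasons.append("5xx response")
        if not reasons:
            continue
        if module == "desa" and act == "hapus":
            reasons.append("path needs no login")
        hits.append({"ip": m["ip"], "module": module, "act": act,
                     "known_module": module in MODULES, "reasons": reasons})
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical /pkh/ prefix).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /pkh/admin/media.php?module=pengurus&act=editpengurus&id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /pkh/admin/media.php?module=desa&act=hapus&id=3%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /pkh/admin/media.php?module=kelompok&act=editkelompok&id=1%20UNION%20SELECT%20version%28%29 HTTP/1.1" 200 4100',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /pkh/index.php?id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

An access log does not record PHP session state, so the "path needs no login" tag only marks the desa/hapus route; it does not prove the requester was unauthenticated.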

Monitoring Recommendations

  • Forward web server, PHP, and database logs to a central analytics platform for retrospective hunting.
  • Alert on UNION SELECT, sleep-based, or boolean-based injection patterns against any administrative PHP endpoint.
  • Track outbound connections from the database host that could indicate post-exploitation data exfiltration.

How to Mitigate CVE-2018-25386

Immediate Actions Required

  • Restrict network access to admin/ paths using IP allowlisting or VPN until a fix is in place.
  • Place the application behind a WAF with SQL injection rules enabled in blocking mode.
  • Audit database accounts used by the application and remove unnecessary privileges such as FILE or schema-wide read access.
  • Review historical web logs for prior exploitation attempts against admin/media.php.

Patch Information

No official vendor patch is referenced in the available advisory data. HaPe PKH 1.1 is distributed through SourceForge; operators should monitor the project page for updated releases and consult the VulnCheck Advisory for status changes.

Workarounds

  • Modify admin/media.php to validate that the id parameter is an integer before use, for example with intval() or filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT).
  • Refactor affected queries to use PDO prepared statements or mysqli parameterized queries instead of string concatenation.
  • Require authentication on the desa module action act=hapus to remove the unauthenticated attack path.
  • Disable or remove unused modules among desa, pengurus, fasilitas, and kelompok if they are not required.

```
# Example WAF rule (ModSecurity) blocking SQLi on admin/media.php
SecRule REQUEST_URI "@contains /admin/media.php" \
  "phase:2,chain,deny,status:403,id:1002501,msg:'HaPe PKH SQLi attempt'"
  SecRule ARGS:id "@detectSQLi" "t:none,t:urlDecodeUni"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
