CVE-2018-25387 Overview
CVE-2018-25387 is a cross-site request forgery (CSRF) vulnerability in HaPe PKH 1.1, a PHP-based application distributed through SourceForge. The flaw resides in the aksi_user.php user management endpoint, which fails to validate the origin or authenticity of state-changing requests. Attackers can craft a malicious HTML form that submits forged parameters such as id_user, password, and level to modify administrator credentials. Successful exploitation requires that an authenticated administrator visit an attacker-controlled page while logged in. The issue is classified under CWE-352: Cross-Site Request Forgery.
Critical Impact
An attacker can hijack the administrator account by tricking a logged-in admin into loading a crafted page, resulting in full takeover of the HaPe PKH application.
Affected Products
- HaPe PKH version 1.1
- HaPe PKH distributions available through SourceForge
- Deployments referencing the vendor site Site Jo
Discovery Timeline
- 2026-05-29 - CVE-2018-25387 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2018-25387
Vulnerability Analysis
The vulnerability exists in the aksi_user.php script, which handles user account updates within HaPe PKH 1.1. The endpoint accepts HTTP POST parameters that modify user records but does not verify a CSRF token, request origin, or referer header. An attacker can host an HTML form on an external site that automatically submits a forged request when an authenticated administrator visits the page. The browser attaches the administrator's session cookie, and the application processes the request as legitimate. The result is a password reset or privilege change executed under the administrator's identity. Because the application performs no secondary verification, the change takes effect immediately.
Root Cause
The root cause is missing anti-CSRF protections on the aksi_user.php endpoint. The application relies solely on session cookies for authorization, which browsers attach automatically to cross-origin requests. Without a synchronizer token, double-submit cookie, or SameSite cookie attribute, the endpoint cannot distinguish requests initiated by the legitimate user interface from those submitted by an attacker's page.
Attack Vector
Exploitation is network-based and requires no privileges on the target application. The attacker prepares a page containing a hidden form targeting aksi_user.php with parameters id_user, password, and level. The attacker then lures an authenticated administrator to the page through phishing, watering-hole attacks, or embedded content. When the form auto-submits, the administrator's browser sends the request with active session cookies, and the server updates the targeted account. See the Exploit-DB entry 45591 and the VulnCheck advisory for technical details.
Detection Methods for CVE-2018-25387
Indicators of Compromise
- Unexpected password changes or privilege level modifications in the HaPe PKH user table.
- HTTP POST requests to aksi_user.php carrying a Referer header from an external origin, or no Referer header at all.
- Administrator account logins from unfamiliar IP addresses immediately after a credential update event.
Detection Strategies
- Inspect web server access logs for POST requests to aksi_user.php and correlate each one with its Referer header.
- Audit the user table for level field changes or password hash updates that do not align with administrative activity windows.
- Deploy a web application firewall rule that flags state-changing requests to aksi_user.php lacking a valid same-origin referer.
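The Referer-based check in the strategies above, as an added example that is not code from the advisory or from HaPe PKH: a scanner over Combined Log Format access-log lines that flags POSTs to aksi_user.php whose Referer is missing or names a foreign host. The site hostname pkh.example is a placeholder and the log lines are constructed.

```php
<?php
// Added example (not HaPe PKH code): flag POST /aksi_user.php requests whose
// Referer is absent or points somewhere other than the application's own host.
const SITE_HOST = 'pkh.example'; // assumption: the HaPe PKH hostname (placeholder)

function is_suspicious_csrf_line(string $line, string $siteHost = SITE_HOST): bool
{
    // Combined log: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"/';
    if (!preg_match($re, $line, $m)) {
        return false; // unparseable line: leave it to other tooling
    }
    $method  = $m[2];
    $path    = $m[3];
    $referer = $m[4];

    // Only state-changing hits on the vulnerable endpoint are of interest.
    if ($method !== 'POST' || parse_url($path, PHP_URL_PATH) !== '/aksi_user.php') {
        return false;
    }
    // A missing Referer cannot prove the request came from the legitimate UI.
    if ($referer === '' || $referer === '-') {
        return true;
    }
    // Any Referer host other than the site itself is a cross-origin submission.
    $refHost = (string) parse_url($referer, PHP_URL_HOST);
    return strcasecmp($refHost, $siteHost) !== 0;
}

// Constructed sample lines, not real traffic: lines 2 and 3 should be flagged.
$sample = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /aksi_user.php HTTP/1.1" 302 0 "https://pkh.example/user.php" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:57:02 +0000] "POST /aksi_user.php HTTP/1.1" 302 0 "http://evil.example/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:58:10 +0000] "POST /aksi_user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:59:00 +0000] "GET /aksi_user.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];
foreach ($sample as $line) {
    if (is_suspicious_csrf_line($line)) {
        echo "ALERT: possible CSRF against aksi_user.php: $line\n";
    }
}
```

Correlate each flagged line with the user-table audit in the next strategy; a hit followed by a level or password-hash change is the strongest signal.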
Monitoring Recommendations
- Enable verbose logging on the HaPe PKH application server, including request bodies for user management endpoints.
- Alert on consecutive failed and successful administrator authentications following a recent account modification.
- Track outbound links and email gateway events that may deliver CSRF lure pages to administrative users.
How to Mitigate CVE-2018-25387
Immediate Actions Required
- Restrict access to the HaPe PKH administrative interface to trusted internal networks or VPN segments.
- Force a password reset for all administrator accounts and review the level field of every user.
- Instruct administrators to log out of HaPe PKH before browsing other web content in the same browser session.
Patch Information
No vendor patch is referenced in the NVD entry or external advisories. Organizations should treat HaPe PKH 1.1 as unmaintained and plan migration to a supported alternative. Until a patched release is available, compensating controls described below are required.
Workarounds
- Place the application behind a reverse proxy that enforces strict Referer or Origin header validation on POST requests to aksi_user.php.
- Set session cookies with the SameSite=Strict attribute to block cross-site request inclusion of credentials.
- Add a server-side CSRF token check to aksi_user.php by patching the source to require a per-session nonce on all state-changing requests.
# Example nginx rule blocking cross-origin POSTs to the vulnerable endpoint.
# valid_referers is only permitted at http/server/location level and nginx
# does not allow nested "if" blocks, so the two conditions are combined
# through a flag variable instead.
location = /aksi_user.php {
    # Referer must name one of this server's hostnames; a missing Referer
    # also counts as invalid because "none" is deliberately left out.
    valid_referers server_names;

    set $block_csrf 0;
    if ($request_method = POST) { set $block_csrf 1; }
    if ($invalid_referer = "")  { set $block_csrf 0; } # valid same-origin Referer
    if ($block_csrf = 1)        { return 403; }

    proxy_pass http://hape_pkh_backend;
}
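The source-level fix named in the last workaround, as an added example rather than HaPe PKH's own code: a request handler in the style of aksi_user.php that requires a per-session synchronizer token, checks the Origin or Referer header, and issues the session cookie with SameSite=Strict. The function names and the assumption that the legitimate update form embeds the token as a hidden csrf_token field are mine.

```php
<?php
// Added example, not HaPe PKH's own code: the anti-CSRF checks a patched
// aksi_user.php-style handler must pass before touching id_user/password/level.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,     // assumes the application is served over HTTPS
    'samesite' => 'Strict', // browser withholds the cookie on cross-site POSTs
]);
session_start();

// One random nonce per session; the legitimate form renders it as a hidden
// input named csrf_token (escaped with htmlspecialchars) so the UI can echo it back.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Synchronizer-token check: the submitted token must equal the session nonce.
// Arrays are passed in rather than read from globals so the check is testable.
function csrf_check(array $post, array $session): bool
{
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $sent); // constant-time compare
}

// Defence in depth: Origin (or, failing that, Referer) must name this host.
// A state-changing request that carries neither header is rejected outright.
function origin_check(array $server): bool
{
    $src = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($src === '') {
        return false;
    }
    $host = (string) parse_url($src, PHP_URL_HOST);
    return $host !== '' && strcasecmp($host, $server['SERVER_NAME'] ?? '') === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST, $_SESSION) || !origin_check($_SERVER)) {
        http_response_code(403);
        exit('Forbidden: request failed CSRF validation');
    }
    // Only here may the application's original user-update logic run.
}
```

A forged cross-site form cannot read the session-bound token, and with SameSite=Strict the browser does not even attach the session cookie, so both layers fail closed independently.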
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

