CVE-2018-25390 Overview
CVE-2018-25390 is a SQL injection vulnerability [CWE-89] affecting HaPe PKH version 1.1, a web application distributed through SourceForge. The flaw resides in the lap-peserta-perdesa-pdf.php script, which fails to sanitize user-supplied input passed through the desa POST parameter. Unauthenticated remote attackers can inject SQL syntax into backend database queries to extract sensitive data using time-based blind techniques. Public exploit code for this issue is documented in Exploit-DB entry 45588.
Critical Impact
Unauthenticated attackers can extract confidential database contents through a network-accessible SQL injection in the desa POST parameter, requiring no user interaction.
Affected Products
- HaPe PKH 1.1
- Distributed via SourceForge (hape-pkh)
- Published by SiteJo
Discovery Timeline
- 2026-05-29 - CVE-2018-25390 published to the National Vulnerability Database (NVD)
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2018-25390
Vulnerability Analysis
The vulnerability exists in the server-side PHP script lap-peserta-perdesa-pdf.php, which generates PDF reports filtered by a village identifier supplied in the desa POST parameter. The application concatenates this user input directly into a SQL statement without parameterized queries or input validation. Attackers can append arbitrary SQL clauses that the database executes with the privileges of the application's database user.
Because the injection point does not return query output directly in the HTTP response, attackers rely on time-based blind techniques. Functions such as SLEEP() or BENCHMARK() allow inference of data character-by-character based on observable response delays. This approach enables full extraction of database schemas, credentials, and stored records over repeated requests.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The application accepts the desa POST parameter and embeds it into a SQL query without prepared statements, type casting, or sanitization. Any attacker capable of reaching the affected endpoint can alter the query's logic.
Attack Vector
Exploitation requires only HTTP access to the vulnerable endpoint. The attacker submits a POST request to lap-peserta-perdesa-pdf.php with a crafted desa value containing SQL syntax. No authentication, user interaction, or local access is required. The Exploit-DB proof of concept demonstrates extraction using a time-based blind payload that injects conditional SLEEP statements to enumerate database contents.
For technical details, see the Exploit-DB #45588 entry and the VulnCheck SQL Injection Advisory.
Detection Methods for CVE-2018-25390
Indicators of Compromise
- POST requests to lap-peserta-perdesa-pdf.php containing SQL keywords such as SLEEP, BENCHMARK, UNION, SELECT, or -- in the desa parameter
- Repeated requests from a single source whose response times track the delay value embedded in the submitted payload, indicating time-based blind enumeration
- Web server logs (where request-body logging is enabled, since default access-log formats do not record POST bodies) showing unusually long URL-encoded payloads in POST bodies targeting the desa field
- Database error entries or query timeouts originating from the HaPe PKH application user
Detection Strategies
- Deploy web application firewall (WAF) signatures that flag SQL metacharacters and time-delay functions in POST parameters
- Inspect HTTP server logs for anomalous request durations to lap-peserta-perdesa-pdf.php
- Correlate database slow-query logs with application access logs to identify injection attempts
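A small log-triage script that applies the indicators above (SQL syntax in the desa field, response times far above the endpoint's baseline), added here as an example and not part of the advisory or of HaPe PKH. It assumes a custom log format that records the request duration in microseconds and the URL-encoded POST body; the sample lines are constructed.

```php
<?php
// Added example (not part of the advisory or HaPe PKH): scans constructed log
// lines for the indicators above, SQL syntax in the desa POST field and response
// times far above the endpoint's baseline. Assumed per-line log format (the body
// is only there if the server or WAF logs POST bodies):
//   <client_ip> <method> <path> <status> <duration_us> "<url-encoded body>"
const TARGET_SCRIPT = 'lap-peserta-perdesa-pdf.php';
const SQLI_PATTERN  = '/sleep\s*\(|benchmark\s*\(|union\s+select|information_schema|--|;/i';
const SLOW_FACTOR   = 5;   // flag a request slower than 5x the baseline median
function parse_entry(string $line): ?array
{
    if (!preg_match('/^(\S+) (\S+) (\S+) (\d{3}) (\d+) "(.*)"$/', $line, $m)) {
        return null;
    }
    parse_str($m[6], $body);   // URL-decodes the body, so %28 / + are normalised
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3],
            'duration_us' => (int) $m[5], 'desa' => $body['desa'] ?? null];
}

function analyze_log(array $lines): array
{
    $entries = array_filter(array_map('parse_entry', $lines), fn($e) =>
        $e !== null && $e['method'] === 'POST' && basename($e['path']) === TARGET_SCRIPT);
    // Baseline: median duration of requests whose desa value is a plain integer.
    $durations = array_column(array_filter($entries,
        fn($e) => $e['desa'] !== null && ctype_digit($e['desa'])), 'duration_us');
    sort($durations);
    $baseline = $durations ? $durations[intdiv(count($durations), 2)] : 0;
    $findings = [];
    foreach ($entries as $e) {
        $reasons = [];
        if ($e['desa'] !== null && preg_match(SQLI_PATTERN, $e['desa'])) {
            $reasons[] = 'sql_syntax_in_desa';
        }
        if ($baseline > 0 && $e['duration_us'] > SLOW_FACTOR * $baseline) {
            $reasons[] = 'slow_response';   // time-based blind probes surface here
        }
        if ($reasons) {
            $findings[$e['ip']][] = $reasons;
        }
    }
    return ['baseline_us' => $baseline, 'findings' => $findings];
}
// Constructed sample: two normal requests and one time-based probe.
print_r(analyze_log([
    '10.0.0.5 POST /hape/lap-peserta-perdesa-pdf.php 200 180000 "desa=12"',
    '10.0.0.6 POST /hape/lap-peserta-perdesa-pdf.php 200 210000 "desa=7"',
    '203.0.113.9 POST /hape/lap-peserta-perdesa-pdf.php 200 5200000 "desa=12%20AND%20SLEEP%285%29"',
]));
```

The baseline is taken only from requests with a plain integer desa value, so a burst of probes cannot drag the median up and hide itself.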
Monitoring Recommendations
- Enable verbose query logging on the backend database and alert on SLEEP, BENCHMARK, or INFORMATION_SCHEMA references
- Monitor outbound data volumes from the application server for signs of staged exfiltration
- Establish baseline response-time metrics for the affected endpoint and alert on sustained deviations
How to Mitigate CVE-2018-25390
Immediate Actions Required
- Restrict network access to the HaPe PKH application using firewall rules or reverse-proxy authentication until a vendor fix is verified
- Block requests to lap-peserta-perdesa-pdf.php containing SQL syntax through WAF rules
- Audit the database for unauthorized read activity and rotate any credentials stored within the application schema
Patch Information
No vendor patch is referenced in the NVD entry or associated advisories. Organizations using HaPe PKH 1.1 should consult the SiteJo Homepage and the SourceForge project page for newer releases. If no fixed version is available, plan to retire or replace the application.
Workarounds
- Place the application behind an authenticating reverse proxy to prevent unauthenticated access to vulnerable endpoints
- Apply WAF rules that reject POST parameters containing SQL keywords or time-delay functions
- If source code modification is feasible, replace string concatenation in lap-peserta-perdesa-pdf.php with parameterized queries using PDO or MySQLi prepared statements
- Enforce least-privilege permissions on the database account used by the application to limit data accessible through injection
# Example ModSecurity rule to block SQL injection patterns in the desa parameter
SecRule ARGS:desa "@rx (?i)(sleep\(|benchmark\(|union\s+select|--|;)" \
"id:1002518,phase:2,deny,status:403,log,\
msg:'CVE-2018-25390 HaPe PKH SQLi attempt blocked'"
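The parameterized-query replacement named in the workarounds, shown as an added example that is not HaPe PKH's own code: the vulnerable concatenation pattern the advisory describes next to a fixed version using PDO (and a MySQLi equivalent). The table and column names peserta and id_desa, and the SQLite demo rows, are assumptions for illustration.

```php
<?php
// Added example, not code from HaPe PKH. It contrasts the vulnerable pattern the
// advisory describes (concatenating the desa POST parameter into SQL) with a fixed
// version using prepared statements plus integer validation. The table and column
// names (peserta, id_desa) are assumptions for illustration.

// BEFORE (CWE-89): the raw parameter becomes part of the SQL text, so any SQL
// syntax in $_POST['desa'] changes the statement the database executes.
function load_participants_vulnerable(PDO $db, array $post): array
{
    $sql = "SELECT * FROM peserta WHERE id_desa = '" . $post['desa'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: validate the type, then bind the value. The placeholder travels to the
// server separately from the SQL text, so the input is never parsed as SQL, and
// non-numeric input is rejected before any query is issued.
function load_participants_fixed(PDO $db, array $post): array
{
    $desa = filter_var($post['desa'] ?? '', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($desa === false) {
        throw new InvalidArgumentException('desa must be a positive integer');
    }
    $stmt = $db->prepare('SELECT * FROM peserta WHERE id_desa = :desa');
    $stmt->bindValue(':desa', $desa, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// MySQLi equivalent of the fixed query (run the same validation first).
function load_participants_fixed_mysqli(mysqli $db, int $desa): array
{
    $stmt = $db->prepare('SELECT * FROM peserta WHERE id_desa = ?');
    $stmt->bind_param('i', $desa);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Offline demo on an in-memory SQLite table with constructed rows. Against MySQL,
// also set PDO::ATTR_EMULATE_PREPARES => false so the server binds the parameters.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE peserta (id INTEGER PRIMARY KEY, nama TEXT, id_desa INTEGER)');
$db->exec("INSERT INTO peserta (nama, id_desa) VALUES ('A', 1), ('B', 1), ('C', 2)");
echo count(load_participants_fixed($db, ['desa' => '1'])), " rows for desa=1\n";
try {
    load_participants_fixed($db, ['desa' => '1abc']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Pair the code change with the least-privilege item above: a read-only database account scoped to the reporting tables limits what any remaining injection point could reach.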
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.