CVE-2018-25405 Overview
CVE-2018-25405 is a SQL injection vulnerability in eNdonesia Portal 8.7, a PHP-based content management portal. The flaw resides in mod.php and affects multiple request parameters including artid, cid, did, contid, and aboutid. Unauthenticated remote attackers can inject arbitrary SQL through these parameters to read sensitive database contents. Confirmed extraction targets include database usernames, schema names, and version information. The weakness is classified as [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Unauthenticated attackers can issue arbitrary SQL queries against the backend database through mod.php, exposing credentials, schema details, and stored content without any user interaction.
Affected Products
- eNdonesia Portal 8.7
- The vulnerable component is the mod.php script
- Distributions available through the eNdonesia project SourceForge release
Discovery Timeline
- 2026-05-30 - CVE-2018-25405 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2018-25405
Vulnerability Analysis
The vulnerability exists in mod.php, the central module dispatcher in eNdonesia Portal 8.7. The script accepts user-supplied parameters and concatenates them directly into SQL statements without parameterization or sanitization. Attackers reach the vulnerable code paths via standard HTTP GET requests, requiring no authentication or user interaction. Successful exploitation discloses information from any table accessible to the database account used by the application.
Because the application uses a single database role for all queries, an attacker can pivot from one injectable parameter to enumerate the entire schema. Standard UNION SELECT payloads return values such as user(), database(), and version() directly in the rendered page. The Exploit-DB entry #45654 documents working payloads against the affected parameters.
Root Cause
The root cause is improper neutralization of special elements used in SQL commands [CWE-89]. The mod.php handler interpolates the artid, cid, did, contid, and aboutid query string values into SQL strings before they are passed to the database driver. No prepared statements, type casting, or input filtering are applied, so quote characters and SQL keywords reach the database engine intact.
Attack Vector
Exploitation is performed over the network against the public-facing portal. An attacker sends a crafted GET request to mod.php with an injected UNION SELECT payload appended to the artid, cid, did, contid, or aboutid parameter. The portal returns query output inline, enabling efficient in-band extraction of arbitrary data. See the VulnCheck SQL Injection Advisory and Exploit-DB #45654 for the documented request structure.
Detection Methods for CVE-2018-25405
Indicators of Compromise
- Web server access logs containing requests to /mod.php with SQL keywords such as UNION, SELECT, information_schema, 0x, or -- in the artid, cid, did, contid, or aboutid parameters.
- HTTP requests to mod.php exhibiting URL-encoded quote characters (%27), comment sequences (%23, --), or sleep-based payloads (SLEEP(...), BENCHMARK(...)).
- Database error messages or unexpected user(), database(), or @@version output appearing in cached HTML responses.
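The request-side indicators above can be checked offline against web server access logs. The following Python script is an added example, not code from the advisory or the eNdonesia project; it assumes combined-format log lines, and the sample entries, function names and reason labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as injectable in mod.php.
PARAMS = ("artid", "cid", "did", "contid", "aboutid")
# SQL tokens from the indicator list, matched after URL decoding.
SQLI_RX = re.compile(
    r"union|select|information_schema|0x[0-9a-f]+|--|#|'|sleep\s*\(|benchmark\s*\(",
    re.IGNORECASE,
)
# Request line of a combined-format access log entry.
REQUEST_RX = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /mod.php?artid=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /mod.php?artid=12%27 HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /mod.php?cid=-1+UNION+SELECT+user() HTTP/1.1" 200 4301',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /mod.php?did=abc HTTP/1.1" 200 900',
    '203.0.113.7 - - [01/Jan/2024:10:00:11 +0000] "GET /index.php?q=select HTTP/1.1" 200 700',
]


def inspect_line(line):
    """Return (param, decoded_value, reason) findings for one log line."""
    m = REQUEST_RX.search(line)
    url = urlsplit(m.group(1)) if m else None
    if url is None or not url.path.lower().endswith("/mod.php"):
        return []
    findings = []
    # parse_qs percent-decodes values, so %27 and %23 are seen as ' and #.
    query = parse_qs(url.query, keep_blank_values=True)
    for name in PARAMS:
        for value in query.get(name, []):
            if SQLI_RX.search(value):
                findings.append((name, value, "sql-token"))
            elif not re.fullmatch(r"[0-9]+", value):
                findings.append((name, value, "non-integer"))
    return findings


def scan(lines):
    """Return (line_number, findings) for every suspicious entry."""
    checked = ((n, inspect_line(l)) for n, l in enumerate(lines, start=1))
    return [(n, f) for n, f in checked if f]


if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The "non-integer" reason applies the same integer-only expectation that the mitigation guidance enforces at the WAF, so it also surfaces malformed values that contain no SQL keyword.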
Detection Strategies
- Deploy web application firewall (WAF) signatures that match SQL injection patterns against query strings targeting mod.php.
- Enable database query logging and alert on UNION SELECT statements originating from the portal's database account against system tables.
- Correlate HTTP 200 responses to mod.php containing strings that resemble database identifiers (for example MySQL user() output formatted as user@host).
Monitoring Recommendations
- Forward web server and database logs to a centralized analytics platform and build queries for SQL injection signatures on portal endpoints.
- Monitor outbound connections from the web server for unexpected data egress that could indicate post-exploitation data exfiltration.
- Track changes in database user privileges and creation of new accounts that could indicate a successful injection campaign.
How to Mitigate CVE-2018-25405
Immediate Actions Required
- Restrict public access to mod.php or take affected eNdonesia Portal 8.7 instances offline until a remediation path is established.
- Apply a WAF rule that blocks non-numeric input on the artid, cid, did, contid, and aboutid parameters.
- Rotate database credentials used by the application and audit the database for unauthorized changes.
Patch Information
No vendor patch is referenced in the available advisories. The eNdonesia project distributes releases through its SourceForge download page. Operators should monitor the Endonesia Project Homepage for updates and consider migrating to an actively maintained CMS given the long-standing nature of this issue.
Workarounds
- Place the application behind a WAF and enforce strict allowlists that accept only integer values for artid, cid, did, contid, and aboutid.
- Reduce the database account's privileges to the minimum required, denying access to information_schema and unrelated schemas.
- Disable verbose database error reporting in the PHP runtime to limit information returned to attackers on failed injections.
# Example WAF rule restricting mod.php parameters to integers (ModSecurity)
SecRule REQUEST_URI "@beginsWith /mod.php" \
    "id:1002501,phase:2,deny,status:403,\
    chain,msg:'Block non-integer values on eNdonesia mod.php parameters'"
    SecRule ARGS:artid|ARGS:cid|ARGS:did|ARGS:contid|ARGS:aboutid \
        "!@rx ^[0-9]+$"


