CVE-2018-25407 Overview
CVE-2018-25407 affects eNdonesia Portal version 8.7, a content management system distributed through SourceForge. The vulnerability consists of multiple SQL injection flaws in mod.php that accept unsanitized user input through the artid, cid, did, contid, and aboutid parameters. Unauthenticated attackers can inject arbitrary SQL queries against the publisher, diskusi, galeri, content, and about modules. Successful exploitation enables extraction of database contents including usernames, database names, and version information. The flaw is categorized under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Unauthenticated network attackers can extract sensitive database content from any internet-accessible eNdonesia Portal 8.7 installation without user interaction.
Affected Products
- eNdonesia Portal 8.7
- Installations downloaded from the Endonesia SourceForge project
- Deployments referenced on the Endonesia Official Website
Discovery Timeline
- 2026-05-30 - CVE-2018-25407 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2018-25407
Vulnerability Analysis
The vulnerability is a set of pre-authentication SQL injection flaws reachable through the single entry point mod.php. The application concatenates HTTP GET parameters directly into SQL statements without parameterization or input validation. An attacker controls portions of the query executed against the backend database engine.
Five parameters are confirmed injection points: artid in the publisher module, cid in the diskusi module, did in the galeri module, contid in the content module, and aboutid in the about module. A crafted value in any of these parameters can terminate the intended query and append attacker-supplied SQL clauses. The injection supports UNION-based extraction, enabling enumeration of user(), database(), and version() along with arbitrary table reads. Public exploitation details are available in Exploit-DB entry 45654 and the VulnCheck SQL Injection Advisory.
Root Cause
The root cause is improper neutralization of user-supplied input before its use in SQL statements [CWE-89]. The affected handlers in mod.php treat numeric identifier parameters as trusted and embed them in dynamic queries. The codebase does not use prepared statements, type casting, or allowlist validation on the affected parameters.
Attack Vector
Exploitation requires only a network path to the web application. No authentication, privileges, or user interaction are required. An attacker issues crafted HTTP GET requests to mod.php with malicious payloads in any of the five vulnerable parameters. UNION SELECT and boolean-based payloads return database metadata and stored records in HTTP responses. Public proof-of-concept payloads are documented in the referenced advisories and require no modification to extract user(), database(), and @@version from a default installation.
Detection Methods for CVE-2018-25407
Indicators of Compromise
- HTTP requests to mod.php containing SQL keywords such as UNION, SELECT, CONCAT, information_schema, or 0x hex-encoded strings in the artid, cid, did, contid, or aboutid parameters.
- Web server access log entries showing abnormally long query strings or URL-encoded single quotes (%27) targeting mod.php.
- Database error messages returned to clients referencing MySQL syntax errors originating from mod.php handlers.
- Outbound responses from the portal containing rows from information_schema.tables or mysql.user.
Detection Strategies
- Deploy web application firewall signatures for SQL injection patterns against the specific parameters and module names enumerated in this CVE.
- Enable database query logging and alert on queries containing UNION SELECT originating from the eNdonesia application user.
- Hunt historical access logs for requests matching mod.php?mod=(publisher|diskusi|galeri|content|about) paired with suspicious parameter values.
Monitoring Recommendations
- Forward web server and database logs to a centralized analytics platform and create correlations between anomalous mod.php requests and subsequent database errors.
- Baseline normal traffic to the affected modules and alert on parameter values that deviate from expected integer formats.
- Monitor for data egress spikes from the web server following requests matching the injection signatures.
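The historical log hunt and the integer-format baseline described above can be combined in one pass over the access logs. The following is an added example, not part of the original advisory or the eNdonesia code base; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Module -> identifier parameter, as enumerated in the advisory.
MODULE_PARAM = {"publisher": "artid", "diskusi": "cid", "galeri": "did",
                "content": "contid", "about": "aboutid"}
# SQL keywords listed under "Indicators of Compromise".
SQL_HINT = re.compile(r"union|select|concat|information_schema|0x[0-9a-f]{2,}", re.I)
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_line(line):
    """Return (module, param, decoded_value, reasons) for a suspicious request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/mod.php"):
        return None
    args = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    module = args.get("mod", [""])[0].lower()
    param = MODULE_PARAM.get(module)
    for value in args.get(param, []) if param else []:
        if re.fullmatch(r"[0-9]+", value):
            continue  # expected integer identifier, matches the baseline
        reasons = ["non-integer"]
        if "'" in value:
            reasons.append("quote")
        if SQL_HINT.search(value):
            reasons.append("sql-keyword")
        return module, param, value, reasons
    return None

def hunt(lines):
    """Collect findings from an iterable of access log lines."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:10:00:01 +0000] "GET /mod.php?mod=publisher&artid=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jun/2026:10:00:05 +0000] "GET /mod.php?mod=publisher&artid=12%27%20UNION%20SELECT%20version() HTTP/1.1" 200 7340',
    '203.0.113.9 - - [01/Jun/2026:10:00:09 +0000] "GET /mod.php?mod=diskusi&cid=3+and+1=1 HTTP/1.1" 200 4100',
    '198.51.100.4 - - [01/Jun/2026:10:01:00 +0000] "GET /index.php?q=select+theme HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The third sample line carries no listed SQL keyword and is caught only by the integer-format check, which is why the baseline matters alongside keyword signatures.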
How to Mitigate CVE-2018-25407
Immediate Actions Required
- Restrict public access to eNdonesia Portal 8.7 installations until a vendor fix is verified, using network ACLs or authentication proxies.
- Deploy WAF rules that reject non-numeric values in the artid, cid, did, contid, and aboutid parameters of mod.php.
- Audit the database account used by the portal and remove privileges beyond what the application requires, eliminating FILE, SUPER, and cross-database access.
- Review web and database logs for prior exploitation attempts using the indicators listed above.
Patch Information
No vendor patch is referenced in the NVD record or linked advisories at the time of publication. Operators should consult the Endonesia Official Website and the VulnCheck SQL Injection Advisory for any subsequent fix availability. If no upstream patch is released, migrating to a maintained CMS is recommended.
Workarounds
- Place the application behind a reverse proxy that enforces strict integer validation on the affected query string parameters.
- Apply custom source-code patches in mod.php to cast each identifier parameter using intval() before use in SQL statements.
- Run the MySQL backend with a least-privilege account that has no read access to information_schema beyond the application schema.
- Disable unused modules among publisher, diskusi, galeri, content, and about to reduce the attack surface.
# Example WAF rule (ModSecurity) to block non-numeric values in vulnerable parameters
SecRule ARGS:artid|ARGS:cid|ARGS:did|ARGS:contid|ARGS:aboutid "!@rx ^[0-9]+$" \
    "id:1002018,\
    phase:2,\
    deny,\
    status:403,\
    msg:'CVE-2018-25407 eNdonesia mod.php SQLi parameter rejected'"


