CVE-2018-25418: AiOPMSD Final 1.0.0 SQLi Vulnerability

CVE-2018-25418 is a SQL injection flaw in AiOPMSD Final 1.0.0 that allows unauthenticated attackers to extract sensitive database information. This article covers the technical details, attack vectors, and mitigation.

CVE-2018-25418 Overview

CVE-2018-25418 is an SQL injection vulnerability in AiOPMSD Final 1.0.0, a PHP-based management application distributed through SourceForge. The flaw resides in year.php, which fails to sanitize the year GET parameter before incorporating it into a backend SQL query. Unauthenticated attackers can send crafted HTTP GET requests that inject arbitrary SQL syntax into the query. Successful exploitation enables extraction of sensitive database content, including usernames, database names, and version metadata. The issue is tracked under CWE-89 and a public exploit is documented in Exploit-DB #45690.

Critical Impact

Unauthenticated remote attackers can read arbitrary database contents through a single crafted GET request to year.php.

Affected Products

Discovery Timeline

  • 2026-05-30 - CVE-2018-25418 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2018-25418

Vulnerability Analysis

The vulnerability is a classic SQL injection [CWE-89] in the year.php endpoint of AiOPMSD Final 1.0.0. The script accepts a year parameter from the HTTP GET query string and concatenates the value directly into an SQL statement executed against the backing database. Because the parameter is not validated, escaped, or bound through a parameterized statement, an attacker can break out of the intended SQL context and append arbitrary clauses such as UNION SELECT statements. No authentication is required to reach the vulnerable endpoint, so any network-reachable instance is exposed. The VulnCheck advisory confirms data exfiltration including credentials, database schema information, and DBMS version strings.

Root Cause

The root cause is unsafe string concatenation between user-controlled input and an SQL query. The year parameter flows from $_GET directly into the query without prepared statements or input filtering. Standard mitigations such as mysqli_real_escape_string or PDO bound parameters are absent.

Attack Vector

Exploitation requires only network access to the web application. An attacker issues a GET request to year.php with a crafted payload appended to the year parameter, for example a UNION-based payload that returns columns from information_schema.tables or from the application's user table. The server returns the database response within the rendered page, enabling direct extraction of records. Refer to the Exploit-DB entry #45690 for the published proof of concept.

Detection Methods for CVE-2018-25418

Indicators of Compromise

  • HTTP GET requests to /year.php containing SQL metacharacters such as ', --, UNION, SELECT, or information_schema in the year query parameter.
  • Web server access logs showing repeated requests to year.php with abnormally long or URL-encoded year values.
  • Database error messages or stack traces appearing in HTTP responses originating from year.php.
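
The access-log indicators above, expressed as a check over log lines. This is an added example, not part of the original advisory; the sample log entries are constructed, and the four-digit limit on a legitimate year value is an assumption about the application.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Markers named in the indicator list, matched after URL decoding.
SQL_MARKERS = re.compile(r"'|--|;|\b(?:union|select|sleep)\b|information_schema", re.I)
MAX_YEAR_LEN = 4  # assumption: a legitimate value is a four-digit year

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2026:10:00:01 +0000] "GET /year.php?year=2018 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jun/2026:10:00:07 +0000] "GET /year.php?year=2018%27%20UNION%20SELECT%201--%20- HTTP/1.1" 200 9843',
    '203.0.113.9 - - [01/Jun/2026:10:00:09 +0000] "GET /year.php?year=2018%2527 HTTP/1.1" 500 312',
]

def decode_fully(raw, rounds=3):
    """URL-decode repeatedly so double-encoded values (%2527) are seen in the clear."""
    for _ in range(rounds):
        raw, prev = unquote_plus(raw), raw
        if raw == prev:
            break
    return raw

def year_findings(log_line):
    """Return sorted reasons why the year parameter of a year.php request is suspicious."""
    m = REQUEST_RE.search(log_line)
    url = urlsplit(m.group(1)) if m else None
    if url is None or not url.path.lower().endswith("/year.php"):
        return []
    reasons = set()
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote_plus(name) != "year":
            continue
        value = decode_fully(raw)
        if value != raw:
            reasons.add("encoded")
        if len(value) > MAX_YEAR_LEN:
            reasons.add("long")
        if SQL_MARKERS.search(value):
            reasons.add("sql-marker")
        if not re.fullmatch(r"[0-9]+", value):
            reasons.add("non-numeric")  # strongest signal: anything but digits
    return sorted(reasons)

def scan(lines):
    """Return (line_number, reasons) for every flagged entry."""
    hits = ((n, year_findings(line)) for n, line in enumerate(lines, 1))
    return [(n, r) for n, r in hits if r]
```

The non-numeric check is the most reliable of the four because it does not depend on a keyword list; the keyword and length checks mainly help triage.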

Detection Strategies

  • Deploy web application firewall signatures targeting SQL injection patterns on requests to year.php.
  • Inspect database query logs for queries referencing the year column with unexpected UNION operators or comment sequences.
  • Correlate web access logs with database authentication failures and schema enumeration queries against information_schema.

Monitoring Recommendations

  • Enable verbose logging on the web server and forward access logs to a centralized analytics platform for query parameter inspection.
  • Alert on responses from year.php whose size or content type deviates significantly from baseline.
  • Monitor outbound traffic from the application host for unusual data egress that may indicate database exfiltration.

How to Mitigate CVE-2018-25418

Immediate Actions Required

  • Restrict network access to AiOPMSD Final 1.0.0 instances using firewall rules or reverse-proxy allow lists until remediation is applied.
  • Disable or remove the year.php endpoint if it is not required for business operations.
  • Rotate database credentials used by the application and review database accounts for unauthorized changes.

Patch Information

No vendor patch is referenced in the available advisories. AiOPMSD Final 1.0.0 is distributed through the AioPMSD SourceForge project and operators should monitor that project for updated releases. Until a fix is available, the application should be considered unsafe to expose to untrusted networks.

Workarounds

  • Place the application behind a web application firewall configured to block SQL injection payloads on the year parameter.
  • Modify year.php to cast the year parameter to an integer using intval() or to validate against a numeric regular expression before use in the SQL statement.
  • Refactor the query to use prepared statements with bound parameters via PDO or mysqli to eliminate the injection sink entirely.
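
```apache
# Example WAF rule (ModSecurity) blocking SQLi in the year parameter
# Deny-list match on the year argument; as written it applies to any URI
# that carries a year argument, not only year.php.
SecRule ARGS:year "@rx (?i)(union|select|--|;|information_schema|sleep\()" \
    "id:1002518,phase:2,deny,status:403,msg:'CVE-2018-25418 SQLi attempt on year.php'"
```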

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
