CVE-2018-25433 Overview
CVE-2018-25433 is an SQL injection vulnerability [CWE-89] in the Joomla extension JE Photo Gallery version 1.1. The flaw resides in the com_jephotogallery component, which fails to sanitize the categoryid parameter before incorporating it into backend database queries. Unauthenticated attackers can send crafted GET requests to index.php and inject arbitrary SQL syntax. Successful exploitation allows extraction of sensitive database content, including Joomla administrative usernames and password hashes. The vulnerability requires no authentication, no user interaction, and is reachable over the network.
Critical Impact
Remote, unauthenticated attackers can exfiltrate Joomla credential hashes and arbitrary database contents via a single crafted HTTP request.
Affected Products
- Joomla Component JE Photo Gallery 1.1 (com_jephotogallery)
- Joomla installations distributing the JE PhotoGallery extension from joomlaextensions.co.in
- Any Joomla site exposing the vulnerable categoryid parameter
Discovery Timeline
- 2026-06-01 - CVE-2018-25433 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2018-25433
Vulnerability Analysis
The JE Photo Gallery extension exposes a category browsing endpoint reachable through Joomla's index.php router with option=com_jephotogallery. The component reads the categoryid query parameter and concatenates it directly into an SQL statement executed against the Joomla database. Because the parameter is not cast to an integer or bound as a prepared parameter, attackers can append arbitrary SQL clauses such as UNION SELECT to retrieve data from any table the database user can access. Public exploitation guidance lists targeting the #__users table to dump username and password columns, which contain bcrypt-hashed administrator credentials. Offline cracking of recovered hashes can then yield administrative access to the Joomla site.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The categoryid parameter is treated as trusted input and inserted into a query string without parameterization, input validation, or type coercion. Joomla's database abstraction layer provides safe binding methods, but the extension bypasses them.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker issues an HTTP GET request to the vulnerable Joomla endpoint with a malicious payload appended to the categoryid parameter. The request follows the pattern index.php?option=com_jephotogallery&controller=jephotogallery&view=...&categoryid=<payload>, where <payload> contains injected SQL such as a UNION clause selecting credential columns. Refer to Exploit-DB #45930 and the VulnCheck Advisory on Joomla SQL Injection for the documented request structure.
Detection Methods for CVE-2018-25433
Indicators of Compromise
- HTTP requests to index.php containing option=com_jephotogallery combined with SQL keywords such as UNION, SELECT, CONCAT, or information_schema in the categoryid parameter.
- Web server access logs showing unusually long categoryid values, URL-encoded quotes (%27), or comment markers (--, #, /*).
- Database query logs containing SELECT statements referencing #__users, password, or session columns originating from the photo gallery component.
- Database queries that return unexpectedly large result sets to anonymous web sessions.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the categoryid parameter for SQL metacharacters and known injection signatures.
- Enable Joomla and database query auditing to correlate inbound HTTP requests with SQL statements executed against the credentials table.
- Hunt historic web logs for requests matching the Exploit-DB #45930 payload pattern targeting com_jephotogallery.
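The log hunt described above can be scripted against the indicators listed for categoryid. The following Python is an added example, not part of the original advisory or of any referenced exploit; the combined access-log format, the MAX_LEN threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Combined-log-format request: client IP, request URL, status, response size.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
KEYWORDS = re.compile(r"\b(?:union|select|concat|information_schema)\b", re.I)
COMMENTS = re.compile(r"--|#|/\*")
MAX_LEN = 10  # assumed cut-off for an "unusually long" id; tune per site

# One check per indicator named in the lists above.
CHECKS = [
    ("non-integer", lambda v: not re.fullmatch(r"[0-9]+", v)),
    ("sql-keyword", lambda v: KEYWORDS.search(v)),
    ("quote", lambda v: "'" in v or '"' in v),
    ("comment-marker", lambda v: COMMENTS.search(v)),
    ("long-value", lambda v: len(v) > MAX_LEN),
]

def classify(value):
    """Return the names of the indicators a decoded categoryid value matches."""
    return [name for name, check in CHECKS if check(value)]

def hunt(lines):
    """Return one finding per suspicious com_jephotogallery request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # Split on the first "?" by hand so a raw "#" is not dropped as a fragment.
        params = parse_qs(m["url"].partition("?")[2], keep_blank_values=True)
        if "com_jephotogallery" not in params.get("option", []):
            continue
        for value in params.get("categoryid", []):  # parse_qs URL-decodes values
            reasons = classify(value)
            if reasons:
                findings.append({"ip": m["ip"], "status": int(m["status"]),
                                 "categoryid": value, "reasons": reasons})
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_jephotogallery&controller=jephotogallery&categoryid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?option=com_jephotogallery&controller=jephotogallery&categoryid=1%27%20UNION%20SELECT%201,2--%20- HTTP/1.1" 200 48211 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?option=com_jephotogallery&categoryid=5%20%2F%2A HTTP/1.1" 403 199 "-" "-"',
]
```

Findings with status 200 were served by the application rather than blocked, so they are the ones to correlate with database query logs first.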
Monitoring Recommendations
- Monitor authentication logs for password spraying or successful logins following suspected hash exfiltration.
- Alert on any HTTP 200 response to a com_jephotogallery request whose body length deviates significantly from baseline.
- Track database user activity for unexpected access to the #__users table from the web application account.
How to Mitigate CVE-2018-25433
Immediate Actions Required
- Disable or uninstall the JE Photo Gallery 1.1 extension from all Joomla installations until a fixed release is verified.
- Force a password reset for all Joomla administrator and privileged user accounts in case credential hashes were exposed.
- Review web server access logs for prior exploitation attempts against com_jephotogallery and treat matches as confirmed credential compromise.
Patch Information
No vendor patch is referenced in the published advisory. The extension is distributed from joomlaextensions.co.in, and administrators should consult the vendor directly for a fixed build. Until a verified update is available, removing the component is the only reliable remediation. Additional technical context is available in the VulnCheck Advisory on Joomla SQL Injection.
Workarounds
- Block requests to index.php containing option=com_jephotogallery at the WAF or reverse proxy layer.
- Enforce strict integer validation on the categoryid parameter via WAF rules, rejecting any non-numeric values.
- Restrict the Joomla database account's privileges so the web application cannot read the #__users table beyond required columns.
- Place the affected Joomla site behind authentication or IP allow-listing during incident response.
# Example ModSecurity rule blocking SQLi attempts against com_jephotogallery
SecRule ARGS:categoryid "!@rx ^[0-9]+$" \
"id:1002543,phase:2,deny,status:403,\
msg:'CVE-2018-25433 JE Photo Gallery categoryid non-integer input',\
tag:'CWE-89',tag:'joomla'"