CVE-2025-44203 Overview
CVE-2025-44203 affects HotelDruid 3.0.7, a property management web application from Digitaldruid. The vulnerability resides in creadb.php, the database creation endpoint exposed before initial setup is complete. An unauthenticated attacker can send malformed POST requests to this endpoint and trigger verbose SQL error messages. These errors disclose the administrator username, password hash, and salt. The same malformed requests can leave the application in a state that blocks legitimate administrator logins, producing a denial-of-service condition. The flaw is categorized under CWE-209: Information Exposure Through an Error Message.
Critical Impact
Unauthenticated attackers can extract administrator credential material and prevent administrator login on HotelDruid 3.0.7.
Affected Products
- Digitaldruid HotelDruid 3.0.0
- Digitaldruid HotelDruid 3.0.7
- HotelDruid deployments exposing creadb.php prior to database creation
Discovery Timeline
- 2025-06-20 - CVE-2025-44203 published to NVD
- 2025-06-26 - Last updated in NVD database
Technical Details for CVE-2025-44203
Vulnerability Analysis
The vulnerability is an information disclosure flaw triggered by SQL error handling in creadb.php. This endpoint is reachable before an administrator presses the create database button during initial setup. The application returns raw SQL error output in HTTP responses when it receives malformed POST parameters. The error text includes fragments of internal queries that reference the administrator account row, exposing the stored username, password hash, and salt. An attacker with the hash and salt can run offline password cracking against the credential, bypassing rate limits and authentication telemetry. The secondary impact is denial of service: certain malformed requests corrupt application state and block subsequent administrator logins even with valid credentials. The Exploit Prediction Scoring System (EPSS) lists this CVE at 0.082%.
Root Cause
The root cause is improper error handling combined with missing authentication on a setup endpoint. creadb.php executes database queries using attacker-controlled input and returns database driver errors directly to the client. Sensitive query fragments and stored values appear inside those error strings, violating the least-privilege output handling principles described in CWE-209.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted POST requests to the creadb.php endpoint of an internet-exposed HotelDruid 3.0.7 instance. The malformed parameters force the backend into error paths that echo SQL details. A proof-of-concept is published in the GitHub PoC Repository maintained by the reporter.
No verified exploit code is included here. Refer to the linked PoC repository for request structure and reproduction steps.
Detection Methods for CVE-2025-44203
Indicators of Compromise
- POST requests targeting /creadb.php from external or unexpected source addresses
- HTTP 200 responses from creadb.php containing SQL error keywords such as SQLSTATE, mysqli, or Warning: PDO
- Repeated requests to creadb.php with varying parameter values consistent with parameter fuzzing
- Failed administrator logins immediately following access attempts to creadb.php
Detection Strategies
- Inspect web server access logs for any external requests to creadb.php after initial deployment; the endpoint should not be reachable post-setup
- Alert on HTTP response bodies from HotelDruid containing database error tokens such as You have an error in your SQL syntax
- Correlate creadb.php access events with administrator login failures within short time windows
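The two log-based strategies above (external requests to creadb.php, and creadb.php access followed by administrator login failures) can be implemented as a small triage script. This is an added example, not code from HotelDruid or the vulnerability reporter; the access-log lines and login-failure timestamps are constructed, and the login-failure source is assumed because the page does not describe HotelDruid's login logging.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format (nginx/Apache); only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample access log (not real traffic): an external host probes creadb.php twice,
# a trusted setup host and loopback also touch it, and one unrelated request is mixed in.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [20/Jun/2025:10:01:02 +0000] "POST /creadb.php HTTP/1.1" 200 1843 "-" "python-requests/2.32"
203.0.113.7 - - [20/Jun/2025:10:01:03 +0000] "POST /creadb.php?x=1 HTTP/1.1" 200 1912 "-" "python-requests/2.32"
10.0.0.5 - - [20/Jun/2025:10:02:10 +0000] "POST /creadb.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [20/Jun/2025:10:02:20 +0000] "GET /creadb.php HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.9 - - [20/Jun/2025:10:05:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()
# Constructed admin login-failure timestamps; assumed to come from the application's own auth log.
SAMPLE_LOGIN_FAILURES = [
    datetime(2025, 6, 20, 10, 4, 30, tzinfo=timezone.utc),
    datetime(2025, 6, 20, 10, 6, 0, tzinfo=timezone.utc),
]

def parse_access_line(line):
    """Return (src, timestamp, method, path without query string, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    return m["src"], datetime.strptime(m["ts"], TS_FMT), m["method"], path, int(m["status"])

def creadb_hits(lines, trusted_setup_hosts=("127.0.0.1", "::1")):
    """Every request to /creadb.php from a source that is not an allow-listed setup host."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        src, ts, method, path, status = rec
        if path == "/creadb.php" and src not in trusted_setup_hosts:
            hits.append({"src": src, "ts": ts, "method": method, "status": status})
    return hits

def correlate_login_failures(hits, login_failures, window=timedelta(minutes=10)):
    """Escalate a creadb.php hit when admin login failures follow it within `window`."""
    alerts = []
    for hit in hits:
        after = [f for f in login_failures if hit["ts"] <= f <= hit["ts"] + window]
        if after:
            alerts.append({**hit, "login_failures_after": len(after)})
    return alerts
```

Pass the hosts that legitimately performed setup in trusted_setup_hosts; anything else reaching creadb.php after deployment is worth a ticket, and a hit followed by failed administrator logins is the DoS variant described above.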
Monitoring Recommendations
- Forward HotelDruid web and PHP error logs to a centralized logging platform for retention and search
- Deploy a Web Application Firewall (WAF) rule that blocks unauthenticated access to setup-only endpoints including creadb.php
- Monitor for sudden inability of the administrator to log in, which may indicate the DoS variant of this attack
How to Mitigate CVE-2025-44203
Immediate Actions Required
- Restrict network access to creadb.php using web server access controls or firewall rules limiting it to trusted setup hosts
- Remove or rename the creadb.php script after the initial database has been created
- Audit HotelDruid for unauthorized access attempts and rotate the administrator password and salt if exposure is suspected
Patch Information
No vendor advisory or fixed version is referenced in the NVD entry for CVE-2025-44203. Monitor the Hotel Druid Website for updates beyond version 3.0.7 and apply them when released.
Workarounds
- Disable PHP display_errors in production and route errors only to server-side logs
- Place HotelDruid behind a reverse proxy that strips verbose database error strings from response bodies
- Block all external traffic to setup endpoints at the WAF or ingress layer until an official patch is available
; Configuration example: disable verbose PHP errors in php.ini
; (php.ini comments start with ";", not "#")
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log

# Nginx: deny external access to the setup endpoint
# Keep the site's normal PHP handling (fastcgi_pass and related directives) inside this
# block as well, otherwise an allowed client is served the raw script instead of running it.
location = /creadb.php {
    allow 127.0.0.1;
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.