CVE-2018-18486
Description
An issue was discovered in PHPSHE 1.7. SQL injection exists via the admin.php?mod=user&act=del user_id[] parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPSHE 1.7 admin SQL injection in user deletion allows authenticated attackers to extract database contents via crafted user_id[] parameter.
Vulnerability
An SQL injection vulnerability exists in PHPSHE version 1.7. The issue is located in the admin panel's user deletion functionality, triggered via the admin.php?mod=user&act=del endpoint. The user_id[] parameter is not properly sanitized before being used in SQL queries, allowing an authenticated administrator to inject arbitrary SQL code. This flaw is present in the PHP code handling batch user deletion in the administrative interface [1].
Exploitation
An attacker must possess valid administrative credentials to access the vulnerable admin panel. After logging in, the attacker sends a crafted POST request to admin.php?mod=user&act=del with a malicious user_id[] value. For example, appending an SQL payload such as 1 or 1=1 to the parameter can manipulate the query. The injection occurs because the value is concatenated into the SQL statement without sufficient input validation [1].
Impact
Successful exploitation allows an authenticated attacker to extract sensitive data from the database, including potentially other administrators' credentials and user information. The attacker can also modify or delete arbitrary database records, leading to information disclosure, data integrity loss, and potential elevation of privileges within the application [1].
Mitigation
As of the available references, no official patch or fixed version has been released by the vendor for PHPSHE 1.7. The vulnerability was reported to the project's repository in 2018, but no fix was provided. Users should restrict access to the admin panel to trusted personnel and ensure the application is updated to a later version if available. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
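The advisory states that user_id[] is concatenated into the DELETE statement without validation. The following PHP is an added illustration of that bug class and its fix; it is not PHPSHE's code, and the table name `user`, the column `user_id`, the PDO handle and the in-memory SQLite database are assumptions constructed for the demonstration. The hardened form rejects any element that is not a positive integer and binds each value through a prepared statement, so request data can never reach the SQL parser as SQL text.

```php
<?php
// Added illustration, not PHPSHE's source. Assumes a PDO handle and a
// hypothetical table `user` with an integer primary key `user_id`.

// VULNERABLE PATTERN (the class of bug the CVE describes): the user_id[]
// array is joined straight into the statement, so any element that is not
// a number becomes part of the SQL text.
function delete_users_unsafe(PDO $pdo, array $ids): int
{
    $list = implode(',', $ids);                      // no validation, no binding
    return $pdo->exec("DELETE FROM user WHERE user_id IN ($list)");
}

// HARDENED FORM: validate every element as a positive integer, then bind
// each one as a typed parameter. An invalid element aborts the whole
// request instead of being silently dropped or passed through.
function delete_users_safe(PDO $pdo, array $ids): int
{
    $clean = [];
    foreach ($ids as $id) {
        $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n === false) {
            throw new InvalidArgumentException('user_id[] must contain positive integers only');
        }
        $clean[] = $n;
    }
    if ($clean === []) {
        return 0;
    }
    // One placeholder per id; the SQL text is fixed, only the values vary.
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $stmt = $pdo->prepare("DELETE FROM user WHERE user_id IN ($placeholders)");
    foreach ($clean as $i => $n) {
        $stmt->bindValue($i + 1, $n, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample database (in-memory SQLite) with three users.
function fresh_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO user (user_id, name) VALUES (1,'admin'),(2,'alice'),(3,'bob')");
    return $pdo;
}

function remaining(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM user')->fetchColumn();
}

// Simulated request: one legitimate id followed by an element of the kind
// the advisory mentions, which is not a valid integer.
$input = ['2', '1 or 1=1'];

// Unsafe path: the tautology is evaluated as SQL and every row is removed.
$db = fresh_db();
delete_users_unsafe($db, $input);
echo "unsafe: rows remaining = " . remaining($db) . PHP_EOL;     // 0

// Safe path: the request is rejected before any SQL runs.
$db = fresh_db();
try {
    delete_users_safe($db, $input);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected (" . $e->getMessage() . ")" . PHP_EOL;
}
echo "safe: rows remaining = " . remaining($db) . PHP_EOL;       // 3

// Safe path with valid input behaves as the feature intends.
echo "safe: deleted = " . delete_users_safe($db, ['2', '3']) . PHP_EOL; // 2
```

The validation step matters even with prepared statements: binding `'1 or 1=1'` as PDO::PARAM_INT would coerce it to 1 and silently delete a different account, so rejecting malformed input outright is the behaviour a batch-delete endpoint should have. Restricting who can reach the admin panel, as the mitigation above recommends, limits exposure but does not replace fixing the query construction.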
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
- gitee.com/koyshe/phpshe/issues/INPIT
News mentions (0)
No linked articles in our index yet.