CVE-2018-25196

Vulnerability

Overview

ServerZilla 1.0 contains a SQL injection vulnerability in the reset.php endpoint. The email parameter is not properly sanitized before being used in database queries, allowing an unauthenticated attacker to inject arbitrary SQL commands [1][2]. The root cause is the application's failure to neutralize special elements used in SQL commands, corresponding to CWE-89 [2].

Attack

Vector

An attacker can exploit this vulnerability by sending a crafted POST request to reset.php with a malicious email parameter containing SQL operators. The provided exploit demonstrates using URL-encoded payload such as %27%20%4f%52%20%4e%4f%54%20%31%3d%31%2d%2d%20%45%66%65 (which decodes to ' OR NOT 1=1-- Efe) to manipulate the database query [1]. No authentication is required, and the attack can be performed over the network with low complexity [2].

Impact

Successful exploitation allows an attacker to bypass authentication mechanisms and extract sensitive information from the database. The CVSS v4 score indicates a high impact on confidentiality (VC:H) and a low impact on integrity (VI:L) [2]. An attacker could potentially read arbitrary data from the application's database, including user credentials and other confidential records.

Mitigation

As of the publication date (2026-03-06), no patched version has been released for ServerZilla 1.0. The exploit has been publicly available since November 2018 [1]. Users should consider migrating to an alternative solution or implementing input validation and parameterized queries to mitigate the risk.