CVE-2018-25386
Description
HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the 'id' parameter. An unauthenticated attacker can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules (for example act=print, act=editpengurus, act=editfasilitas, and act=editkelompok). Successful exploitation allows extraction of sensitive database information including the current user, database name, and DBMS version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HaPe PKH 1.1 has SQL injection in admin/media.php via the 'id' parameter; both unauthenticated and authenticated attackers can use it to extract database information.
Vulnerability
HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php. The id parameter is not sanitized, allowing SQL code injection. Unauthenticated attackers can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit pengurus, fasilitas, and kelompok modules (e.g., act=print, act=editpengurus, act=editfasilitas, act=editkelompok) [1][3].
Exploitation
An attacker sends HTTP GET requests to admin/media.php with malicious SQL in the id parameter. For unauthenticated exploitation, the desa module with act=hapus is used. For authenticated users, modules like pengurus with act=print or act=editpengurus are targeted. Proof-of-concept payloads are publicly available [1]. No authentication is required for the desa module; for other modules, the attacker must be logged in.
Impact
Successful SQL injection allows extraction of sensitive database information, including the current database user, database name, and DBMS version [1][3]. This information could be leveraged for further attacks if credentials are exposed.
Mitigation
No official patch has been released; the vendor appears inactive [2]. As a workaround, administrators should sanitize all user input to the id parameter and restrict access to admin/media.php. The software may be end-of-life. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `id` parameter in `admin/media.php` is directly concatenated into SQL queries without sanitization or parameterization, enabling SQL injection."
Attack vector
An unauthenticated attacker can inject SQL via the `id` parameter in `admin/media.php?module=desa&act=hapus&id=[SQL]` [ref_id=1]. Authenticated users can exploit the same parameter in the `pengurus`, `fasilitas`, and `kelompok` modules (e.g., `act=print`, `act=editpengurus`, `act=editfasilitas`, `act=editkelompok`) [ref_id=1]. The payloads use UNION SELECT and CONCAT_WS to extract the current database user, database name, and DBMS version [ref_id=1].
Affected code
The vulnerability resides in `admin/media.php` and related action files such as `admin/modul/mod_pengurus/aksi_pengurus.php`. The `id` parameter is passed unsanitized into SQL queries across multiple modules (`desa`, `pengurus`, `fasilitas`, `kelompok`) and actions (`hapus`, `print`, `editpengurus`, `editfasilitas`, `editkelompok`).
What the fix does
The advisory does not include a patch. To remediate, the application must use parameterized queries or prepared statements for all `id` parameter values, and apply strict input validation (e.g., rejecting non-numeric values where integers are expected).
Preconditions
- auth: No authentication required for the desa/hapus injection point
- auth: Authentication required for pengurus, fasilitas, and kelompok injection points
- network: Attacker must be able to send HTTP requests to the vulnerable endpoints
- input: The `id` parameter is user-controlled and not sanitized
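The integer-only rule for `id` and the preconditions above can also be applied to web server access logs to find requests worth reviewing. The following is an added example, not code from the advisory or from HaPe PKH; it assumes the Apache/nginx "combined" log layout and a constructed install path of `/pkh/`, and the names `triage` and `SAMPLE_LOG` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Modules the advisory names as injectable through `id`.
MODULES = {"desa", "pengurus", "fasilitas", "kelompok"}
# Assumption: Apache/nginx "combined" access-log layout.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
INT_ID = re.compile(r"[0-9]+")

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /pkh/admin/media.php?module=desa&act=hapus&id=14 HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /pkh/admin/media.php?module=desa&act=hapus&id=14%27 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:03:40 +0000] "GET /pkh/admin/media.php?module=pengurus&act=editpengurus&id=3%22 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2024:10:04:02 +0000] "GET /pkh/index.php?id=9%27 HTTP/1.1" 200 100',
]

def triage(lines):
    """Return one finding per request to a listed module whose `id` is not a plain integer."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/admin/media.php"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        module = query.get("module", [""])[0]
        act = query.get("act", [""])[0]
        if module not in MODULES:
            continue
        for value in query.get("id", []):
            if INT_ID.fullmatch(value):
                continue  # integer ids are the expected, benign shape
            # Per the advisory, desa/hapus is the point reachable without a login.
            pre_auth = (module, act) == ("desa", "hapus")
            findings.append({"client": client, "module": module, "act": act,
                             "id": value, "pre_auth": pre_auth, "status": int(status)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Findings with `pre_auth` set to true match the unauthenticated desa/hapus point and deserve review first, since no session was needed to send them.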
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.