CVE-2018-25387
Description
HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HaPe PKH 1.1 is vulnerable to cross-site request forgery, allowing an attacker to silently change the administrator password via a forged POST request.
Vulnerability
HaPe PKH version 1.1 contains a cross-site request forgery (CSRF) vulnerability in the aksi_user.php script. The endpoint admin/modul/mod_user/aksi_user.php?module=user&act=update accepts POST requests without any anti-CSRF token or origin validation. An attacker can craft a form with parameters id_user, password, and level to update the administrator account without needing any prior authentication or authorization [2][3]. The application is based on PHP and uses a SQL database, as described on its SourceForge project page [1].
Exploitation
An attacker only needs to trick an authenticated administrator into visiting a malicious page or submitting a crafted form while the admin's session is active. No additional network position or authentication is required because the vulnerable endpoint does not verify the request origin or enforce any session-based token [2]. The PoC demonstrates a simple HTML form that automatically submits a POST request to the target URL with attacker-controlled values for id_user (set to 1 for the admin), password, and level [2].
Impact
Successful exploitation allows the attacker to change the administrator password, thereby gaining full administrative control over the HaPe PKH application. This leads to complete compromise of the application's confidentiality, integrity, and availability, as the attacker can then manage all users, data, and settings [2][3].
Mitigation
No official patch or fixed version has been released by the vendor. The project's SourceForge page indicates it is at version 1.0 and further development is planned, but no update addressing this CSRF issue is available as of the publication date [1]. The recommended workaround is to implement anti-CSRF tokens in all state-changing requests and validate the Referer header. Until a patch is provided, administrators should review active sessions and avoid clicking untrusted links while logged in [3].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF protection on the user update endpoint allows an attacker to forge password-change requests."
Attack vector
An attacker crafts a malicious HTML form that submits a POST request to `aksi_user.php?module=user&act=update` with `id_user=1`, a new `password`, and `level=admin`. If a logged-in administrator visits the attacker's page, the form auto-submits (or is submitted via social engineering) and changes the admin password without the admin's consent [ref_id=1]. No authentication token or CSRF token is checked, so the forged request is processed as if it came from the legitimate user.
Affected code
The vulnerability exists in `aksi_user.php` within the `admin/modul/mod_user/` directory. The script accepts POST parameters `id_user`, `password`, and `level` to update user credentials without verifying the request origin or requiring re-authentication.
What the fix does
The advisory does not include a patch. To remediate, the application should implement CSRF tokens tied to the user session, validate the HTTP Referer header, or require the current password before allowing a password change. Without such protections, any cross-origin request can modify administrator credentials.
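As an added defender-side example (not HaPe PKH's own code), here is a hardened sketch of the update branch that applies the three mitigations named in the Mitigation and "What the fix does" sections: a session-bound anti-CSRF token, an Origin/Referer check, and re-authentication with the current password. Function names, the csrf_token and current_password form fields, and the in-memory $users array are assumptions.

```php
<?php
// Added example, not HaPe PKH's own code: a hardened sketch of the
// aksi_user.php "update" branch. Function names, the csrf_token field,
// the current_password field and the $users array are assumptions.
session_start();

// Per-session anti-CSRF token; call it when rendering the edit form and
// embed the value as a hidden input named csrf_token.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time check; a cross-site form cannot read the victim's session,
// so it cannot supply the matching token.
function csrf_valid($submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: Origin (or, if absent, Referer) must name our own host.
// A missing header fails closed.
function same_origin(string $ownHost): bool {
    $src = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $srcHost = $src === '' ? '' : (string) parse_url($src, PHP_URL_HOST);
    return $srcHost !== '' && strcasecmp($srcHost, $ownHost) === 0;
}

// Constructed stand-in for the users table so the snippet runs without a DB.
$users = [1 => ['hash' => password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 'level' => 'admin']];
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && ($_GET['module'] ?? '') === 'user' && ($_GET['act'] ?? '') === 'update') {
    $ownHost = (string) parse_url('http://' . ($_SERVER['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    $me = (int) ($_SESSION['id_user'] ?? 0);          // logged-in user, never taken from POST
    if ($me === 0 || !isset($users[$me]) || !csrf_valid($_POST['csrf_token'] ?? null) || !same_origin($ownHost)) {
        http_response_code(403);
        exit('Forbidden: missing login, bad CSRF token or cross-site origin');
    }
    // Target account comes from the session unless the caller is an admin.
    $target = $users[$me]['level'] === 'admin' ? (int) ($_POST['id_user'] ?? $me) : $me;
    // Re-authentication: the caller's current password is required for any change.
    if (!isset($users[$target]) || !password_verify((string) ($_POST['current_password'] ?? ''), $users[$me]['hash'])) {
        http_response_code(403);
        exit('Forbidden: current password check failed');
    }
    $users[$target]['hash'] = password_hash((string) ($_POST['password'] ?? ''), PASSWORD_DEFAULT);
    // Real code would issue the UPDATE through a prepared statement keyed on $target.
}
```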
Preconditions
- auth: An administrator must be logged into the HaPe PKH application and visit a page controlled by the attacker.
- input: The attacker must know or guess the target application's base URL (e.g., http://localhost/hape-pkh/).
- config: The application must not enforce any CSRF protection (no token, no origin/referer check).
Reproduction
1. Host the PoC HTML form from [ref_id=1] on an attacker-controlled page.
2. Ensure the form's `action` points to the victim's HaPe PKH installation (e.g., `http://victim/hape-pkh/admin/modul/mod_user/aksi_user.php?module=user&act=update`).
3. Lure an authenticated admin to visit the page; the form auto-submits or the admin clicks the submit button.
4. The admin password is changed to the value set in the form (e.g., `efe`).
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.