VYPR
High severity · 8.8 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2018-25388

Description

HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Attackers can upload PHP files through multiple endpoints including aksi_foto.php, aksi_user.php, and aksi_kecamatan.php to execute arbitrary code on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HaPe PKH 1.1 has an arbitrary file upload vulnerability allowing authenticated attackers to bypass file type validation and execute arbitrary code on the server.

Vulnerability

HaPe PKH 1.1 suffers from an arbitrary file upload vulnerability [1][3]. The application fails to properly validate file types in multiple endpoints, including aksi_foto.php, aksi_user.php, and aksi_kecamatan.php. This allows authenticated attackers with a valid session to upload PHP files (e.g., Shell.php) instead of the expected image files. The uploaded files are stored in web-accessible paths such as the gambar-konten/ directory, where they become executable. The affected software version is 1.1 (and possibly earlier versions, as the project is a continuation of SIM-PKH 2.5) [2].

Exploitation

An attacker must first obtain valid authentication credentials for the admin panel. The exploit requires no special network position beyond normal web access. Exploitation steps involve intercepting the file upload request (e.g., via the form posted to aksi_foto.php) and substituting the file with a PHP shell. As demonstrated in the proof of concept, the attacker can then access the shell via a path like http://localhost/[PATH]/gambar-konten/9Shell.php [1]. Multiple upload endpoints (aksi_foto.php, aksi_user.php, aksi_kecamatan.php) provide alternative vectors.

Impact

Successful exploitation results in arbitrary code execution on the server. The attacker gains the ability to execute PHP commands in the context of the web server, potentially leading to full compromise of the application, modification or exfiltration of data, and further attacks against the underlying system.

Mitigation

According to the available references, no official patch has been released. The vendor homepage (sitejo.id) and the SourceForge project page [2] indicate that further development may occur, but no fixed version is mentioned. In the absence of a patch, administrators should restrict access to the admin panel, implement strong authentication, and apply input validation and file extension whitelisting on all upload endpoints. The CVE is not listed in the KEV catalog.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing file type validation in image upload functionality allows arbitrary file upload."

Attack vector

An authenticated attacker submits a crafted HTTP POST request to one of the three vulnerable endpoints, uploading a PHP web shell instead of a legitimate image file. The server stores the uploaded file under `gambar-konten/` without verifying its MIME type or extension. The attacker then accesses the uploaded shell directly via its URL to execute arbitrary PHP code on the server. No special network position is required beyond network access to the web application.

Affected code

The vulnerability exists in three admin module endpoints: `aksi_foto.php`, `aksi_user.php`, and `aksi_kecamatan.php`. These scripts accept file uploads but fail to validate that the uploaded file is actually an image, allowing arbitrary file types such as `.php` to be stored in the `gambar-konten/` directory.

What the fix does

The advisory does not include a patch. To remediate, the application must validate uploaded files by checking both the file extension (e.g., only allow `.jpg`, `.png`, `.gif`) and the actual MIME content type on the server side. Uploaded files should also be stored outside the web root or served with a non-executable Content-Type header to prevent code execution.
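The checks described above, sketched as an added example (not HaPe PKH code and not a vendor patch). The function name `store_image_upload()`, the size limit and the `/var/app-uploads` path are assumptions; `fupload` is the form field named in this advisory.

```php
<?php
// Added example: hardened image upload step. Names here are hypothetical.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_image_upload(array $file, string $destDir, int $maxBytes = 2097152): string
{
    // Reject failed, oversized, or non-HTTP-upload files.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > $maxBytes) {
        throw new RuntimeException('invalid upload');
    }

    // Extension check on the client-supplied name (allowlist, case-insensitive).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') { $ext = 'jpg'; }
    if (!in_array($ext, ALLOWED_IMAGE_TYPES, true)) {
        throw new RuntimeException('extension not allowed');
    }

    // Content check: sniff the MIME type from the bytes, never trust $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || ALLOWED_IMAGE_TYPES[$mime] !== $ext) {
        throw new RuntimeException('content is not an allowed image type');
    }
    // The file must also parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a parseable image');
    }

    // Server-generated name: the client-supplied name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage in a handler (destination outside the web root, assumed path):
// $name = store_image_upload($_FILES['fupload'], '/var/app-uploads');
```

Content sniffing alone is not sufficient, because a valid image can still carry embedded PHP; the server-generated name with a fixed image extension and the storage location outside the web root are what keep the file from being interpreted.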

Preconditions

  • auth: Attacker must have a valid authenticated session (e.g., admin-level credentials) to access the admin module endpoints.
  • config: The web server must be configured to execute PHP files stored in the upload directory.

Reproduction

1. Log in to the HaPe PKH admin panel.
2. Prepare a PHP web shell (e.g., `Shell.php`) containing `<?php system($_GET['cmd']); ?>`.
3. Submit the shell via the form at `admin/modul/mod_pengurus/aksi_foto.php?module=pengurus&act=input` using the `fupload` field.
4. Access the uploaded shell at `http://localhost/hape-pkh/gambar-konten/9Shell.php` (or the filename assigned by the application).
5. Execute commands by appending `?cmd=id` to the shell URL.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
