CVE-2018-25389
Description
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'nama_kelompok' POST parameter sent to lap-anggota-kelompok-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in HaPe PKH 1.1's 'nama_kelompok' parameter allows attackers to extract sensitive database information via blind time-based payloads.
Vulnerability
HaPe PKH version 1.1 contains an SQL injection vulnerability in the lap-anggota-kelompok-pdf.php script. The nama_kelompok POST parameter is not sanitized, allowing an attacker to inject arbitrary SQL commands [1][3]. The code path is reachable without authentication. The same vulnerability also affects the desa parameter in lap-peserta-perdesa-pdf.php and the id parameter in several admin/media.php endpoints [1].
Exploitation
An unauthenticated attacker can send a crafted HTTP POST request to lap-anggota-kelompok-pdf.php with a malicious nama_kelompok parameter that includes a SLEEP() function for time-based blind SQL injection [1][3]. No special network position or user interaction is required beyond sending the request. The attacker can infer database information by observing response delays.
Impact
Successful exploitation allows the attacker to infer and extract sensitive data from the underlying database, including user credentials, session tokens, and other application data [3]. The attacker gains read access to the entire database; the CVSS v3 base score is 8.2 (High) [1][3].
Mitigation
No official patch was published as of the release date of this advisory; the vendor's project page on SourceForge does not indicate a fixed version [2]. The application may be end-of-life or unmaintained. Sites running HaPe PKH 1.1 should remove the application from public access and migrate to an alternative solution. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in `lap-anggota-kelompok-pdf.php` allows SQL code to be injected via the `nama_kelompok` POST parameter."
Attack vector
An unauthenticated attacker sends a crafted POST request to `lap-anggota-kelompok-pdf.php` with a malicious `nama_kelompok` parameter containing a time-based blind SQL injection payload (e.g., `' AND (SELECT * FROM (SELECT(SLEEP(5)))X)-- X`) [1]. The application does not sanitize this input, allowing the attacker to infer database contents by observing response delays. The CVSS vector confirms the attack is network-based, requires no authentication, and has low complexity [CWE-89].
Affected code
The vulnerability exists in `lap-anggota-kelompok-pdf.php`, where the `nama_kelompok` POST parameter is directly concatenated into SQL queries without sanitization or parameterization [1]. Additional injection points are present in `lap-peserta-perdesa-pdf.php` (via the `desa` parameter) and in several `admin/media.php` endpoints (via `id` parameters) [1].
What the fix does
The advisory does not include a published patch. To remediate, the application must use prepared statements or parameterized queries for all database interactions, and strictly validate or escape user-supplied input before including it in SQL statements [1]. Without a fix, all injection points remain exploitable.
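The remediation described above, shown next to the concatenation pattern it replaces. This is an added example, not code from HaPe PKH or from the advisory. The use of PDO, the in-memory SQLite stand-in, the `anggota` table and its columns, and the 64-character limit are assumptions made for illustration.

```php
<?php
// Added illustration: table and column names are assumed, not taken from HaPe PKH.
// In-memory SQLite stands in for the application's database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE anggota (nama TEXT, nama_kelompok TEXT)");
$pdo->exec("INSERT INTO anggota VALUES ('Siti', 'Kelompok A'), ('Budi', 'Kelompok B')"); // constructed rows

// Pattern the advisory describes: the POST value is concatenated into the SQL text.
function members_concatenated(PDO $pdo, string $namaKelompok): array
{
    $sql = "SELECT nama FROM anggota WHERE nama_kelompok = '" . $namaKelompok . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Remediation: the SQL text is fixed and the value travels as a bound parameter.
function members_prepared(PDO $pdo, string $namaKelompok): array
{
    // Validation as a second layer (assumed limit): reject empty or oversized names.
    if ($namaKelompok === '' || strlen($namaKelompok) > 64) {
        return [];
    }
    $stmt = $pdo->prepare("SELECT nama FROM anggota WHERE nama_kelompok = :kelompok");
    $stmt->execute([':kelompok' => $namaKelompok]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$inputs = [
    'Kelompok A',
    "' AND (SELECT * FROM (SELECT(SLEEP(5)))X)-- X", // payload quoted in the advisory
];

foreach ($inputs as $input) {
    try {
        $rows = members_concatenated($pdo, $input);
        echo "concatenated: " . count($rows) . " row(s)\n";
    } catch (PDOException $e) {
        // SQLite has no SLEEP(), so the injected fragment surfaces as an SQL error
        // here; on MySQL the same fragment would run and delay the response.
        echo "concatenated: input was parsed as SQL (" . $e->getMessage() . ")\n";
    }
    $rows = members_prepared($pdo, $input);
    echo "prepared:     " . count($rows) . " row(s)\n";
}
```

With the bound parameter, the advisory's payload is compared as an ordinary string against `nama_kelompok` and matches no rows; the same change applies to the `desa` and `id` parameters named above.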
Preconditions
- network: The attacker must be able to send HTTP POST requests to the vulnerable endpoint.
- auth: No authentication is required; the vulnerability is accessible to unauthenticated users.
- config: The application must be running HaPe PKH version 1.1.
Reproduction
Send a POST request to `http://localhost/[PATH]/lap-anggota-kelompok-pdf.php` with the body `nama_kelompok=%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58`. If the application pauses for approximately 5 seconds before responding, the injection is successful [1].
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.