CVE-2018-25391

Vulnerability

HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints. The admin/modul/mod_pengurus/aksi_pengurus.php (with parameters module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (with parameters module=update&act=hapus) endpoints process deletions without verifying the requester's privileges. An unauthenticated attacker can delete arbitrary records by sending a crafted request specifying the target record's id. This affects all installations of HaPe PKH version 1.1 [3].

Exploitation

An attacker does not require any authentication or prior access. The attacker sends a POST or GET request to the vulnerable endpoints with the appropriate module, act, and id parameters. For example, a request to admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=1 would delete the pengurus record with ID 1. No user interaction or special privileges are needed [3].

Impact

Successful exploitation allows an unauthenticated attacker to delete arbitrary pengurus (administrator) and update records from the database. This can lead to loss of administrative accounts and disruption of the application's data integrity. The attacker can remove critical user records, potentially locking out legitimate administrators or corrupting the system's data [3].

Mitigation

As of the available references, no official patch has been released for HaPe PKH 1.1. The vendor's website (sitejo.id) and the SourceForge project page do not indicate a fixed version [2]. Users should consider implementing access controls at the web server level or disabling the vulnerable endpoints until a patch is provided. The application may be end-of-life or unmaintained [2][3].