CVE-2018-25412
Description
Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form data. Attackers can upload PHP files with arbitrary content to the upload directory and execute them on the server for remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated arbitrary file upload in Delta Sql 1.8.2 allows remote code execution via crafted POST to docs_upload.php.
Vulnerability
Delta Sql 1.8.2 contains an arbitrary file upload vulnerability in docs_upload.php. The script performs no authentication check before handling an upload (CWE-306, Missing Authentication for Critical Function), so an unauthenticated attacker can send a POST request with crafted multipart form data and have a file of arbitrary name and content written to the server's upload directory [3].
Exploitation
An attacker exploits this by sending a POST request to the docs_upload.php endpoint with a multipart form-data body carrying a PHP file (for example, a web shell). No credentials or prior access are required. Because the uploaded file is written to the upload directory under the web root and the server executes .php files there, the attacker then requests the file directly over HTTP and the server runs the attacker's PHP code [3].
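The two-step pattern above (an unauthenticated POST to docs_upload.php, then a request for a .php file in the upload directory from the same client) is what a defender can hunt for in web server access logs. The following is an added example written for this page, not code from Delta Sql or from the CVE references. It parses combined-format log lines, reports every POST to the endpoint, every request for a PHP file under the upload directory, and the higher-confidence chains where both come from one IP within a time window. The upload directory path is an assumption: the advisory does not name it, so the placeholder must be set to the real path of the installation. The log lines are constructed sample data using documentation IP ranges.

```python
"""Detect the CVE-2018-25412 exploitation pattern in web server access logs.

Added example for this advisory page; it is not Delta Sql code and does not
reproduce the vulnerable script.  It looks for a POST to docs_upload.php
followed by a request for a .php file in the upload directory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/docs_upload.php"  # endpoint named in the CVE description
# Assumption: the advisory does not name the upload directory.  This placeholder
# must be changed to the directory the installed docs_upload.php writes to.
UPLOAD_DIR_PREFIX = "/uploads/"
WINDOW = timedelta(minutes=15)  # max gap between the POST and the follow-up GET

# Apache/nginx "combined" format: client, identd, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:01:09 +0000] "POST /docs_upload.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:01:15 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [12/May/2024:10:05:00 +0000] "POST /docs_upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2024:10:05:20 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2024:11:30:00 +0000] "GET /uploads/shell.php HTTP/1.1" 404 196 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def in_upload_dir_php(path):
    """True for any .php file requested from the upload directory (case-insensitive)."""
    return path.startswith(UPLOAD_DIR_PREFIX) and path.lower().endswith(".php")


def analyze(lines):
    """Return three finding lists, from lowest to highest confidence:
    upload_posts  - (ip, ts) for every POST to docs_upload.php
    webshell_hits - (ip, path, status) for every .php request under the upload dir
    chains        - (ip, path, status) where the same ip POSTed within WINDOW before
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    posts_by_ip = defaultdict(list)
    upload_posts, webshell_hits, chains = [], [], []
    for e in events:
        if e["method"] == "POST" and e["path"].endswith(UPLOAD_ENDPOINT):
            posts_by_ip[e["ip"]].append(e["ts"])
            upload_posts.append((e["ip"], e["ts"]))
        elif in_upload_dir_php(e["path"]):
            # A 404 here is still worth seeing: the file may have been uploaded
            # from another address, or cleaned up, or the request was a probe.
            webshell_hits.append((e["ip"], e["path"], e["status"]))
            for t in posts_by_ip[e["ip"]]:
                if timedelta(0) <= e["ts"] - t <= WINDOW:
                    chains.append((e["ip"], e["path"], e["status"]))
                    break
    return {"upload_posts": upload_posts, "webshell_hits": webshell_hits, "chains": chains}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, path, status in result["chains"]:
        print(f"HIGH   {ip} POSTed to {UPLOAD_ENDPOINT} then requested {path} (HTTP {status})")
    for ip, path, status in result["webshell_hits"]:
        print(f"MEDIUM {ip} requested PHP file in upload dir: {path} (HTTP {status})")
    for ip, ts in result["upload_posts"]:
        print(f"LOW    {ip} POST to {UPLOAD_ENDPOINT} at {ts.isoformat()}")
```

On the sample data the script reports one high-confidence chain (203.0.113.7 uploads, then runs /uploads/shell.php), two PHP requests under the upload directory (the second, from 192.0.2.9, returned 404 and is surfaced as a probe or a stale shell), and two POSTs to the endpoint. Any request for a .php file in a directory meant for documents deserves attention even without a matching POST, since the attacker may have uploaded from a different address or outside the retained log window.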
Impact
Successful exploitation lets an attacker execute arbitrary PHP code on the server with the privileges of the web server process. That is full remote code execution (RCE): the attacker can read application data and configuration (including database credentials the tool holds), take over the host, and pivot to other systems. The CVSS v3 base score is 9.8 (Critical) [3].
Mitigation
As of the reference publication date, no official patch has been released for Delta Sql 1.8.2 [3]. Until a fixed release is available, operators should (a) require authentication in front of docs_upload.php, or block the endpoint entirely at the web server (for example, with an .htaccess deny rule) if document upload is not needed; (b) disable script execution in the upload directory, so that an uploaded .php file is served as inert content rather than run; and (c) inspect the upload directory and access logs for files and requests that the application never legitimately produces. The vulnerability was identified by VulnCheck and is classified as CWE-306, Missing Authentication for Critical Function [3]. There is no indication of inclusion in the CISA KEV catalog at the time of writing.
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (5)
News mentions
No linked articles in our index yet.