CVE-2018-25385
SQL Injection in E-Registrasi Pencak Silat 18.10
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
E-Registrasi Pencak Silat version 18.10 contains a high-severity SQL injection vulnerability in the 'id_partai' parameter of the monitor_nilai.php file.
This flaw allows unauthenticated attackers to inject malicious SQL code through the id_partai parameter by sending crafted GET requests.
As a result, attackers can manipulate SQL queries executed by the application, potentially leading to unauthorized access to sensitive database information.
How can this vulnerability impact me? :
This vulnerability can have significant impacts including unauthorized extraction of sensitive data such as admin credentials and user information.
Attackers can exploit this flaw to access, modify, or delete data within the application's database without authentication.
Such unauthorized access can lead to data breaches, loss of data integrity, and compromise of user privacy.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious GET requests to the monitor_nilai.php file that include the id_partai parameter with potentially malicious SQL payloads.
A practical detection method is to analyze web server logs or use network monitoring tools to identify requests where the id_partai parameter contains SQL injection patterns or encoded SQL commands.
For example, you can use the following command to search web server logs for suspicious id_partai parameter usage:
- grep -i 'monitor_nilai.php' /var/log/apache2/access.log | grep 'id_partai='
Additionally, you can look for hexadecimal encoded SQL payloads in the id_partai parameter, which attackers use to exploit the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing input validation and sanitization on the id_partai parameter to prevent SQL injection.
Using prepared statements or parameterized queries in the monitor_nilai.php file will help prevent attackers from injecting malicious SQL code.
Additionally, restricting access to the vulnerable script and monitoring for suspicious activity can reduce the risk of exploitation.
If possible, update or patch the application to a version where this vulnerability is fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in E-Registrasi Pencak Silat 18.10 allows attackers to extract sensitive database information, including admin credentials and user data. This unauthorized access to sensitive personal data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access or disclosure.
By enabling attackers to access and potentially misuse sensitive user data, this vulnerability increases the risk of data breaches, which can result in legal penalties, reputational damage, and loss of trust under these common standards and regulations.