CVE-2018-25389
SQL Injection in HaPe PKH via nama_kelompok Parameter
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hape | pkh | 1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
HaPe PKH version 1.1 contains a high-severity SQL injection vulnerability in the 'nama_kelompok' POST parameter of the lap-anggota-kelompok-pdf.php file.
This flaw allows unauthenticated attackers to inject malicious SQL code into database queries.
Attackers can exploit this by sending crafted requests with time-based blind SQL injection payloads to infer and extract sensitive information from the database.
How can this vulnerability impact me?
Exploiting this vulnerability enables attackers to manipulate database queries without authentication.
This can lead to unauthorized extraction of sensitive database information.
The vulnerability poses a significant risk as indicated by its high CVSS v4 score of 8.8.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP POST requests to the lap-anggota-kelompok-pdf.php endpoint, specifically targeting the 'nama_kelompok' parameter with SQL injection payloads.
A common detection method involves using time-based blind SQL injection techniques, such as injecting payloads that cause a delay (e.g., SLEEP(5)) in the database response if the injection is successful.
For example, you can use curl commands to test the vulnerability by sending POST requests with payloads like: nama_kelompok=anything' OR IF(SLEEP(5),1,0)--
If the server response is delayed by the specified time, it indicates the presence of the SQL injection vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying input validation and sanitization on the 'nama_kelompok' POST parameter to prevent SQL injection.
If possible, update or patch HaPe PKH to a version where this vulnerability is fixed.
As a temporary measure, restrict access to the vulnerable endpoint (lap-anggota-kelompok-pdf.php) by implementing firewall rules or access controls to limit exposure.
Monitor logs for suspicious requests containing SQL injection patterns and consider deploying a Web Application Firewall (WAF) to block malicious payloads.
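The log monitoring suggested above could be implemented as follows. This is an added example, not code from the advisory or from the HaPe PKH project; the five-field log format (which assumes the request body is being recorded), the rule set and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

ENDPOINT = "lap-anggota-kelompok-pdf.php"  # file named in the advisory
PARAM = "nama_kelompok"                    # parameter named in the advisory

# Heuristic indicators (assumed rule set); tune against your own traffic.
RULES = {
    "time-delay function": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "quote followed by boolean logic": re.compile(r"'\s*(or|and)\b", re.I),
    "trailing SQL comment": re.compile(r"(--\s*|#\s*|/\*.*)$"),
}


def inspect_line(line):
    """Return (client, reasons) for a suspicious request, else None."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5:
        return None  # not in the assumed five-field format
    _ts, client, method, path, body = parts
    if method != "POST" or not path.split("?")[0].endswith(ENDPOINT):
        return None
    reasons = []
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        decoded = unquote_plus(value)  # second pass catches double encoding
        for name, rx in RULES.items():
            if rx.search(decoded) and name not in reasons:
                reasons.append(name)
    return (client, reasons) if reasons else None


def scan(lines):
    """Return every suspicious (client, reasons) pair, in log order."""
    return [hit for hit in map(inspect_line, lines) if hit]


# Constructed sample entries: "<time> <client> <method> <path> <urlencoded body>"
SAMPLE_LOG = [
    "2026-05-29T10:00:01Z 192.0.2.10 POST /lap-anggota-kelompok-pdf.php nama_kelompok=Kelompok+Mawar",
    "2026-05-29T10:00:07Z 198.51.100.23 POST /lap-anggota-kelompok-pdf.php nama_kelompok=anything%27+OR+IF%28SLEEP%285%29%2C1%2C0%29--+",
    "2026-05-29T10:00:09Z 192.0.2.10 POST /index.php nama_kelompok=x%27+OR+1",
    "2026-05-29T10:00:12Z 203.0.113.5 POST /lap-anggota-kelompok-pdf.php nama_kelompok=a%2527%2520or%2520sleep%25285%2529",
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, "->", ", ".join(reasons))
```

Standard web server access logs do not record POST bodies, so this check needs a source that does, such as a WAF audit log or application-level request logging.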
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in HaPe PKH 1.1 allows unauthenticated attackers to extract sensitive database information by manipulating database queries. This exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.
By enabling attackers to access or infer sensitive data, the vulnerability increases the risk of data breaches, which can result in legal and financial penalties under these regulations.