Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1826+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2018-25362: Twitter-Clone SQL Injection via follow.php
CVE-2018-25362: Twitter-Clone SQL Injection via follow.php
SECURITYHIGHCVE-2018-25362

CVE-2018-25362: Twitter-Clone SQL Injection via follow.php

Twitter-Clone 1 contains a high-severity SQL injection vulnerability in follow.php that allows attackers to extract sensitive database information through.

Dylan H.

Security Team

May 26, 2026
4 min read

Affected Products

  • Twitter-Clone 1

Executive Summary

CVE-2018-25362 is a high-severity SQL injection vulnerability in Twitter-Clone 1, an open-source PHP social platform application. The flaw resides in the follow.php endpoint where insufficient sanitization of the userid parameter allows unauthenticated or authenticated attackers to inject arbitrary SQL code into database queries.

CVSS Score: 8.2 (High)

Attackers can leverage this vulnerability to extract sensitive database contents including user credentials, session tokens, and personal information through union-based or time-based blind SQL injection techniques.


Vulnerability Overview

Root Cause

The vulnerability exists in follow.php where user-supplied input passed through the userid parameter is interpolated directly into SQL queries without adequate sanitization or use of prepared statements. This allows an attacker to break out of the intended query context and inject arbitrary SQL commands.

Attack Chain

1. Attacker identifies a Twitter-Clone instance's follow.php endpoint
2. Crafts a malicious userid parameter value containing SQL syntax
3. Submits the request — application builds query with injected payload
4. Database executes the injected SQL statement
5. Attacker exfiltrates database contents via UNION-based output
   or infers data through time-based blind responses

Technical Details

Attack Surface

The follow.php file in Twitter-Clone 1 processes user follow actions. The userid parameter representing the target user is passed into a SQL query without validation:

// Vulnerable pattern (illustrative)
$userid = $_GET['userid'];
$query = "SELECT * FROM users WHERE id = $userid";

This direct interpolation allows SQL injection through both GET and POST request methods.

Exploitation Techniques

Union-Based Injection

When the application reflects query results, an attacker can use UNION SELECT to extract arbitrary data:

userid=1 UNION SELECT username,password,NULL FROM users--

Time-Based Blind Injection

When no data is reflected, timing attacks can be used to infer database content:

userid=1 AND SLEEP(5)--
userid=1 AND IF(1=1, SLEEP(5), 0)--

Database Enumeration

userid=1 UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
userid=1 UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--

Impact Assessment

Impact AreaSeverityDetails
ConfidentialityHighFull database read access
IntegrityMediumPotential data modification via stacked queries
AvailabilityLowDenial of service via heavy queries
Authentication BypassHighCredential extraction enables account takeover

Successful exploitation provides an attacker with complete read access to all database tables, which in a Twitter-Clone deployment typically includes:

  • Usernames and hashed (or plaintext) passwords
  • Email addresses
  • Private messages
  • Follow/follower relationships
  • Session tokens

Affected Versions

ProductVersionStatus
Twitter-Clone1Vulnerable — no patch available

Twitter-Clone is an open-source educational/demo project. Organizations running this software in any production capacity should treat it as critically vulnerable.


Remediation

Since Twitter-Clone is an open-source demo application with no official patch, the recommended actions are:

Option 1: Remove from Production

Twitter-Clone 1 is not production-ready software. Any internet-accessible deployment should be taken offline immediately.

Option 2: Apply Manual Fix

If continued use is required, convert the vulnerable query to use prepared statements:

// Secure replacement using PDO prepared statements
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = :userid");
$stmt->execute(['userid' => (int)$_GET['userid']]);

Option 3: Input Validation

At minimum, enforce strict integer validation on the userid parameter:

$userid = filter_input(INPUT_GET, 'userid', FILTER_VALIDATE_INT);
if ($userid === false || $userid === null) {
    die('Invalid input');
}

Detection

Web Application Logs

Look for SQL injection indicators in access logs:

grep -E "(UNION|SELECT|FROM|WHERE|SLEEP|BENCHMARK)" /var/log/apache2/access.log
grep -i "follow\.php.*userid" /var/log/apache2/access.log | grep -i "union\|select\|sleep"

WAF Rules

# ModSecurity - Block SQLi in userid parameter
SecRule ARGS:userid "@detectSQLi" \
    "id:20001,phase:2,deny,status:400,msg:'SQL Injection in userid'"

References

  • NVD — CVE-2018-25362
  • OWASP SQL Injection Prevention Cheat Sheet

Related Reading

  • CVE-2026-37431: Beauty Parlour Management System SQL
  • CVE-2026-37749: SQL Injection Auth Bypass in CodeAstro
  • CVE-2026-5637: SQL Injection in projectworlds Car Rental
#SQL Injection#CVE#Web Application#Database#PHP#High Severity

Related Articles

CVE-2026-14641: Remote SQL Injection in SourceCodester Class and Exam Timetabling System

A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to dump the full database by manipulating the ID parameter in edit_course.php. A public exploit PoC is available.

4 min read

CVE-2026-14642: Remote SQL Injection in SourceCodester Timetabling System edit_class2.php

A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to fully compromise the database via the ID parameter in edit_class2.php. A public exploit PoC has been published.

5 min read

CVE-2024-6228: WordPress WANotifier Plugin Local File Inclusion

A local file inclusion vulnerability in the WANotifier WordPress plugin (before v2.6) allows any authenticated subscriber-level user to include and execute arbitrary PHP files on the server, potentially exposing credentials and enabling full site takeover.

4 min read
Back to all Security Alerts