Executive Summary
CVE-2018-25391 is a high-severity missing authorization vulnerability (CVSS 7.5) in HaPe PKH 1.1, a PHP-based web application. The application's administrative record deletion endpoints — specifically within the mod_pengurus module — perform no authentication or authorization checks before deleting records from the database. An unauthenticated attacker can delete any record by crafting a simple HTTP request containing the target record's integer ID.
While this CVE was originally identified in a legacy PHP application from 2018, it has been formally published to NVD in 2026, reflecting the ongoing backlog of historical vulnerability disclosures reaching public databases. The underlying weakness — missing authorization on destructive operations — remains a frequently exploited class of vulnerability in web applications of all ages and frameworks.
Vulnerability Details
| Field | Details |
|---|---|
| CVE | CVE-2018-25391 |
| CVSS Score | 7.5 (High) |
| Type | Missing Authorization (CWE-862) |
| Application | HaPe PKH 1.1 (PHP web application) |
| Module | mod_pengurus administrative module |
| Authentication | Not required |
| Attack Vector | Network |
| Impact | Unauthenticated deletion of arbitrary database records |
Technical Analysis
Affected Endpoints
The vulnerability affects the following administrative deletion endpoints:
| Endpoint | Parameter | Function |
|---|---|---|
| admin/modul/mod_pengurus/aksi_pengurus.php | module=pengurus&act=hapus&id={id} | Delete administrator/user record |
Both endpoints accept a record identifier via the id parameter and delete the corresponding database record without verifying that the requesting user is authenticated or authorized to perform the operation.
Root Cause
The PHP source code for the deletion handlers lacks any session validation, authentication token verification, or role-based access control check. The flow is:
```text
HTTP Request → aksi_pengurus.php?act=hapus&id=1
        ↓
No authentication check
        ↓
SQL DELETE FROM pengurus WHERE id = 1
        ↓
Record permanently deleted
```
Because record IDs are typically sequential integers, an attacker can enumerate and delete all records in the targeted table without any prior knowledge of the application's data.
Impact Assessment
The lack of authentication on deletion operations enables:
- Administrator account deletion — Locking legitimate administrators out of the application
- Mass record deletion — Scripted sequential deletion of all records in affected tables
- Data integrity destruction — Permanent loss of application data without backup recovery
- Privilege escalation setup — In some implementations, deleting all admin accounts may enable creation of a new admin account with no existing competition
Context: Legacy PHP Applications
HaPe PKH is representative of a large class of PHP web applications developed in the 2010s that were built without a security-first mindset and lack modern security controls. Many such applications remain deployed on production servers, often managing sensitive administrative or institutional data.
The publication of this CVE in 2026, eight years after the original vulnerability was present, reflects the NVD's ongoing backlog of historical disclosures. For organizations still running legacy PHP applications of this generation, this advisory is a reminder to audit deletion endpoints and administrative controllers for missing authorization checks.
Common patterns in this vulnerability class include:
- PHP files that directly process `$_GET` or `$_POST` parameters without session validation
- Admin modules with no middleware or authentication decorator pattern
- Database operations triggered directly by query parameters without nonce or CSRF verification
Remediation
For HaPe PKH 1.1 Deployments
- Decommission if possible — HaPe PKH 1.1 is legacy software with no known active maintenance. If it can be replaced with a supported application, that is the recommended path.
- Apply access controls at the web server level — Restrict access to `admin/modul/` paths to known trusted IPs using `.htaccess` or nginx/Apache configuration:

```apache
# Restrict admin module access by IP (Apache 2.4 syntax).
# <Location> is only valid in the server or virtual-host configuration, not in .htaccess;
# for .htaccess, place the Require directives in admin/modul/.htaccess without the Location wrapper.
<Location "/admin/modul/">
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</Location>
```

- Add session validation to all deletion handlers if the application must remain in service:

```php
// Add to top of aksi_pengurus.php, before any database access
session_start();
if (!isset($_SESSION['admin_logged_in']) || !$_SESSION['admin_logged_in']) {
    http_response_code(403);
    exit('Access denied');
}
```

For General PHP Applications
This vulnerability class is preventable through:
- Centralized authentication middleware that enforces session validation before any administrative handler executes
- Audit of all deletion, update, and create endpoints for missing authorization checks
- CSRF token validation for all state-changing operations
- Web application firewall (WAF) rules that block access to admin paths from unauthenticated sessions
Detection
To identify instances of vulnerable HaPe PKH deployments:
```bash
# Check for the mod_pengurus module
find . -name "aksi_pengurus.php" -path "*/mod_pengurus/*"

# Test for unauthenticated deletion (safe, non-destructive: use a non-existent ID)
curl -I "http://target/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=999999"
# If response is 200 rather than 401/403, the endpoint lacks authentication
```
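The checks above find vulnerable installs; the following added example (not part of the original advisory) shows how to spot abuse of the endpoint after the fact in web server access logs. It assumes Apache "combined" log format, a constructed sample log, and two heuristics derived from the analysis above: a single source deleting a run of consecutive record IDs within a short window (scripted enumeration), and deletion requests whose Referer is not an admin page (the handler called directly, as with curl). Thresholds and the `intranet.example` host are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" access-log sample: hosts, timestamps and record IDs are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:14:01 +0000] "GET /admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=1 HTTP/1.1" 200 312 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:14:01 +0000] "GET /admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=2 HTTP/1.1" 200 312 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "GET /admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=3 HTTP/1.1" 200 312 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "GET /admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=4 HTTP/1.1" 200 312 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:14:03 +0000] "GET /admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=5 HTTP/1.1" 200 312 "-" "curl/8.5.0"
192.0.2.40 - - [10/Mar/2026:09:20:45 +0000] "GET /admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=17 HTTP/1.1" 200 312 "http://intranet.example/admin/modul/mod_pengurus/pengurus.php" "Mozilla/5.0"
192.0.2.40 - - [10/Mar/2026:09:21:02 +0000] "GET /admin/modul/mod_pengurus/pengurus.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse_deletions(log_text):
    """Return (ip, timestamp, record_id, referer) for every act=hapus call to aksi_pengurus.php."""
    events = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        url = urlsplit(m["url"])
        qs = parse_qs(url.query)
        if not url.path.endswith("/mod_pengurus/aksi_pengurus.php") or qs.get("act") != ["hapus"]:
            continue
        rid = qs.get("id", [""])[0]
        if rid.isdigit():  # the vulnerable handler only acts on an integer id
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["ip"], ts, int(rid), m["referer"]))
    return events

def flag_enumeration(events, min_ids=5, window_s=60):
    """{ip: ids} for sources that delete >= min_ids consecutive record IDs within window_s seconds.
    A human admin removes one record from the UI; a script walking sequential IDs looks like this."""
    by_ip = defaultdict(list)
    for ip, ts, rid, _ in events:
        by_ip[ip].append((ts, rid))
    alerts = {}
    for ip, hits in by_ip.items():
        ids = sorted({rid for _, rid in hits})
        span = (max(hits)[0] - min(hits)[0]).total_seconds()
        if len(ids) >= min_ids and span <= window_s and ids == list(range(ids[0], ids[0] + len(ids))):
            alerts[ip] = ids
    return alerts

def flag_direct_hits(events):
    """Deletions whose Referer is not an admin page: the handler was called directly, not from the UI."""
    return [(ip, rid) for ip, _, rid, referer in events if "/admin/modul/" not in referer]
```

Referer is client-controlled, so the direct-hit heuristic catches naive tooling rather than a careful adversary; the consecutive-ID pattern is the more robust signal and also tells you which records to restore from backup.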