CVE-2018-25405: Multiple SQL Injections in eNdonesia Portal 8.7

Multiple unauthenticated SQL injection vulnerabilities in eNdonesia Portal 8.7 allow attackers to extract sensitive database contents via the artid, cid,...

Dylan H.

Security Team

May 31, 2026

Affected Products

  • eNdonesia Portal 8.7


Multiple SQL injection vulnerabilities originally discovered in 2018 have been formally assigned as CVE-2018-25405 with a CVSS score of 8.2 (High). The flaws reside in eNdonesia Portal version 8.7, an open-source PHP-based content management system.

The vulnerabilities allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through several parameters of the mod.php script — specifically artid, cid, did, contid, and aboutid — enabling extraction of sensitive database contents across multiple content modules.


Vulnerability Overview

| Attribute | Value |
|---|---|
| CVE ID | CVE-2018-25405 |
| CVSS Score | 8.2 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Software | eNdonesia Portal 8.7 |
| Attack Vector | Network |
| Authentication Required | None (unauthenticated) |
| Affected Parameters | artid, cid, did, contid, aboutid |
| NVD Published | May 30, 2026 |
| Original Flaw Discovery | 2018 |

Technical Details

The vulnerability exists across multiple request handlers in mod.php. Each of the affected parameters is passed directly into SQL queries without sanitization or prepared statements. This creates a wide attack surface, as multiple independent injection points are available across different content modules.

Affected parameters and example attack vectors:

# Article ID injection
GET /mod.php?mod=publisher&artid=1 UNION SELECT 1,username,password FROM admin_users--

# Category ID injection
GET /mod.php?mod=artikel&cid=1' AND SLEEP(5)--

# Download ID injection
GET /mod.php?mod=download&did=1 UNION SELECT table_name,2,3 FROM information_schema.tables--

# Content ID injection
GET /mod.php?mod=page&contid=1' OR '1'='1

# About ID injection
GET /mod.php?mod=about&aboutid=1 UNION SELECT user(),version(),3--

Successful exploitation can allow an attacker to:

  • Extract database contents — administrative credentials, user data, site content
  • Enumerate the full database schema — all tables and columns via information_schema
  • Determine the database version and user — useful for further exploitation planning
  • Potentially write files — if the database user has FILE privileges and the web root is writable

Context and Impact

eNdonesia Portal is an Indonesian open-source CMS that was popular among Indonesian web developers in the 2000s and 2010s. Version 8.7 is a legacy release, and active deployments in 2026 are limited primarily to older Indonesian community sites and legacy web hosting environments. The formal NVD cataloguing of this 2018 flaw ensures it appears in modern vulnerability scanners.

Who is affected:

  • Self-hosted instances of eNdonesia Portal 8.7 accessible over the internet
  • Legacy Indonesian community and news portals still running the affected version
  • Any forks or customizations incorporating the vulnerable mod.php parameter handling

Practical risk: The breadth of the attack surface — five distinct injection parameters across multiple modules — increases the likelihood that at least one parameter is accessible in any given deployment configuration. Even if some modules are disabled, others may remain exploitable.


Remediation

  1. Upgrade or migrate — update eNdonesia Portal to a patched version, or migrate to an actively maintained CMS
  2. Apply parameterized queries — refactor all affected parameter handling in mod.php to use prepared statements
  3. Input validation — enforce strict integer validation on ID parameters (e.g., intval()) before use in queries
  4. Web application firewall — deploy WAF rules to detect SQL injection patterns in the affected parameters

Secure coding pattern:

// Vulnerable pattern
$artid = $_GET['artid'];
$query = "SELECT * FROM articles WHERE id = '$artid'";
 
// Secure pattern — parameterized query
$stmt = $pdo->prepare("SELECT * FROM articles WHERE id = :artid");
$stmt->bindParam(':artid', $_GET['artid'], PDO::PARAM_INT);
$stmt->execute();
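
A log-review check for the detection step in the remediation list, as an added example (not code from eNdonesia Portal or from the original article): it flags mod.php requests whose artid, cid, did, contid or aboutid value is not a plain integer after URL decoding. The common/combined access log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The five mod.php parameters the advisory lists for CVE-2018-25405.
ID_PARAMS = {"artid", "cid", "did", "contid", "aboutid"}
STRICT_INT = re.compile(r"[0-9]{1,10}")  # ASCII digits only, bounded length
# Client IP and request target from a common/combined-format access log line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>.+?) HTTP/[0-9.]+"')

def suspicious_params(target):
    """Return (name, decoded value) pairs for ID parameters that are not plain integers."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/mod.php"):
        return []
    hits = []
    # parse_qsl percent-decodes once, so values are compared as the application receives them.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        base = name.split("[", 1)[0]  # PHP turns artid[]=x into an array named artid
        if base in ID_PARAMS and (base != name or not STRICT_INT.fullmatch(value)):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return one finding per offending parameter, with log line number and client IP."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.match(line)
        if not match:
            continue
        for name, value in suspicious_params(match.group("target")):
            findings.append({"line": lineno, "ip": match.group("ip"), "param": name, "value": value})
    return findings

# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.10 - - [31/May/2026:10:00:01 +0000] "GET /mod.php?mod=publisher&artid=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/May/2026:10:00:05 +0000] "GET /mod.php?mod=artikel&cid=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 310',
    "198.51.100.7 - - [31/May/2026:10:00:09 +0000] \"GET /mod.php?mod=page&contid=1' OR '1'='1 HTTP/1.1\" 200 9001",
    '203.0.113.10 - - [31/May/2026:10:00:12 +0000] "GET /mod.php?mod=about&aboutid=%31 HTTP/1.1" 200 2048',
    '192.0.2.33 - - [31/May/2026:10:00:20 +0000] "GET /mod.php?mod=download&did[]=1 HTTP/1.1" 500 0',
    '192.0.2.33 - - [31/May/2026:10:00:21 +0000] "GET /index.php?artid=x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} sent {f['param']}={f['value']!r}")
```

Because every affected parameter is an ID, an allowlist of digits catches encoded and array-style variants that a keyword blocklist would miss; the same rule can be expressed as a positive-match WAF rule on these five parameters.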

Key Takeaways

  1. CVE-2018-25405 is a CVSS 8.2 High multi-parameter SQL injection flaw in eNdonesia Portal 8.7, now formally catalogued in NVD
  2. Five injection points — artid, cid, did, contid, and aboutid parameters in mod.php are all affected
  3. No authentication required — all parameters are exploitable by unauthenticated attackers
  4. Remediation: Upgrade, apply parameterized queries, or migrate to a maintained CMS

Sources

  • CVE-2018-25405 — NIST NVD