CVE-2018-25406: SQL Injection Across eNdonesia Portal 8.7 Modules
Multiple SQL injection vulnerabilities originally discovered in 2018 have been formally assigned as CVE-2018-25406 with a CVSS score of 8.2 (High). The flaws reside in eNdonesia Portal version 8.7 and are closely related to CVE-2018-25405, covering additional injection points across the publisher, artikel, and info modules in mod.php.
The vulnerabilities allow unauthenticated attackers to execute arbitrary SQL queries by injecting payloads through the artid, cid, did, contid, and aboutid parameters across different module contexts, enabling cross-module database enumeration and data extraction.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2018-25406 |
| CVSS Score | 8.2 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Software | eNdonesia Portal 8.7 |
| Attack Vector | Network |
| Authentication Required | None (unauthenticated) |
| Affected Modules | publisher, artikel, info |
| NVD Published | May 30, 2026 |
| Original Flaw Discovery | 2018 |
Technical Details
Similar to CVE-2018-25405, this vulnerability involves unsanitized parameters in mod.php across the publisher, artikel, and info modules. The same parameters (artid, cid, did, contid, aboutid) are used in different query contexts within these modules, creating multiple independently exploitable injection paths.
Cross-module exploitation examples:
```
# Publisher module — article ID injection
GET /mod.php?mod=publisher&artid=1 UNION SELECT 1,username,password,4 FROM users--
# Artikel module — category injection
GET /mod.php?mod=artikel&cid=1' UNION SELECT table_name,2 FROM information_schema.tables--
# Info module — content ID injection
GET /mod.php?mod=info&contid=1 AND 1=2 UNION SELECT user(),version()--
```
The cross-module nature of this vulnerability means that even if one module is disabled or restricted, the same injection may succeed via a different module using the same underlying parameter handling code.
Attack chain:
- Identify accessible modules via module enumeration
- Test each parameter for injectable behavior using time-based or boolean-based blind SQLi
- Extract `information_schema` to enumerate tables
- Dump target tables (credentials, user data, session tokens)
Successful exploitation allows an attacker to:
- Extract credentials from the admin and user tables
- Read sensitive content including unpublished articles and private user data
- Enumerate the entire database schema across all eNdonesia modules
- Chain with other vulnerabilities — extracted admin credentials may enable further compromise
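
Because every parameter named above is a numeric ID, a request to mod.php that carries a non-numeric value in one of them is worth triaging, and the same client doing so across several modules matches the cross-module pattern described here. The following is an added example, not code from the original advisory or from eNdonesia: it assumes combined-format access logs, the sample lines are constructed, and `flag_request` and `summarize` are hypothetical names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# ID parameters named in the CVE-2018-25405 / CVE-2018-25406 descriptions.
ID_PARAMS = ("artid", "cid", "did", "contid", "aboutid")
NUMERIC = re.compile(r"[0-9]+")
# Assumed combined log format: client address first, request line in quotes.
# The lazy (.+?) keeps request targets that were sent with unencoded spaces.
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:10:00:01 +0000] "GET /mod.php?mod=publisher&artid=12 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Jun/2026:10:00:05 +0000] "GET /mod.php?mod=artikel&cid=1%27 HTTP/1.1" 200 811',
    '198.51.100.23 - - [01/Jun/2026:10:00:09 +0000] "GET /mod.php?mod=info&contid=1+AND+1=2 HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Jun/2026:10:00:12 +0000] "GET /index.php?cid=abc HTTP/1.1" 200 900',
]

def flag_request(log_line):
    """Return (client, module, {param: value}) when a mod.php ID parameter
    is not a plain integer, otherwise None."""
    match = LINE_RE.match(log_line)
    if not match:
        return None
    client, target = match.groups()
    url = urlsplit(target)
    if not url.path.endswith("/mod.php"):
        return None
    # parse_qs percent-decodes values, so encoded quotes and spaces are compared in clear.
    query = parse_qs(url.query)
    bad = {p: v for p in ID_PARAMS for v in query.get(p, []) if not NUMERIC.fullmatch(v)}
    if not bad:
        return None
    return client, query.get("mod", ["?"])[0], bad

def summarize(lines):
    """Group flagged requests by client as {client: sorted ['module:param', ...]}."""
    seen = {}
    for line in lines:
        hit = flag_request(line)
        if hit:
            client, module, bad = hit
            seen.setdefault(client, set()).update(f"{module}:{p}" for p in bad)
    return {client: sorted(pairs) for client, pairs in seen.items()}

if __name__ == "__main__":
    for client, pairs in summarize(SAMPLE_LOG).items():
        print(client, pairs)
```

Only the query string is inspected, so values sent in a POST body need application-level or WAF logging to be visible.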
Relationship to CVE-2018-25405
CVE-2018-25406 and CVE-2018-25405 both affect the same parameter handling code in mod.php of eNdonesia Portal 8.7. The distinction is the set of modules covered:
| CVE | Modules Covered |
|---|---|
| CVE-2018-25405 | download, page, about (via did, contid, aboutid) |
| CVE-2018-25406 | publisher, artikel, info (via artid, cid) |
Both CVEs carry the same CVSS 8.2 score and require the same remediation approach. Installations affected by one are almost certainly affected by both.
Context and Impact
eNdonesia Portal 8.7 is a legacy Indonesian CMS with limited deployment outside its original regional user base. The formal NVD assignment of CVE-2018-25406 alongside CVE-2018-25405 underscores the systemic nature of the SQL injection flaws: both share one root cause, the absence of parameterization across the entire mod.php dispatch layer.
Who is affected:
- Indonesian community portals, news sites, and legacy web properties running eNdonesia Portal 8.7
- Any fork or customization that retained the original `mod.php` parameter handling
Practical risk: The dual-CVE assignment for essentially the same codebase flaw highlights that a single architectural weakness (direct parameter interpolation in SQL) can generate numerous CVEs depending on enumeration granularity. Attackers need only one working injection vector to compromise the database.
Remediation
- Upgrade or migrate — update to a patched version of eNdonesia Portal or migrate to a maintained CMS
- Parameterized queries — refactor `mod.php` to use PDO prepared statements for all parameter-driven queries
- Input validation — numeric ID parameters should be strictly cast with `intval()` as a defense-in-depth measure
- Disable unused modules — reduce attack surface by disabling modules not in active use
Patching the root cause:
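```php
// Vulnerable dispatch pattern in mod.php
$cid = $_GET['cid'];
$result = mysql_query("SELECT * FROM kategori WHERE cid='$cid'");

// Secure pattern — parameterized with PDO
// ($pdo is an existing PDO connection)
$cid = (int) ($_GET['cid'] ?? 0);   // strict integer cast as defense in depth
$stmt = $pdo->prepare("SELECT * FROM kategori WHERE cid = :cid");
// bindValue binds the cast value itself; bindParam would bind $_GET['cid'] by reference
$stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
$stmt->execute();
```
Key Takeaways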
- CVE-2018-25406 is a CVSS 8.2 High SQL injection flaw in eNdonesia Portal 8.7 covering the publisher, artikel, and info modules
- Closely related to CVE-2018-25405 — both stem from the same root cause in `mod.php` and should be remediated together
- Cross-module attack surface — the same injection technique works across multiple modules, increasing exploitability
- Remediation: Upgrade, apply parameterized queries across all of `mod.php`, or migrate to a maintained CMS