© 2026 CosmicBytez Labs. All rights reserved.
CVE-2018-25411: SQL Injection in MGB OpenSource Guestbook 0.7.0.2

An unauthenticated SQL injection vulnerability in MGB OpenSource Guestbook 0.7.0.2 allows attackers to extract sensitive database contents via the 'id'...

Dylan H.

Security Team

May 31, 2026
4 min read

Affected Products

  • MGB OpenSource Guestbook 0.7.0.2

A SQL injection vulnerability originally discovered in 2018 has been formally assigned as CVE-2018-25411 with a CVSS score of 8.2 (High). The flaw resides in MGB OpenSource Guestbook version 0.7.0.2, a PHP-based web guestbook application.

The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the id parameter in the email.php script, potentially exposing sensitive database contents including user credentials, email addresses, and guestbook entries.


Vulnerability Overview

Attribute                Value
CVE ID                   CVE-2018-25411
CVSS Score               8.2 (High)
CWE Classification       CWE-89 — SQL Injection
Affected Software        MGB OpenSource Guestbook 0.7.0.2
Attack Vector            Network
Authentication Required  None (unauthenticated)
NVD Published            May 30, 2026
Original Flaw Discovery  2018

Technical Details

The vulnerability exists in email.php, where the id parameter value is passed directly into a SQL query without sanitization or use of prepared statements. An unauthenticated attacker can craft a GET request with a malicious SQL payload in the id parameter to manipulate the underlying database query.

Example attack surface:

GET /email.php?id=1 UNION SELECT 1,username,password,4,5 FROM mgb_users--

Successful exploitation can allow an attacker to:

  • Extract database contents — user accounts, email addresses, guestbook entries, administrative credentials
  • Enumerate database structure — table names, column names, schema details via information_schema
  • Read server-side files — if the database user has FILE privileges, files such as /etc/passwd or configuration files may be accessible
  • Write web shells — if INTO OUTFILE is permitted by the database user and web root is writable

Context and Impact

MGB OpenSource Guestbook is a legacy PHP guestbook application primarily used on personal websites and small community sites. Version 0.7.0.2 is an old release and active deployments in 2026 are expected to be minimal. The formal NVD publication of this 2018 flaw ensures it appears in vulnerability management databases and scanner signatures.

Who is affected:

  • Any self-hosted instances of MGB OpenSource Guestbook 0.7.0.2 accessible over the internet
  • Web hosting environments that may have bundled this guestbook software
  • Derivative forks or customizations based on the affected email.php code

Practical risk: Given the age and niche adoption of this software, active exploitation in the wild is unlikely. However, any running instance should be treated as vulnerable and either patched or decommissioned. The CVSS 8.2 High rating reflects the ease of unauthenticated exploitation and potential for data extraction.


Remediation

  1. Upgrade or decommission — update MGB OpenSource Guestbook to a patched version or replace with a maintained alternative; if the software is no longer actively maintained, decommission the installation
  2. Apply parameterized queries — any custom deployments should refactor email.php to use prepared statements
  3. Restrict database privileges — ensure the database user running the guestbook application has the minimum necessary privileges and does not have FILE or INTO OUTFILE permissions
  4. WAF protection — deploy web application firewall rules to detect and block SQL injection patterns against the affected endpoint
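The request shape described under Technical Details and the detection called for in step 4 can be checked directly against web server logs. The following is an added example written for this advisory, not code from the article or from the MGB OpenSource Guestbook project. It assumes Apache/nginx combined log format and that email.php only ever expects a numeric id; the log lines are constructed samples (the second one carries the advisory's own payload), and the endpoint and parameter names are taken from the advisory.

```python
"""Flag probable SQL injection attempts against /email.php in access logs.

Added example for this advisory; it is not code from the article or from the
MGB OpenSource Guestbook project. It assumes Apache/nginx "combined" log
format and that email.php expects a purely numeric id. The log lines are
constructed samples, not real traffic.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access log (combined format). Addresses, timestamps and
# user agents are made up; line 2 carries the advisory's own payload.
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2026:10:15:01 +0000] "GET /email.php?id=17 HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.9 - - [31/May/2026:10:15:04 +0000] "GET /email.php?id=1%20UNION%20SELECT%201,username,password,4,5%20FROM%20mgb_users-- HTTP/1.1" 200 2210 "-" "curl/8.0"
203.0.113.9 - - [31/May/2026:10:15:05 +0000] "GET /email.php?id=1+AND+1=1 HTTP/1.1" 200 1842 "-" "curl/8.0"
203.0.113.9 - - [31/May/2026:10:15:06 +0000] "GET /email.php?id=1/**/uNiOn/**/sElEcT/**/table_name,2,3,4,5/**/FROM/**/information_schema.tables HTTP/1.1" 200 3001 "-" "curl/8.0"
203.0.113.12 - - [31/May/2026:10:16:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [31/May/2026:10:16:30 +0000] "GET /email.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1842 "-" "curl/8.0"
"""

# Combined log format; the request target is matched non-greedily because a
# raw (unencoded) space inside it is otherwise logged verbatim.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Indicators matching the techniques the advisory lists (UNION-based
# extraction, information_schema enumeration, LOAD_FILE / INTO OUTFILE)
# plus the generic tautology shape. Applied to the normalized value.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "schema_enum": re.compile(r"\binformation_schema\b"),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b"),
    "file_read": re.compile(r"\bload_file\s*\("),
    "tautology": re.compile(r"\b(?:or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),
}


def analyze_id(raw_value: str):
    """Return (normalized_value, sorted list of indicator names)."""
    decoded = raw_value
    for _ in range(2):  # peel extra percent-encoding layers (double encoding)
        step = unquote_plus(decoded)
        if step == decoded:
            break
        decoded = step
    findings = []
    if re.search(r"--|#|/\*", decoded):
        findings.append("comment_terminator")
    # Drop inline /* */ comments and fold whitespace and case so that
    # spacing or case tricks do not defeat the patterns above.
    normalized = re.sub(r"/\*.*?\*/", " ", decoded)
    normalized = re.sub(r"\s+", " ", normalized).strip().lower()
    for name, pattern in SQLI_PATTERNS.items():
        if pattern.search(normalized):
            findings.append(name)
    if not re.fullmatch(r"\d+", normalized):
        findings.append("non_numeric_id")  # email.php expects an integer id
    return normalized, sorted(findings)


def scan_log(text: str, endpoint: str = "/email.php", param: str = "id"):
    """Return one alert dict per request to `endpoint` whose `param` looks injected."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match["target"])
        if parts.path != endpoint:
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            normalized, indicators = analyze_id(raw)
            if indicators:
                alerts.append({
                    "ip": match["ip"],
                    "timestamp": match["ts"],
                    "status": match["status"],
                    "id": normalized,
                    "indicators": indicators,
                })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['timestamp']} {alert['ip']} -> {alert['indicators']}: {alert['id']!r}")
```

The `non_numeric_id` indicator is the cheapest and most reliable signal for this endpoint: email.php has no legitimate reason to receive anything but an integer, so a WAF or log rule keyed on that alone catches every variant of the payload above, including ones the keyword patterns miss. The keyword indicators are there to tell a triager what the request was trying to do (extraction, schema enumeration, file access), which matters when deciding whether the 200 responses on those lines mean data actually left the database.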

Secure coding pattern:

// Vulnerable pattern: the request value is concatenated straight into the SQL text
$id = $_GET['id'];
$query = "SELECT * FROM entries WHERE id = '$id'";
$result = mysql_query($query);   // legacy ext/mysql API, removed in PHP 7

// Secure pattern — parameterized query with PDO ($pdo is an existing PDO connection)
$stmt = $pdo->prepare("SELECT * FROM entries WHERE id = ?");
$stmt->execute([$_GET['id'] ?? '']);   // the value is bound as data, never parsed as SQL
$result = $stmt->fetchAll();
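To make the difference between the two patterns concrete, here is an added example (not code from the article or from MGB OpenSource Guestbook) that runs the advisory's request value through a string-spliced query and through a bound parameter against an in-memory SQLite database. The schema (an entries table with five columns and an mgb_users table) is constructed to match the column count the advisory's payload expects; the table and column names are assumptions, not MGB's real schema.

```python
"""Why parameterized queries close the hole: the same request value run
through a string-spliced query and through a bound parameter.

Added example; it is not code from the advisory or from MGB Guestbook. It
uses an in-memory SQLite database with a constructed schema whose table and
column names are assumptions.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two guestbook entries and one user row.
    # The credential value is a placeholder, not a real hash.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE entries (id INTEGER PRIMARY KEY, name TEXT, email TEXT, msg TEXT, created TEXT);
        CREATE TABLE mgb_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO entries VALUES (1, 'alice', 'alice@example.invalid', 'hi', '2026-05-31');
        INSERT INTO entries VALUES (2, 'bob', 'bob@example.invalid', 'hello', '2026-05-31');
        INSERT INTO mgb_users VALUES (1, 'admin', 'hashed-secret-placeholder');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    # Mirrors the advisory's vulnerable pattern (and the numeric context of the
    # request shown under Technical Details): the raw parameter is spliced into
    # the SQL text, so SQL syntax in the value becomes part of the query.
    query = f"SELECT * FROM entries WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    # Mirrors the advisory's secure pattern: the value travels to the engine as
    # a bound parameter and is compared as data. A value carrying SQL syntax
    # simply matches no row. Validating that the id is an integer before the
    # query is a sensible extra check, but the binding alone removes injection.
    return conn.execute("SELECT * FROM entries WHERE id = ?", (user_id,)).fetchall()


def demo():
    # Returns (rows from the vulnerable query, rows from the safe query) for the
    # advisory's payload, so the contrast can be inspected programmatically.
    conn = make_db()
    payload = "1 UNION SELECT 1,username,password,4,5 FROM mgb_users--"
    return lookup_vulnerable(conn, payload), lookup_safe(conn, payload)


if __name__ == "__main__":
    leaked, bound = demo()
    print("string-spliced query returned:", leaked)
    print("parameterized query returned: ", bound)
```

The vulnerable call returns the requested entry plus a row lifted from mgb_users, because the UNION in the value was parsed as part of the statement; the parameterized call returns nothing, because the whole string was compared against the integer column as a single value. That is the property prepared statements guarantee regardless of how the input is encoded or obfuscated, which is why step 2 of the remediation is the durable fix and a WAF rule is only a stopgap.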

Key Takeaways

  1. CVE-2018-25411 is a CVSS 8.2 High SQL injection flaw in MGB OpenSource Guestbook 0.7.0.2, now formally catalogued in NVD
  2. Unauthenticated exploitation — no credentials required to exploit the id parameter in email.php
  3. Data extraction risk — attackers can enumerate and extract database contents including credentials
  4. Remediation: Upgrade to a patched version, use parameterized queries, or decommission the installation

Sources

  • CVE-2018-25411 — NIST NVD
