CVE-2018-25389: SQL Injection in HaPe PKH 1.1 Database Extraction
HaPe PKH 1.1 is vulnerable to SQL injection through the 'nama_kelompok' parameter in the lap-anggota-kelompok-pdf.php endpoint. An attacker can send a specially crafted request without authentication to execute arbitrary SQL commands, enabling extraction of sensitive database information using time-based blind techniques. This is a direct-to-database attack that bypasses application logic entirely.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'nama_kelompok' POST parameter sent to lap-anggota-kelompok-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from unsanitized user input in the 'nama_kelompok' POST parameter processed by lap-anggota-kelompok-pdf.php. The application constructs SQL queries dynamically without parameterized statements or input validation, allowing attackers to inject SQL syntax. Time-based blind SQL injection techniques enable data exfiltration even when error messages are suppressed—attackers observe query execution delays to infer database contents character by character. The attack requires no authentication or user interaction, making it accessible to any network-adjacent attacker.
Business impact
Successful exploitation allows unauthorized access to the entire HaPe PKH database, including potentially sensitive membership, financial, or administrative records depending on what data is stored. Attackers can extract, modify, or delete information without leaving obvious traces in application logs. The blind injection technique means attacks can occur over extended periods without detection by standard monitoring. Organizations relying on HaPe PKH for critical operations face data breach, regulatory compliance violations, and reputational damage. If the system manages financial transactions or personal member information, the breach impact escalates significantly.
Affected systems
HaPe PKH version 1.1 and potentially earlier versions are affected. The specific endpoint lap-anggota-kelompok-pdf.php is vulnerable; however, similar code patterns may exist elsewhere in the application. Organizations running HaPe PKH should assume the entire installation is at risk until patching is confirmed. Verify your current version against vendor advisories to determine exact exposure.
Exploitability
This vulnerability is highly exploitable. No authentication is required, no special user interaction is needed, and network access is sufficient to launch attacks. Standard SQL injection tools and time-based blind exploitation frameworks are publicly available and well-documented. A moderately skilled attacker can automate data extraction. The attack surface is large—any instance of HaPe PKH 1.1 exposed to network traffic (internal or external) is vulnerable. The blind injection technique requires patience but no defensive sophistication to bypass.
Remediation
Immediately upgrade HaPe PKH to a patched version confirmed by the vendor to address CVE-2018-25389. Apply input validation and parameterized prepared statements to all database queries, not just this endpoint. Conduct a code audit to identify similar injection points. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in POST parameters. Restrict network access to lap-anggota-kelompok-pdf.php and related administrative endpoints to trusted IP ranges. Reset database credentials and audit database access logs for unauthorized activity. Verify no sensitive data was exfiltrated before patching was in place.
Patch guidance
Contact the HaPe PKH vendor directly to obtain the latest security update. Verify the patched version explicitly addresses CVE-2018-25389. Test patches in a non-production environment first, particularly for PDF-generation functionality, to ensure no regression in report generation or other features. Apply patches promptly—do not delay due to operational convenience, as this vulnerability allows complete database compromise. If the vendor is no longer actively maintaining HaPe PKH, consider migration to an actively supported alternative. Document all patch deployment with timestamps and verification methods.
Detection guidance
Monitor for SQL injection attack patterns in HTTP request logs, particularly POST requests to lap-anggota-kelompok-pdf.php with unusual 'nama_kelompok' parameter values containing SQL syntax (e.g., single quotes, 'OR', 'UNION', 'SELECT', sleep() or similar time-delay functions). Implement database query monitoring to detect unusual SELECT, INSERT, UPDATE, or DELETE activity from the HaPe PKH application account. Watch for unusual query execution times or connection patterns—time-based blind injection often manifests as queries with abnormally long response times. Review database error logs for SQL syntax errors that may indicate attack attempts. Establish baseline performance metrics for lap-anggota-kelompok-pdf.php to identify deviations suggesting active exploitation.
Why prioritize this
This vulnerability scores HIGH (CVSS 8.2) due to network accessibility, no authentication requirement, and high confidentiality impact. The ability to extract database contents intact makes this a direct threat to any confidential or regulated data stored in HaPe PKH. While integrity impact is limited (SQL injection typically allows read access more easily than writes), the confidentiality breach is complete. The public nature of CVE details and the simplicity of SQL injection exploitation mean this will be actively targeted. Organizations should treat this as a critical priority regardless of internal risk frameworks.
Risk score, explained
The CVSS 3.1 score of 8.2 reflects: (1) Attack Vector=Network—any networked attacker can exploit remotely; (2) Attack Complexity=Low—no special conditions or user interaction required; (3) Privileges Required=None—unauthenticated exploitation; (4) User Interaction=None—pure technical attack; (5) Confidentiality Impact=High—database can be fully read; (6) Integrity Impact=Low—limited write capability from blind injection; (7) Availability Impact=None—database availability not directly threatened. The score does not account for business context (regulated data, criticality of system)—apply internal severity ratings based on your deployment's sensitivity.
Frequently asked questions
Can this vulnerability be exploited from outside our network?
Yes. If HaPe PKH is accessible over the network—whether internet-facing or within your corporate network—it can be exploited remotely. Even internal-only deployments are at risk from insider threats or lateral movement by compromised systems.
What does 'time-based blind' SQL injection mean in practical terms?
Attackers cannot see error messages or query results directly. Instead, they craft SQL injections that cause intentional delays in query execution—for example, injecting 'SLEEP(5)' wrapped in conditional logic. By observing whether responses take 5 seconds or respond immediately, they infer true/false answers about database contents, gradually extracting data.
If we patch today, could attackers already have stolen our data?
Possibly. You should assume data was compromised if this system was exposed to untrusted networks before patching. Conduct a forensic review of database access logs, replication logs, and application logs for the period the vulnerability was unpatched. Consider resetting sensitive credentials and notifying affected users if personal or financial data was accessible.
Does a WAF block this vulnerability completely?
A WAF can significantly reduce risk by blocking obvious SQL injection patterns in the 'nama_kelompok' parameter, but sophisticated attackers may bypass WAF rules through encoding or obfuscation. WAF rules should be layered with patching, not used as a substitute. Always prioritize applying the vendor patch.
This analysis is based on CVE-2018-25389 public disclosure and does not constitute legal or compliance advice. Organizations should verify patch availability and compatibility with vendor advisories before deploying updates. SEC.co makes no warranty regarding the accuracy or completeness of this information. Consult with your vendor and internal security teams to confirm exposure and remediation timelines. Unauthorized testing of systems you do not own is illegal; security testing should only be performed on systems you control or with explicit written authorization. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25398HIGHUnauthenticated SQL Injection in Open ISES Project 3.30A