CVE-2018-25176 in Alive Parish

Summary

by MITRE • 03/06/2026

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution.


Analysis

by VulDB Data Team • 03/06/2026

The vulnerability identified as CVE-2018-25176 affects Alive Parish version 2.0.4 and represents a critical security flaw that combines SQL injection and arbitrary file upload. The SQL injection exists in the application's search endpoint, where the key parameter is not properly sanitized, creating an exploitable entry point for malicious actors. The flaw allows unauthenticated attackers to bypass authentication mechanisms and interact directly with the underlying database through crafted SQL queries. It is particularly concerning because exploitation requires no valid credentials or session tokens, making it accessible to anyone who can reach the affected web application.

The vulnerability stems from inadequate input validation and sanitization in the application's backend processing logic. When the key parameter is submitted through the search endpoint, the application fails to properly escape or filter special SQL characters and commands, allowing attackers to inject malicious SQL payloads. This weakness maps directly to CWE-89, which categorizes SQL injection vulnerabilities as a fundamental flaw in input validation and data handling. The vulnerability is further exacerbated by file upload functionality that lacks proper file type validation and sanitization, creating a secondary attack vector for remote code execution. The person photo upload functionality writes to the images/uploaded directory, suggesting that the application does not properly validate file extensions or content types during the upload process.

The operational impact of this vulnerability is severe and multifaceted, providing attackers with comprehensive access to the affected system. Successful exploitation enables attackers to execute arbitrary SQL commands against the database, potentially allowing them to extract sensitive information, modify or delete data, and gain insights into the application's internal structure and user base. The remote code execution capability through file uploads significantly amplifies the threat level, as attackers can upload malicious scripts or binaries that execute within the application's context. This dual attack vector creates a particularly dangerous scenario where attackers can first gather intelligence through SQL injection and then establish persistent access through file upload exploitation, aligning with ATT&CK technique T1078 for valid accounts and T1059 for command and script injection. The vulnerability affects the confidentiality, integrity, and availability of the system's data and services, potentially leading to complete system compromise.

Mitigation strategies for this vulnerability must address both the SQL injection and file upload flaws through comprehensive defensive measures. The primary remediation involves implementing proper input validation and parameterized queries to prevent SQL injection attacks, ensuring that all user-supplied data is properly escaped or parameterized before database interaction. The application should employ prepared statements and stored procedures to eliminate the risk of malicious SQL code execution. Additionally, the file upload functionality requires strict validation of file types, sizes, and content through multiple layers of checks including extension filtering, MIME type verification, and content analysis. Files should be stored in non-executable directories with proper access controls, and uploaded files should be renamed to prevent path traversal attacks. Security headers should be implemented to prevent direct execution of uploaded files, and the application should be configured to scan uploaded content for malicious code patterns. These measures align with ATT&CK mitigations for T1078 and T1059 by implementing proper access controls and input validation to prevent unauthorized system access and command execution.
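The two mitigations above can be sketched as follows. This is an added example, not Alive Parish code: it uses Python with an in-memory SQLite database to stay self-contained, and the `person` table, the function names, and the size limit are all assumptions.

```python
import secrets
import sqlite3

# Hypothetical limits and types: the page does not describe the application's own.
MAX_PHOTO_BYTES = 2 * 1024 * 1024
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}


def search_people(conn, key):
    """Search by name with the user-supplied key bound as data, never as SQL."""
    # Escape LIKE wildcards so the key is matched literally.
    literal = key.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT id, name FROM person WHERE name LIKE ? ESCAPE '\\'",
        (f"%{literal}%",),
    )
    return rows.fetchall()


def safe_photo_name(data):
    """Return a server-generated filename for an accepted photo, else None."""
    if not data or len(data) > MAX_PHOTO_BYTES:
        return None
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            # The client-supplied name and extension are discarded entirely,
            # so the stored extension always comes from the allowlist.
            return secrets.token_hex(16) + ext
    return None


def demo_db():
    """Constructed sample data for the example (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO person (name) VALUES (?)",
                     [("Alice Smith",), ("Bob Jones",)])
    return conn
```

A signature check alone does not rule out files that are valid images and also contain script content, which is why the server-chosen extension and a non-executable upload directory remain necessary alongside it.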

Responsible

VulnCheck

Reservation

03/06/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00079

KEV

no

Activities

very low
