SQL injection bypasses eDirectory admin auth, exposes PHP files
TL;DR — A union-based SQL injection in eDirectory’s login flow can bypass admin authentication and then be chained into arbitrary PHP file reads via language_file.php, with a public Exploit-DB reference.
What happened
eDirectory is an “online directory software” platform used to build and run listing-style websites (business listings, classifieds, events, etc.).
CVE-2019-25675 describes multiple SQL injection vulnerabilities that allow an unauthenticated attacker to bypass administrator authentication by injecting SQL into parameters. The CVE states attackers can exploit the key parameter in the login endpoint with union-based SQL injection to authenticate as an administrator, and then leverage an authenticated file disclosure path in language_file.php to read arbitrary PHP files from the server.
Operationally, this is a high-risk webapp pattern: unauthenticated SQLi that yields admin access frequently collapses the rest of the application’s trust boundaries, and the CVE’s reference to a public Exploit-DB entry increases the likelihood of opportunistic scanning and exploitation once defenders’ vulnerability feeds pick it up.
Who is impacted
- Self-hosted deployments of `eDirectory` that expose the login endpoint to untrusted networks.
- Version scope is ambiguous across the same publication set (title vs affected list vs advisory summary).
| Item | Source value |
|---|---|
| CVE title | eDirectory All Versions SQL Injection Authentication Bypass |
| CVE affected versions list | 1.0 (status: affected) |
| VulnCheck advisory “Affecting” | eDirectory <= 1.0 |
| Attack precondition | Unauthenticated (PR:N, UI:N) |
| Severity | CVSS v4.0 8.8 (High); CVSS v3.1 8.2 (High) |
| Public exploit reference | ExploitDB-46423 |
| Public disclosure date (per CVE) | 2019-02-19 |
| CVE publish date | 2026-04-05 |
What to do now
- Follow vendor remediation guidance for your deployed `eDirectory` version (the CVE record does not list a fixed version).
- Inventory where `eDirectory` is deployed (web roots, containers, SBOM/SCA results) and determine whether your instance matches the affected scope noted above (treat “all versions” vs `1.0` / `<= 1.0` as a triage flag, not a safe assumption).
- Reduce exposure while you validate patch status and reachability:
  - Restrict access to the admin/login surface (network ACLs, VPN-only access, authenticated gateway) where feasible.
  - Add monitoring for anomalous login requests and SQLi-like payloads against the login endpoint, especially those involving a `key` parameter.
- If compromise is suspected, treat this as an app compromise likely to include credential/session exposure:
  - Preserve webserver/app logs and review them for suspicious admin sessions and requests to `language_file.php`.
  - Rotate credentials and secrets reachable by the `eDirectory` runtime (database passwords, SMTP creds, API keys).
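The monitoring and log-review steps above can be started with a small triage script. The following is an added example written for this advisory, not code from the CVE record or from the eDirectory project. It assumes Apache/nginx combined-format access logs, assumes the login and file-disclosure endpoints live at paths ending in `/login.php` and `/language_file.php` (adjust to your web root), and uses generic SQL-injection indicators tuned to the union-based technique the CVE describes. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumed endpoint locations (not taken from the advisory); adjust to your deployment.
LOGIN_PATH_SUFFIX = "/login.php"
FILE_DISCLOSURE_SUFFIX = "/language_file.php"
WATCHED_PARAM = "key"  # the parameter named in the CVE description

# Generic SQL-injection indicators. Dict order determines the order of reported hits.
SQLI_INDICATORS = {
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I),
    "quote_boolean": re.compile(r"'\s*(?:or|and)\b", re.I),
    "comment_trailer": re.compile(r"(?:--|#|/\*)"),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes once; decode again so double-encoded payloads are not missed.
    rec["params"] = {
        k: [unquote_plus(v) for v in vs]
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def sqli_indicators(value):
    """Names of the indicator patterns that match a decoded parameter value."""
    return [name for name, pat in SQLI_INDICATORS.items() if pat.search(value)]


def classify(rec):
    """Return (rule, detail) when a parsed record matches a watched pattern, else None."""
    path = rec["path"].lower()
    if path.endswith(FILE_DISCLOSURE_SUFFIX):
        # Any access is worth review: the CVE pairs this file with the post-auth file read.
        return ("language_file_access", f"{rec['method']} {rec['path']} -> {rec['status']}")
    if path.endswith(LOGIN_PATH_SUFFIX):
        for value in rec["params"].get(WATCHED_PARAM, []):
            hits = sqli_indicators(value)
            if hits:
                return ("login_key_sqli", f"{WATCHED_PARAM}={value!r} matched {hits}")
    return None


def triage(lines):
    """Run classify() over raw log lines and collect findings with source IP and timestamp."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "rule": hit[0], "detail": hit[1]})
    return findings


# Constructed sample log lines (not real traffic): a benign login, a union-style probe,
# a language_file.php request, unrelated traffic, a double-encoded probe, and a malformed line.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/Feb/2019:10:00:01 +0000] "GET /admin/login.php?key=abc123 HTTP/1.1" 200 512',
    '203.0.113.10 - - [19/Feb/2019:10:00:05 +0000] "GET /admin/login.php?key=x%27%20union%20select%201--%20 HTTP/1.1" 302 0',
    '203.0.113.10 - - [19/Feb/2019:10:00:09 +0000] "GET /admin/language_file.php HTTP/1.1" 200 4096',
    '198.51.100.7 - - [19/Feb/2019:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [19/Feb/2019:10:01:30 +0000] "GET /admin/login.php?key=1%2527%2520or%2520%25271%2527%253D%25271 HTTP/1.1" 200 512',
    "this is not a log line",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['rule']}: {f['detail']}")
```

Two caveats when running this against real logs: access logs only carry the query string, so a `key` value submitted in a POST body is invisible here and needs application or WAF logging to be seen; and the indicator patterns are deliberately broad, so expect to tune them and to correlate `language_file.php` hits with the session that preceded them rather than treating every match as a confirmed compromise.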
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
