In early 2024, a security advisory caught the web application world’s attention: Subrion CMS 4.2.1 allegedly contained a serious SQL Injection vulnerability in its ia.core.mysqli.php file (CVE-2024-25400). SQL Injection vulnerabilities are dangerous, often leading to full database compromise.

But soon after, several experts and reverse engineers stepped in—disputing the original claim. Let’s untangle what’s going on with CVE-2024-25400, dissect the technical claims, check the real risk, and offer guidance if you’re hosting a Subrion CMS-powered site.

What Was Reported?

The original report described a classic SQL Injection vector in the ia.core.mysqli.php file of Subrion CMS 4.2.1. The claim said:

- Exploitation could lead to data leakage or modification.
- The "vulnerable method" in question was reportedly processing external GET or POST input and using it in a database query without proper sanitization.

Example Payload (from the original advisory)

GET /includes/core/ia.core.mysqli.php?id=1' OR '1'='1

Allegedly, the attacker could pass a crafted id parameter to the PHP file, leading to an injected SQL query.

Looking at the Code: ia.core.mysqli.php

Let’s open the actual file on GitHub or in a Subrion CMS 4.2.1 release. Here’s what we find (excerpt):

<?php

class iaMySQLi
{
    public function query($sql)
    {
        // .. execute $sql
    }

    // Other database wrapper methods
}
?>

The file only declares a class and some methods:

- No code executes when you access the file directly (no $_GET, $_POST, or similar input handling).
- No standalone wiring to HTTP requests.

So, how does an HTTP GET to this file trigger a database operation? The answer: It doesn’t.

Multiple sources have challenged the original reporting

- MITRE’s CVE page (CVE-2024-25400) shows the dispute.
- Debian Security Tracker lists the issue as disputed.
- Public analysis on security forums and bug trackers (e.g., Exploit-DB and Open Bug Bounty) reveals no working proof-of-concept.

Key Points of Dispute

1. No code runs on HTTP access: Visiting this PHP file in a browser does nothing—it only declares the iaMySQLi class.
2. No id parameter, no vulnerable method: The file by itself never reads HTTP input, nor does it directly use that input in a SQL query.
3. No affected endpoint identified: A real exploit would require a different file (like a dynamic page or admin handler) loading user input unsafely.
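A quick way to check the three points above against a source file is to look for the two ingredients an injection needs: a read from a request superglobal and SQL text assembled from a variable. The script below is an added triage helper written for this article; it is not Subrion code and not part of the advisory. It runs a line-by-line regex heuristic over two constructed excerpts, one mirroring the class-only shape of ia.core.mysqli.php and one mirroring the hypothetical vulnerable page described later. A clean result does not prove a file is safe; it only shows the file is not where the injection would happen.

```php
<?php
// Added triage helper (not part of Subrion or the advisory): flags request
// superglobal reads and SQL strings that interpolate a variable. Heuristic only.

function findInjectionIngredients(string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $index => $line) {
        $lineNo = $index + 1;
        // Ingredient 1: untrusted input read straight from the request.
        if (preg_match('/\$_(GET|POST|REQUEST|COOKIE)\b/', $line, $m)) {
            $findings[] = ['line' => $lineNo, 'kind' => 'request-input', 'detail' => '$_' . $m[1]];
        }
        // Ingredient 2: a double-quoted string holding an SQL keyword and an interpolated $variable.
        if (preg_match('/"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*\$\w+[^"]*"/i', $line, $m)) {
            $findings[] = ['line' => $lineNo, 'kind' => 'sql-interpolation', 'detail' => strtoupper($m[1])];
        }
    }
    return $findings;
}

// Constructed excerpt with the class-only shape of ia.core.mysqli.php.
$classOnly = <<<'PHP'
<?php
class iaMySQLi
{
    public function query($sql)
    {
        // .. execute $sql
    }
}
PHP;

// Constructed excerpt of the hypothetical vulnerable_page.php from the article.
$vulnerablePage = <<<'PHP'
<?php
$id = $_GET['id'];
$sql = "SELECT * FROM table WHERE id = '$id'";
$mysqli->query($sql);
PHP;

$samples = [
    'ia.core.mysqli.php (excerpt)'       => $classOnly,
    'vulnerable_page.php (hypothetical)' => $vulnerablePage,
];

foreach ($samples as $name => $source) {
    $hits = findInjectionIngredients($source);
    echo $name, ': ', $hits ? count($hits) . ' finding(s)' : 'no request input, no SQL interpolation', "\n";
    foreach ($hits as $hit) {
        printf("  line %d  %-18s %s\n", $hit['line'], $hit['kind'], $hit['detail']);
    }
}
```

Run it with the PHP CLI (`php triage.php`, assuming that file name). The class-only excerpt produces no findings, while the hypothetical page is flagged on both the `$_GET` read and the interpolated `SELECT`. The same function can be pointed at a real file with `file_get_contents()` when auditing custom scripts that wrap the iaMySQLi class.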

Not Present

// Example of what would be vulnerable, but is NOT present
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id='$id'";
$this->query($sql);

Actual

// Only a class definition, not accessible by HTTP
class iaMySQLi { /* ... */ }

If the vulnerability existed, a working exploit might look something like this:

GET /vulnerable_page.php?id=1%27%20OR%20%271%27=%271

And the vulnerable code in vulnerable_page.php:

$id = $_GET['id'];
$sql = "SELECT * FROM table WHERE id = '$id'";
$mysqli->query($sql);

But none of this logic is in ia.core.mysqli.php.
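For contrast with the hypothetical vulnerable_page.php pattern above, here is the same lookup done unsafely and safely side by side, as an added example that is not Subrion code. To keep it runnable offline it uses PDO with an in-memory SQLite database (it assumes the pdo_sqlite extension is loaded) rather than Subrion's mysqli wrapper; the principle is identical in mysqli: bind the value, never splice it into the SQL text.

```php
<?php
// Added example (not Subrion code): interpolated SQL versus a bound parameter,
// demonstrated against an in-memory SQLite database so it runs without MySQL.
// Assumes PHP with the pdo_sqlite extension.

function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// Vulnerable form: the untrusted value becomes part of the SQL text itself.
function lookupUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT name FROM users WHERE id = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the value travels as a bound parameter and is never parsed as SQL.
function lookupSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = buildSampleDb();
$payload = "1' OR '1'='1";   // the advisory's example payload, URL-decoded

printf("unsafe lookup:        %s\n", implode(',', lookupUnsafe($db, $payload)));
printf("safe lookup:          %s\n", implode(',', lookupSafe($db, $payload)));
printf("safe lookup, id=2:    %s\n", implode(',', lookupSafe($db, '2')));
```

With the interpolated query the payload turns the WHERE clause into `id = '1' OR '1'='1'` and every row comes back; with the prepared statement the whole string is compared as a single value, matches nothing, and a legitimate id still works. An additional cheap defence for numeric identifiers is to cast (`(int) $_GET['id']`) before the value reaches any query at all.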

Takeaway: Is Subrion CMS 4.2.1 at Risk?

- If you only use Subrion CMS 4.2.1 as packaged, and don’t use some custom, publicly unknown file, this CVE likely does not affect you.
- You should always keep Subrion and all plugins up-to-date.
- Review third-party code—the real-world risk comes from custom scripts added by admins which might improperly use the iaMySQLi class.

References and Further Reading

- CVE-2024-25400 at MITRE
- Debian Security Tracker: CVE-2024-25400
- Subrion CMS GitHub repository
- Exploit-DB
- Open Bug Bounty

Summary

CVE-2024-25400 was reported as a SQL Injection in Subrion’s ia.core.mysqli.php, but there’s no evidence that this file alone is exploitable. The original report likely misunderstood the program structure, mistaking a simple class definition for a dynamic endpoint. The vulnerability is marked “DISPUTED” for good reason.

Bottom line: No urgent patching is needed for this file, but always follow general security hygiene—keep your CMS and plugins up-to-date, audit third-party code, and follow secure development practices.

Timeline

Published on: 02/27/2024 16:15:46 UTC
Last modified on: 05/23/2025 15:40:19 UTC