CVE-2025-57423: Critical SQL Injection in MyClub

A critical SQL injection vulnerability (CVE-2025-57423) discovered in MyClub 0.5 allowed unauthenticated attackers to compromise entire databases through a simple GET request. Thanks to responsible disclosure by William Fieldhouse of Aardwolf Security and the vendor’s swift response, the vulnerability has been patched.

The Vulnerability at a Glance

What Made CVE-2025-57423 So Dangerous?

CVE-2025-57423 exploited six unsanitised GET parameters on the /articles endpoint:

• PersonName
• GroupName
• Content
• title
• lastUpdate
• pool

Zero barriers to exploitation:

• ❌ No authentication needed
• ❌ No user interaction required
• ❌ Low technical complexity
• ✅ Remote exploitation possible

How the Attack Worked

Discovery Phase

A single quote in the PersonName parameter immediately exposed the vulnerability:

GET /articles/?PersonName='

Response revealed everything:

<h1>500</h1><h2>Internal error: SQLSTATE[HY000]: General error: 
1 unrecognized token: "'"
GROUP BY Article.Id
ORDER BY Article.LastUpdate DESC)" 
in file /home/myclub/www/app/controllers/TableController.php at line 21

This error disclosed:

• ✓ SQL query structure
• ✓ File paths and line numbers
• ✓ Database engine (SQLite)
• ✓ Confirmation of SQL injection

Exploitation Confirmed

Adding a second quote bypassed the error:

GET /articles/?PersonName=''

The application returned normally, confirming attackers could inject arbitrary SQL commands.

Complete Database Compromise

Using sql injection queries, researchers extracted the entire schema revealing 28 sensitive tables:

Person | Authorization | Group | Settings | Message
Article | Event | Survey | Contact | Alert
...and 19 more tables containing club data

Real-World Impact

Exploitation of CVE-2025-57423 enabled attackers to:

Steal Everything: Access all 28 database tables including user credentials, messages, and authorization data
Modify Data: Insert, update, or delete any records
Escalate Privileges: Grant themselves admin access
Cause Outages: Execute DoS attacks against the database
System Access: Potentially execute OS commands in misconfigured environments

Vulnerable Parameters

Every parameter on /articles was exploitable:

The Good News: Swift Response

The vendor demonstrated exemplary security practices:

✅ Acknowledged immediately after disclosure
✅ Patches released quickly to GitHub
✅ Transparent communication throughout the process

Patch commits:

• f067bb6
• 5741f39

Immediate Actions Required

If you’re running MyClub 0.5:

1. Update NOW – Apply patches immediately
2. Check logs – Search for suspicious activity:
   • Single quotes in GET parameters
   • SQL keywords (UNION, SELECT, OR, AND)
   • Unusual error messages
3. Deploy WAF rules – Block SQL injection patterns
4. Audit database – Review for unauthorized changes

Comprehensive Web Application Penetration Testing

Professional web application penetration testing can provide assurance for your application’s security posture, including:

• SQL Injection Testing – Exactly what uncovered CVE-2025-57423
• Cross-Site Scripting (XSS) – Client-side code injection vulnerabilities
• Authentication & Authorization Flaws – Broken access controls and privilege escalation
• Business Logic Testing – Application-specific vulnerability assessment
• API Security – REST, SOAP, and GraphQL endpoint testing
• Session Management – Cookie security and session handling review

Aardwolf Security’s comprehensive testing methodology combines automated scanning with manual expert analysis to identify vulnerabilities that automated tools alone might miss, like the nuanced input validation issues that led to CVE-2025-57423.

Resources

• CVE: CVE-2025-57423
• Issue: GitHub Issue #2
• Patches: See commits above
• OWASP Guide: SQL Injection Prevention

Credit

Discovered by: William Fieldhouse, Aardwolf Security