ChurchCRM Time-Based Blind SQL Injection Vulnerability in EditEventTypes Functionality

Vulnerability

A time-based blind SQL injection vulnerability has been identified in ChurchCRM versions through 5.13.0. This vulnerability allows attackers to execute arbitrary SQL queries by exploiting the EditEventTypes functionality. The issue arises because the newCountName parameter is concatenated into an SQL query without proper sanitization, enabling manipulation of database queries. This could lead to unauthorized data exfiltration, modification, or deletion.

Impact

Exploitation of this vulnerability allows arbitrary SQL command execution, which could result in data exfiltration, unauthorized data modification or deletion, and potentially remote code execution, depending on the database configuration.

Reproduction

To reproduce this vulnerability, navigate to the EditEventTypes.php endpoint. Intercept the request using a tool like Burp Suite or manually craft a POST request. Modify the newCountName parameter to include a crafted SQL injection payload that exploits the time-based blind SQL injection vulnerability. Send the request and observe the response time delay, which indicates successful exploitation.

Remediation

To address this vulnerability, ChurchCRM should implement prepared statements or parameterized queries to prevent SQL injection. Input validation should be applied to reject dangerous characters, and the principle of least privilege should be enforced for database users to limit potential damage from SQL injection attacks.
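The following is an added illustration of the remediation described above, not ChurchCRM's own code: a hypothetical handler that concatenates the newCountName field into an INSERT (the pattern the advisory describes) beside a hardened version that binds the value as a parameter and validates it against an allow-list. The table name event_type_count, its columns, the EventTypeID field and the mysqli connection variable $db are all assumptions for the example.

```php
<?php
// Added example, not ChurchCRM code. Assumes a hypothetical table
// event_type_count(event_type_id INT, count_name VARCHAR(64)) and an
// already-open mysqli connection in $db.

// Vulnerable pattern: the request value is spliced into the SQL text, so any
// quote or operator inside it changes the statement the database executes.
function insertCountNameUnsafe(mysqli $db, int $eventTypeId, string $newCountName): bool
{
    $sql = "INSERT INTO event_type_count (event_type_id, count_name) "
         . "VALUES ($eventTypeId, '" . $newCountName . "')";
    return $db->query($sql) !== false;
}

// Allow-list validation: letters, digits, spaces and a little punctuation,
// bounded in length. Rejecting rather than stripping keeps behaviour predictable.
function isValidCountName(string $name): bool
{
    return strlen($name) <= 64 && preg_match('/^[A-Za-z0-9 _.-]+$/', $name) === 1;
}

// Hardened form: the value travels as a bound parameter and is never part of
// the SQL string, so the statement's structure cannot be altered by input.
function insertCountNameSafe(mysqli $db, int $eventTypeId, string $newCountName): bool
{
    if (!isValidCountName($newCountName)) {
        return false;
    }
    $stmt = $db->prepare(
        "INSERT INTO event_type_count (event_type_id, count_name) VALUES (?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('is', $eventTypeId, $newCountName);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling (hypothetical field names): read inputs explicitly, fail
// closed when they are missing or malformed, and use only the safe path.
$newCountName = filter_input(INPUT_POST, 'newCountName', FILTER_UNSAFE_RAW);
$eventTypeId  = filter_input(INPUT_POST, 'EventTypeID', FILTER_VALIDATE_INT);

if ($newCountName === null || $eventTypeId === null || $eventTypeId === false) {
    http_response_code(400);
    exit('Missing or invalid parameters');
}

if (!insertCountNameSafe($db, $eventTypeId, $newCountName)) {
    http_response_code(400);
    exit('Count name rejected or not saved');
}
```

The unsafe function is shown only so the contrast is visible; an application should have no code path that builds SQL from request data. The third measure in the Remediation section, least privilege, sits outside this snippet: the MySQL account the application connects with should hold only the DML privileges the pages actually need, so that even a successful injection cannot read other schemas, write files, or alter structure.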

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.5
urgency: 10.0
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.