ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 5.13.0
A time-based blind SQL injection vulnerability has been identified in ChurchCRM versions through 5.13.0. The issue resides in the EditEventAttendees.php file, specifically in the EN_tyid parameter, which is concatenated directly into an SQL query without adequate sanitization. Exploiting this vulnerability requires administrator permissions. An attacker holding that role can introduce malicious SQL commands and, because the injection is time-based, infer database contents from response delays, potentially leading to unauthorized data access or manipulation.
Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker manipulates SQL queries to introduce delays whose presence confirms that the injected SQL executed. This can be used to infer information about the database one condition at a time, with the possibility of retrieving sensitive data. Such SQL injection vulnerabilities could also be leveraged to modify or delete database records. The time-based aspect could additionally be abused to create a denial-of-service condition by causing intentional delays in database responses.
To reproduce this vulnerability, navigate to the EventEditor.php page with administrator access. Intercept the request using a web application testing tool like Burp Suite. In the POST request, modify the EN_tyid parameter to include a payload that exploits the SQL injection vulnerability, such as a crafted SQL statement that uses the SQL 'SLEEP()' function to create a delay in the response. After sending the modified request, observe the response time for the delay, which indicates successful exploitation.
To address this vulnerability, ChurchCRM should implement prepared statements or parameterized queries to prevent SQL injection. Additionally, input validation should be enforced to ensure only expected and valid data is accepted. Reviewing and restricting database permissions for application users can further mitigate the risk of exploitation.
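As an added illustration of the remediation described above (this is not ChurchCRM's own code; the table and column names and the function names are hypothetical), the following PHP contrasts the string-concatenation pattern that makes a parameter like EN_tyid injectable with the same lookup done through a PDO prepared statement and integer validation:

```php
<?php
// Added example, not ChurchCRM code. Table, column and function names are hypothetical.
declare(strict_types=1);

// --- Vulnerable pattern: the request value is spliced into the SQL text, so
// whatever the client appends to EN_tyid is parsed and executed as part of the
// query. Shown only to contrast with the hardened version below.
function attendeesByTypeUnsafe(PDO $pdo, array $post): array
{
    $sql = "SELECT event_id, person_id FROM event_attendees WHERE event_type_id = "
         . ($post['EN_tyid'] ?? '');
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened version: validate the type first, then bind the value as a parameter.
function attendeesByTypeSafe(PDO $pdo, array $post): array
{
    // EN_tyid is a numeric identifier, so accept nothing but a non-negative integer.
    $typeId = filter_var(
        $post['EN_tyid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($typeId === false) {
        throw new InvalidArgumentException('EN_tyid must be a non-negative integer');
    }

    // The SQL text is fixed; the value is sent to the server separately and can
    // never change the statement's structure.
    $stmt = $pdo->prepare(
        'SELECT event_id, person_id FROM event_attendees WHERE event_type_id = :type_id'
    );
    $stmt->bindValue(':type_id', $typeId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection options that keep the fix effective: genuine server-side prepares
// (no client-side emulation) and exceptions instead of silently ignored errors.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Usage with placeholder DSN and credentials:
// $pdo  = connect('mysql:host=127.0.0.1;dbname=churchcrm', 'app_user', 'PLACEHOLDER');
// $rows = attendeesByTypeSafe($pdo, $_POST);
```

The database account used for the DSN should hold only the SELECT/INSERT/UPDATE rights the application needs, which is the permission restriction the advisory recommends as a second layer.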