ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 5.13.0
A boolean-based blind SQL injection vulnerability has been identified in ChurchCRM versions through 5.13.0. An attacker with administrator privileges can execute arbitrary SQL queries by manipulating the EID parameter, which is concatenated directly into an SQL query without sanitization or parameter binding.
Exploitation could result in unauthorized execution of SQL commands, allowing an attacker to read, modify, or delete database information. Additionally, in some database configurations, this could lead to remote code execution.
To reproduce this vulnerability, navigate to the EditEventAttendees.php endpoint and intercept the request using a tool like Burp Suite. Modify the EID parameter to include a crafted SQL injection payload, such as '1 AND 5302=5302', and send the request. The response will indicate whether the SQL injection was successful.
It is recommended to use prepared statements or parameterized queries to prevent SQL injection. Input validation should be implemented to reject dangerous characters, and the principle of least privilege should be applied to database users. Specifically, the EventID variable should be sanitized and validated before being used in SQL queries.
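The following PHP snippet is an added illustration of the fix described above; it is not ChurchCRM's own code. It places the injectable pattern (the EID value concatenated into the query string) beside a hardened version that validates the identifier as a positive integer and binds it through a PDO prepared statement. The table and column names (`event_attend`, `event_id`), the function names, and the in-memory SQLite data are assumptions made for the example.

```php
<?php
// Added example, not ChurchCRM's code. Table/column names are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the raw request value is spliced into the SQL text,
// so anything that parses as SQL is evaluated by the database.
function loadAttendeesVulnerable(PDO $db, string $eid): array
{
    $sql = 'SELECT * FROM event_attend WHERE event_id = ' . $eid; // injectable
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened step 1: validate the identifier before it goes anywhere near SQL.
// FILTER_VALIDATE_INT rejects anything that is not a plain integer, so a
// value such as "1 AND 5302=5302" never reaches the query.
function parseEventId(?string $raw): int
{
    $id = filter_var($raw ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('EID must be a positive integer');
    }
    return $id;
}

// Hardened step 2: bind the validated value as a typed parameter, so the
// query structure is fixed at prepare time and the value is only ever data.
function loadAttendeesSafe(PDO $db, ?string $rawEid): array
{
    $eventId = parseEventId($rawEid);
    $stmt = $db->prepare('SELECT * FROM event_attend WHERE event_id = :event_id');
    $stmt->bindValue(':event_id', $eventId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event_attend (event_id INTEGER, person_id INTEGER)');
$db->exec('INSERT INTO event_attend VALUES (1, 10), (1, 11), (2, 20)');

$benign   = '1';
$tampered = '1 AND 5302=5302'; // the boolean probe quoted in the advisory

// Vulnerable path: the tampered value is accepted and changes the WHERE clause.
echo 'vulnerable/benign rows: ',   count(loadAttendeesVulnerable($db, $benign)),   PHP_EOL;
echo 'vulnerable/tampered rows: ', count(loadAttendeesVulnerable($db, $tampered)), PHP_EOL;

// Hardened path: benign input works; tampered input is rejected before any SQL runs.
echo 'safe/benign rows: ', count(loadAttendeesSafe($db, $benign)), PHP_EOL;
try {
    loadAttendeesSafe($db, $tampered);
} catch (InvalidArgumentException $e) {
    echo 'safe/tampered rejected: ', $e->getMessage(), PHP_EOL;
}
```

Validation and parameter binding are complementary rather than alternatives: the integer check rejects malformed input with a clear error before a database round-trip, and the bound parameter guarantees that even a value which passes validation can never alter the query's structure. Applying least privilege on top of this (a database account that can only read and write the tables the endpoint needs) limits what a future injection elsewhere in the application could reach.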