ChurchCRM Boolean-Based and Time-Based Blind SQL Injection Vulnerability in BatchWinnerEntry Functionality

Vulnerability

A SQL injection vulnerability has been identified in ChurchCRM versions through 5.13.0. This vulnerability allows attackers to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL injection in the BatchWinnerEntry functionality. The issue arises because the CurrentFundraiser parameter is concatenated into an SQL query without proper sanitization, enabling attackers to manipulate database queries and execute arbitrary commands. Exploitation of this vulnerability could lead to unauthorized data access, modification, or deletion. Notably, this vulnerability requires administrator privileges to exploit.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution, which could lead to data exfiltration, unauthorized data modification or deletion, and potentially remote code execution, depending on the database configuration.

Reproduction

To reproduce this vulnerability, navigate to the BatchWinnerEntry endpoint and intercept the request. Modify the CurrentFundraiser parameter to include a crafted SQL injection payload, such as one that exploits time-based blind SQL injection by using the SQL SLEEP function. Send the modified request and observe the response delay, which indicates successful exploitation.

Remediation

To address this vulnerability, ChurchCRM should implement prepared statements to prevent SQL injection, validate input to reject harmful characters, apply the principle of least privilege to database users, and ensure that the CurrentFundraiser variable is properly typed before use.
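As an added illustration of that remediation (not ChurchCRM's own code), the hypothetical handler below first shows the defect the advisory describes, the request value concatenated into the query string, and then the hardened form that validates CurrentFundraiser as an integer and binds it through a PDO prepared statement. The table name fundraiser_batch, the column fundraiser_id, the function names and the $pdo connection are all assumptions.

```php
<?php
// Added illustration, not ChurchCRM's own code. Table/column names and $pdo are assumed.
declare(strict_types=1);

// BEFORE (the defect described in the advisory): the raw request value is spliced into
// the SQL text, so whatever arrives in CurrentFundraiser becomes part of the query itself.
function loadWinnersUnsafe(PDO $pdo, array $request): array
{
    $currentFundraiser = $request['CurrentFundraiser'] ?? '';
    $sql = "SELECT * FROM fundraiser_batch WHERE fundraiser_id = " . $currentFundraiser;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the value is typed (must be a positive integer) before use and is bound as a
// parameter, so the query structure is fixed at prepare time and the value cannot alter it.
function loadWinnersSafe(PDO $pdo, array $request): array
{
    $raw = $request['CurrentFundraiser'] ?? null;

    // FILTER_VALIDATE_INT returns false for anything that is not a plain integer literal,
    // which rejects appended SQL fragments as well as empty or missing values.
    $currentFundraiser = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($currentFundraiser === false) {
        throw new InvalidArgumentException('CurrentFundraiser must be a positive integer');
    }

    // Disable client-side prepare emulation so the statement is prepared by the server
    // and the bound value is transmitted separately from the SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    $stmt = $pdo->prepare('SELECT * FROM fundraiser_batch WHERE fundraiser_id = :fid');
    $stmt->bindValue(':fid', $currentFundraiser, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The integer check and the bound parameter are independent layers: either one alone closes the concatenation defect, and the database user running this query should still be limited to the tables the feature needs.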

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 10.0
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.