ChurchCRM Authentication Bypass Vulnerability in API Endpoint

Vulnerability

A critical authentication bypass vulnerability has been identified in ChurchCRM versions through 5.18.0. The issue resides in the API middleware, specifically within the AuthMiddleware function of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php. This vulnerability allows unauthenticated attackers to access protected API endpoints by including the substring 'api/public' in the request URI. The authentication check evaluated the full request URI (query string included) instead of just the path, so appending a query parameter such as '?bypass=api/public' was enough to satisfy the public-route check. Exploitation of this flaw could lead to unauthorized access to and manipulation of sensitive data, including member records and family relationships, as well as the ability to trigger background jobs, abuse geocoding endpoints, and delete calendar entries where permitted.

Impact

Exploitation of this vulnerability allows for unauthorized access to protected API endpoints, bypassing authentication requirements. This could result in exposure and potential modification of sensitive data, such as member records and family relationships. Additionally, the vulnerability could be exploited to trigger background jobs, abuse geocoding endpoints, and delete calendar entries where allowed.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated GET request to the '/api/persons/latest' endpoint with the query parameter '?bypass=api/public' appended. The response returns HTTP 200 along with the member data (the full API payload), demonstrating the successful bypass of authentication.
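The flawed check and a path-based replacement side by side, plus a small filter a defender could run over web-server access logs to spot the bypass pattern described above. This is an added illustration in Python, not ChurchCRM's PHP middleware or its patch; the function names, the '/api/public' prefix convention and the Common Log Format sample lines are assumptions.

```python
"""Added example: the substring-on-full-URI check beside a path-based check, plus
a log filter for spotting bypass attempts. Not ChurchCRM's code; names assumed."""
from urllib.parse import unquote, urlsplit

PUBLIC_PREFIX = "/api/public"   # assumed public-route prefix

def is_public_vulnerable(uri: str) -> bool:
    # Mirrors the flaw the advisory describes: a substring match against the
    # whole request URI, so the query string alone can satisfy it.
    return "api/public" in uri

def is_public_fixed(uri: str) -> bool:
    # Inspect only the path, and require a whole-segment match so that neither
    # "/api/publicity/..." nor "?bypass=api/public" is treated as public.
    path = urlsplit(uri).path
    return path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/")

def needs_auth(uri: str, is_public) -> bool:
    # The middleware decision: every route that is not public requires auth.
    return not is_public(uri)

def flag_bypass_attempts(access_log: list[str]) -> list[str]:
    # Defender-side check over access-log lines (Common Log Format assumed:
    # the request target is the 7th whitespace-separated field). A line is
    # suspicious when the public marker sits in the query string while the
    # path itself is not a public route. unquote() catches %2F-encoded variants.
    hits = []
    for line in access_log:
        target = line.split()[6]
        query = unquote(urlsplit(target).query)
        if "api/public" in query and not is_public_fixed(target):
            hits.append(line)
    return hits

# Constructed sample log lines; the last two carry the advisory's bypass parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Oct/2025:03:18:00 +0000] "GET /api/public/register HTTP/1.1" 200 512',
    '203.0.113.5 - - [09/Oct/2025:03:18:01 +0000] "GET /api/persons/latest HTTP/1.1" 401 0',
    '203.0.113.5 - - [09/Oct/2025:03:18:02 +0000] "GET /api/persons/latest?bypass=api/public HTTP/1.1" 200 4096',
    '203.0.113.5 - - [09/Oct/2025:03:18:03 +0000] "GET /api/persons/latest?bypass=api%2Fpublic HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    bypass = "/api/persons/latest?bypass=api/public"
    print("vulnerable check treats bypass as public:", not needs_auth(bypass, is_public_vulnerable))
    print("fixed check still requires auth:", needs_auth(bypass, is_public_fixed))
    print("flagged:", flag_bypass_attempts(SAMPLE_LOG))
```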

Remediation

Users are advised to update to ChurchCRM version 5.18.1 or later, where this vulnerability has been patched.

Added: Oct 9, 2025, 3:18 AM
Updated: Oct 9, 2025, 3:18 AM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 9.5
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.