ChurchCRM Remote Code Execution Vulnerability in Setup Wizard

Vulnerability

A critical remote code execution vulnerability has been identified in ChurchCRM versions through 5.18.0. The issue is in the setup wizard, specifically in the file setup/routes/setup.php. It allows unauthenticated attackers to inject arbitrary PHP code by manipulating the DB_PASSWORD, ROOT_PATH, and URL parameters; the injected code is then executed on the server, giving the attacker full control of the web server's user account. The root cause is that user input from the setup form is inserted directly into a PHP configuration file without proper validation or sanitization. The issue can be exploited remotely, and the vulnerability has been made public.

Impact

Exploitation of this vulnerability allows for pre-authentication remote code execution on the server where ChurchCRM is installed, with the executed code running under the web server's user account. This could lead to a full server compromise, including the execution of arbitrary system commands, and the potential installation of a backdoor for persistent access.

Reproduction

To reproduce this vulnerability, access the ChurchCRM setup wizard without authentication. Once the setup form is loaded, submit a POST request that includes a payload in the DB_PASSWORD parameter, such as a command to be executed on the server. The injected command will be executed with the privileges of the web server user.

Remediation

It is recommended to restrict network access to the setup wizard during the installation process. ChurchCRM should also implement input validation and sanitization for all setup form parameters, use parameterized configuration generation instead of direct string replacement, add CSRF protection and basic rate limiting to setup endpoints, and consider moving sensitive configuration generation to command-line tools.
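The root cause described in the Vulnerability section and the remediation items above ("input validation and sanitization" and "parameterized configuration generation instead of direct string replacement") side by side, as an added PHP example that is not ChurchCRM's own code. The function names, the field list, the regular expressions and the variable names written into the generated file are assumptions for illustration; the hostile input is constructed for the demonstration.

```php
<?php
// Added example, not ChurchCRM's code: how setup-form values end up in a PHP
// configuration file, and how to generate that file safely. Function names,
// field list, patterns and the generated variable names are assumptions.
declare(strict_types=1);

// Vulnerable pattern: placeholders in a PHP source template are replaced with
// the raw submitted strings. A single quote in the value closes the literal
// and whatever follows is parsed as PHP when the generated file is included.
function buildConfigUnsafe(array $input): string
{
    $template = "<?php\n"
        . "\$DB_SERVER = '%DB_SERVER%';\n"
        . "\$DB_PASSWORD = '%DB_PASSWORD%';\n"
        . "\$ROOT_PATH = '%ROOT_PATH%';\n";
    return str_replace(
        ['%DB_SERVER%', '%DB_PASSWORD%', '%ROOT_PATH%'],
        [$input['DB_SERVER'] ?? '', $input['DB_PASSWORD'] ?? '', $input['ROOT_PATH'] ?? ''],
        $template
    );
}

// Allow-list per field (assumed). \A and \z anchor the whole string; PHP's $
// would still match before a trailing newline. Passwords may legitimately
// contain quotes and semicolons, so that field is limited to printable ASCII
// only, and the escaping is left to var_export().
const CONFIG_FIELD_RULES = [
    'DB_SERVER'   => '/\A[A-Za-z0-9.\-]{1,253}(:\d{1,5})?\z/',
    'DB_NAME'     => '/\A[A-Za-z0-9_]{1,64}\z/',
    'DB_USER'     => '/\A[A-Za-z0-9_.\-]{1,32}\z/',
    'DB_PASSWORD' => '/\A[\x20-\x7E]{0,128}\z/',
    'ROOT_PATH'   => '/\A(\/[A-Za-z0-9_.\-]+)*\z/',
    'URL'         => '/\Ahttps?:\/\/[A-Za-z0-9.\-]+(:\d{1,5})?(\/[A-Za-z0-9_.\-]*)*\z/',
];

// Hardened pattern: reject anything outside the allow-list, then let
// var_export() produce the quoted literal. The submitted bytes are data inside
// a string literal and cannot become PHP syntax.
function buildConfigSafe(array $input): string
{
    $lines = ['<?php', '// Generated by the setup wizard; edit through the application.'];
    foreach (CONFIG_FIELD_RULES as $field => $pattern) {
        $value = $input[$field] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Setup field $field was rejected");
        }
        $lines[] = sprintf('$%s = %s;', $field, var_export($value, true));
    }
    return implode("\n", $lines) . "\n";
}

// Defensive check before writing the file to disk: the generated source must
// tokenize as nothing but "$var = 'literal';" statements and comments. Any
// operator, identifier, call or second open tag means input became code.
function looksLikeAssignmentsOnly(string $php): bool
{
    $allowed = [T_COMMENT, T_WHITESPACE, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING];
    foreach (token_get_all($php) as $i => $tok) {
        if (is_string($tok)) {                       // single-character tokens
            if ($tok !== '=' && $tok !== ';') {
                return false;
            }
            continue;
        }
        if ($tok[0] === T_OPEN_TAG && $i === 0) {
            continue;                                // the one permitted open tag
        }
        if (!in_array($tok[0], $allowed, true)) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample form submission.
    $benign = [
        'DB_SERVER' => 'localhost', 'DB_NAME' => 'churchcrm', 'DB_USER' => 'crm',
        'DB_PASSWORD' => "o'reilly;", 'ROOT_PATH' => '/churchcrm',
        'URL' => 'https://example.org/churchcrm',
    ];
    // Constructed hostile password: a quote that closes the literal, followed by
    // harmless PHP syntax (string concatenation) standing in for real code.
    $quoted = $benign;
    $quoted['DB_PASSWORD'] = "' . 'injected-marker' . '";
    // Constructed hostile path that the allow-list rejects outright.
    $badPath = $benign;
    $badPath['ROOT_PATH'] = "/churchcrm' . 'x";

    echo buildConfigUnsafe($quoted);
    var_dump(looksLikeAssignmentsOnly(buildConfigUnsafe($quoted)));
    echo buildConfigSafe($quoted);
    var_dump(looksLikeAssignmentsOnly(buildConfigSafe($quoted)));
    try {
        buildConfigSafe($badPath);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Run with `php example.php`. The unsafe builder emits the marker as a concatenation expression, which the tokenizer check flags; the safe builder keeps the same bytes inside one escaped string literal, which the check accepts, and the malformed ROOT_PATH is rejected before any file is produced. The two layers are deliberate: the allow-list limits what reaches the generator, and var_export() guarantees that whatever does reach it is emitted as data, so neither layer has to be perfect on its own.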

Added: Oct 19, 2025, 8:19 AM
Updated: Oct 19, 2025, 8:19 AM

Vulnerability Rating

Custom Algorithm

spread           1.9
impact          10.0
exploitability   9.5
remediation      8.3
relevance        0.7
threat           6.4
urgency          2.9
incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.