ChurchCRM Path Traversal Vulnerability in Backup Restore Component Allowing Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in ChurchCRM versions through 5.18.0, specifically within the backup restore functionality. The issue arises in the file 'src/ChurchCRM/Backup/RestoreJob.php', where user-supplied filenames are not properly validated before being used to construct file paths. This lack of validation allows authenticated administrators to manipulate the 'restoreFile' argument, potentially leading to the upload of arbitrary files, such as malicious '.htaccess' files. Once uploaded, these files can be used to override Apache configuration settings, enabling the execution of PHP web shells and resulting in remote code execution on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, executed with the privileges of the web server user. This could lead to a complete compromise of the server, access to all application data including sensitive information about church members, and the potential for installing a persistent backdoor and moving laterally within the network.

Reproduction

To reproduce this vulnerability, an authenticated administrator must upload a malicious '.htaccess' file through the backup restore endpoint. This is done by sending a POST request to the '/api/database/restore' endpoint with the '.htaccess' file supplied in the 'restoreFile' parameter. Once the uploaded '.htaccess' file is in place and causes Apache to execute PHP files in the same directory, the administrator can upload a PHP web shell, such as 'webshell.php', which can then be used to execute arbitrary commands on the server.

Remediation

It is recommended to restrict the backup restore functionality to trusted administrators only. ChurchCRM should implement strict filename validation and sanitization, use an allowlist of permitted file extensions for backup files, store uploaded files outside of web-accessible directories, and add Cross-Site Request Forgery (CSRF) protection to backup restore endpoints.
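As an added illustration of the filename validation and allowlisting described above (this is not ChurchCRM's own code; the function name, the regular expression, and the $backupDir location are assumptions), a PHP routine that rejects directory components, dotfiles such as '.htaccess', and non-backup extensions before any path is built:

```php
<?php
// Added example, not ChurchCRM's code. Validates a client-supplied
// 'restoreFile' name before it is joined to a storage directory that is
// assumed to live outside the web root.

declare(strict_types=1);

/**
 * Return a safe absolute path inside $backupDir for $restoreFile, or throw.
 *  1. strip any directory component the client supplied,
 *  2. allowlist the filename shape and extension (dotfiles fail because
 *     the first character must be alphanumeric, so '.htaccess' is rejected),
 *  3. canonicalise the storage directory so the result is always under it.
 */
function safeRestorePath(string $backupDir, string $restoreFile): string
{
    $name = basename($restoreFile);

    $allowed = '/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,127}\.(sql|sql\.gz|tar\.gz|zip)\z/';
    if (!preg_match($allowed, $name)) {
        throw new InvalidArgumentException("Rejected backup filename: $name");
    }

    $base = realpath($backupDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Backup directory is missing');
    }
    // $name contains no separators, so this cannot leave $base.
    return $base . DIRECTORY_SEPARATOR . $name;
}

// Constructed inputs for demonstration; the directory is created in /tmp.
$backupDir = sys_get_temp_dir() . '/churchcrm-backups-example';
@mkdir($backupDir, 0700, true);

$inputs = ['backup-2025-10-19.sql', '../.htaccess', '.htaccess', 'webshell.php'];
foreach ($inputs as $input) {
    try {
        echo "$input => accepted as " . safeRestorePath($backupDir, $input) . "\n";
    } catch (Throwable $e) {
        echo "$input => " . $e->getMessage() . "\n";
    }
}
```

Only the first input is accepted; the three others are rejected by the allowlist before any filesystem write would occur.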

Added: Oct 19, 2025, 8:17 AM
Updated: Oct 19, 2025, 8:17 AM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 10.0
exploitability: 6.1
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.