ChurchCRM Remote Code Execution Vulnerability in Setup Wizard

Vulnerability

A remote code execution vulnerability has been identified in ChurchCRM versions prior to 5.21.0. It exists in the setup wizard, where user input is written directly into a PHP configuration file without proper validation or escaping. Unauthenticated attackers can exploit this during the installation process, leading to complete server compromise. Because the injected code runs on every page load, the issue is particularly severe: it requires no authentication and allows arbitrary code execution before the application is fully configured.

Impact

Exploitation of this vulnerability allows for pre-authentication remote code execution, leading to complete server compromise. The injected code is executed as the web server user, with potential access to all server files and the ability to move laterally within the system. This vulnerability also allows for the installation of persistent backdoors before the application is configured.

Reproduction

To reproduce this vulnerability, access the setup wizard without authentication and submit a POST request to the setup endpoint with a 'DB_PASSWORD' parameter that contains PHP code, such as a command to be executed. The value is written unescaped into 'Include/Config.php', where it is executed on each page load. Once written, the injected code runs on any subsequent request to the application.

Remediation

Users should update to ChurchCRM version 5.21.0 or later, where this vulnerability has been patched.
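The root cause described above is a config writer that interpolates a submitted value into PHP source. The following is an added example, not ChurchCRM's own code, of how a setup wizard can write the same settings safely: every value is emitted as a PHP literal through var_export(), and the generated file is tokenized and rejected if it contains anything other than define() calls before it is written. The output path and the DB_SERVER setting are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not ChurchCRM's own code; the path and setting names are assumptions.

/** Render a config file in which every value is a PHP literal, never raw text. */
function renderConfig(array $settings): string
{
    $out = "<?php\n// Generated by the setup wizard; do not edit by hand.\n";
    foreach ($settings as $name => $value) {
        // Names come from the wizard's own form, but validate so none can carry code.
        if (!preg_match('/^[A-Z][A-Z0-9_]*$/', (string) $name)) {
            throw new InvalidArgumentException("Bad setting name: $name");
        }
        if (!is_string($value) && !is_int($value) && !is_bool($value)) {
            throw new InvalidArgumentException("Unsupported value for $name");
        }
        // var_export() escapes quotes and backslashes, so the submitted value
        // stays inside the string literal whatever characters it contains.
        $out .= sprintf("define('%s', %s);\n", $name, var_export($value, true));
    }
    return $out;
}

/** Defence in depth: refuse to write a file containing anything but define() calls. */
function assertOnlyDefines(string $php): void
{
    foreach (token_get_all($php) as $tok) {
        if (!is_array($tok)) {
            continue; // single-character tokens such as ( ) , ; .
        }
        [$id, $text] = $tok;
        if ($id === T_INLINE_HTML || $id === T_CLOSE_TAG) {
            throw new RuntimeException('Generated config leaves PHP mode');
        }
        if ($id === T_STRING && !in_array(strtolower($text), ['define', 'true', 'false'], true)) {
            throw new RuntimeException("Unexpected identifier in config: $text");
        }
    }
}

// Constructed input: a password containing a quote, a backslash, a newline and a
// PHP close-tag sequence, i.e. characters that would break out of a naive write.
$settings = ['DB_SERVER' => 'localhost', 'DB_PASSWORD' => "it's \\ not ?> a\ncode"];
$php = renderConfig($settings);
assertOnlyDefines($php);
// Written with an exclusive lock; the wizard should also be disabled once setup completes.
file_put_contents('/tmp/Config.php', $php, LOCK_EX);
```

With this input the generated line is a plain string constant (var_export splits the newline out as `"\n"`), so a later `require` of the file yields the password as data rather than executing it.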

Added: Dec 17, 2025, 7:23 PM
Updated: Dec 17, 2025, 7:23 PM

Vulnerability Rating (Custom Algorithm)

spread          1.9
impact         10.0
exploitability  9.5
remediation     7.7
relevance       1.5
threat          7.5
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.