ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 5.22.0
A SQL injection vulnerability has been identified in ChurchCRM versions prior to 6.5.3, specifically in the User Editor feature. The issue arises because the keys of the 'type' POST parameter array are not properly sanitized before being used in SQL queries. This flaw allows a malicious or compromised administrator to execute arbitrary SQL commands against the database, including time-based blind SQL injection. Exploitation could lead to unauthorized data manipulation or deletion, and potentially further system compromise, depending on the database configuration and user privileges.
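The bug class described above, as an added illustration that is not ChurchCRM's own code: a handler that takes the *keys* of a submitted array and uses them as column names in an UPDATE. Prepared statements bind values, not identifiers, so the fix is to allow-list the keys before they reach the query; the function, table and column names here are hypothetical.

```php
<?php
declare(strict_types=1);

// Unsafe pattern (constructed example): each key of $_POST['type'] is
// interpolated into the statement as a column name. Casting the value does
// nothing for the key, which is the part an attacker controls.
function buildUnsafeUpdate(array $types, int $userId): string
{
    $sets = [];
    foreach ($types as $key => $value) {
        $sets[] = "`" . $key . "` = " . (int) $value;
    }
    return "UPDATE user_permissions SET " . implode(', ', $sets)
         . " WHERE user_id = " . $userId;
}

// Hardened form: identifiers come only from a fixed allow-list, values are
// bound through PDO placeholders, and unknown keys are rejected outright.
const ALLOWED_TYPE_KEYS = ['admin', 'finance', 'notes', 'edit_records'];

function buildSafeUpdate(PDO $db, array $types, int $userId): PDOStatement
{
    $sets   = [];
    $params = [':user_id' => $userId];
    foreach ($types as $key => $value) {
        // Array keys are never bindable; only a known column name may pass.
        if (!in_array($key, ALLOWED_TYPE_KEYS, true)) {
            throw new InvalidArgumentException('Unknown permission key');
        }
        $sets[] = "`$key` = :$key";
        $params[":$key"] = (int) (bool) $value;
    }
    if ($sets === []) {
        throw new InvalidArgumentException('No permission keys supplied');
    }
    $stmt = $db->prepare(
        "UPDATE user_permissions SET " . implode(', ', $sets)
        . " WHERE user_id = :user_id"
    );
    $stmt->execute($params);
    return $stmt;
}
```

Logging the rejected key (without echoing it back into a query) gives a useful detection signal, since legitimate clients only ever send the allow-listed names.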
Exploitation of this vulnerability allows for arbitrary SQL command execution, with the potential to manipulate, exfiltrate, or delete all database information, including user credentials and financial records. Additionally, it could lead to further system compromise, such as writing files to the server, based on the database's configuration and user rights.
To reproduce this vulnerability, log in as an administrator and navigate to the User List. Select any user to edit, which will take you to the User Editor page. Intercept the POST request using a proxy tool like Burp Suite. Modify the request body to inject a SQL payload into the key of a 'type' parameter array element. For example, add a parameter that includes a SQL injection payload, such as one that uses the SQL 'SLEEP' function to demonstrate the injection. Forward the modified request and observe the delayed server response, indicating successful exploitation.
Users can update to ChurchCRM version 6.5.3 or later, where this vulnerability has been patched.