ChurchCRM SQL Injection Vulnerability in Event Editor Allowing Arbitrary SQL Execution

Vulnerability

A SQL injection vulnerability has been identified in ChurchCRM versions prior to 6.5.0, specifically within the EventEditor.php file. The issue arises when an authenticated user with event management permissions creates a new event and selects an event type. The EN_tyid POST parameter is not properly sanitized, allowing the user to execute arbitrary SQL queries. This vulnerability has been patched in version 6.5.0.
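The pattern described above, as an added illustration rather than ChurchCRM's own code: a minimal event-type lookup where the request value reaches the SQL text directly, beside a hardened version that validates the parameter as an integer and binds it. The table, rows, function names and the use of an in-memory SQLite database are all assumptions made for this example.

```python
import sqlite3

# Constructed illustration (not ChurchCRM's code): a minimal event-type
# lookup that mirrors the pattern the advisory describes, where the
# EN_tyid POST parameter is concatenated into the query text.

def make_db():
    # Assumed schema and sample rows, constructed for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event_types (type_id INTEGER PRIMARY KEY, type_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO event_types VALUES (?, ?)",
        [(1, "Service"), (2, "Meeting"), (3, "Fundraiser")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, en_tyid):
    # Vulnerable: the request value becomes part of the statement, so
    # anything appended to a valid id is parsed and executed as SQL.
    sql = "SELECT type_id, type_name FROM event_types WHERE type_id = " + en_tyid
    return conn.execute(sql).fetchall()

def is_valid_type_id(value):
    # A type id can only ever be a string of decimal digits; anything else
    # (quotes, operators, function calls) is rejected before it reaches SQL.
    return isinstance(value, str) and value.isdigit()

def lookup_hardened(conn, en_tyid):
    # Hardened: allowlist-validate the shape of the value, then bind it as a
    # parameter so the database driver never interprets it as SQL text.
    if not is_valid_type_id(en_tyid):
        raise ValueError("EN_tyid must be a positive integer")
    sql = "SELECT type_id, type_name FROM event_types WHERE type_id = ?"
    return conn.execute(sql, (int(en_tyid),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:", lookup_vulnerable(db, "2"))
    print("vulnerable, injected :", lookup_vulnerable(db, "1 OR 1=1"))
    print("hardened, normal id  :", lookup_hardened(db, "2"))
    print("hardened, injected   :", is_valid_type_id("1 OR 1=1"))
```

The two defences are deliberately layered: parameter binding alone would already stop the injected text from being executed as SQL, and the integer check additionally rejects malformed input early with a clear error, which is also a useful signal to log.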

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, which could be used to exfiltrate, modify, or delete database information. This includes sensitive data such as user credentials and financial information.

Reproduction

To reproduce this vulnerability, log in as a user with event management privileges. Navigate to the event editor and select an option from the 'Event Type' dropdown. Intercept the POST request using a proxy tool like Burp Suite. Modify the EN_tyid parameter to include a time-based blind SQL injection payload, such as one that uses the SQL SLEEP function to delay the server's response. Forward the modified request and observe the delayed response, which confirms the vulnerability.
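From the defender's side, the two observable traits of the test above (a non-numeric EN_tyid value and an unusually slow response) can be checked in request logs. The following is an added example, not part of the advisory or of ChurchCRM; the log line format, the user names, the response-time field and the 2-second threshold are all constructed assumptions for this illustration.

```python
import re

# Constructed sample request records (not real ChurchCRM logs): one line per
# POST to the event editor with the submitted EN_tyid value and the server
# response time in seconds. The format is an assumption for this example.
SAMPLE_LOG = """\
2025-12-16T01:20:01Z user=alice POST /EventEditor.php EN_tyid=1 rt=0.04
2025-12-16T01:20:07Z user=alice POST /EventEditor.php EN_tyid=3 rt=0.05
2025-12-16T01:20:15Z user=mallory POST /EventEditor.php EN_tyid=1 AND SLEEP(5) rt=5.06
2025-12-16T01:20:31Z user=mallory POST /EventEditor.php EN_tyid=1' rt=0.03
"""

# Lazy match on the EN_tyid value so that payloads containing spaces are
# captured up to the trailing response-time field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) POST /EventEditor\.php "
    r"EN_tyid=(?P<tyid>.*?) rt=(?P<rt>[\d.]+)$"
)

# Assumption: legitimate event-editor responses complete well under this.
SLOW_THRESHOLD_S = 2.0

def analyze(log_text, slow_threshold=SLOW_THRESHOLD_S):
    """Return one finding per request that looks like an injection probe."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an event-editor POST in the assumed format
        reasons = []
        tyid = m["tyid"]
        rt = float(m["rt"])
        # A type id should only ever be decimal digits.
        if not tyid.isdigit():
            reasons.append("EN_tyid is not an integer")
        # A time-based blind probe shows up as a response far slower than
        # the rest of the traffic to the same endpoint.
        if rt >= slow_threshold:
            reasons.append("response time %.2fs exceeds threshold" % rt)
        if reasons:
            findings.append(
                {"ts": m["ts"], "user": m["user"], "tyid": tyid, "reasons": reasons}
            )
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["user"], repr(f["tyid"]), "; ".join(f["reasons"]))
```

The integer check is the more reliable of the two signals, since it fires on the first malformed request regardless of timing; the response-time check catches the delay the reproduction steps rely on, but should be tuned against the endpoint's normal latency to avoid noise.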

Remediation

Users should update to ChurchCRM version 6.5.0 or later, where this vulnerability has been fixed.

Added: Dec 16, 2025, 1:21 AM
Updated: Dec 16, 2025, 1:21 AM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 5.0
exploitability: 6.1
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.