ChurchCRM Database Restore Insecure File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in ChurchCRM versions prior to 6.5.3 because the Database Restore feature validates neither the content nor the file extension of uploaded files. An attacker who can reach the restore upload can therefore upload a PHP web shell and then a .htaccess file that makes the web shell directly reachable over HTTP. Requesting the web shell executes arbitrary commands on the server.

Impact

Successful exploitation gives full remote code execution, with the web shell running commands under the web server user's privileges. At that level the attacker can read, modify or delete application files, including the configuration that holds the database credentials, and so alter user data, financial records and application settings. OS-level command execution also lets the attacker exploit local misconfigurations, implant backdoors, exfiltrate sensitive data and stage further attacks against the surrounding network.

Reproduction

To reproduce this vulnerability, upload a web shell through the Database Restore upload, which accepts it because neither file content nor file extension is checked. Then upload a .htaccess file to the same directory so that the web shell can be requested directly. Requesting the web shell executes commands on the server.

Remediation

Update to ChurchCRM version 6.5.3 or later, where this vulnerability has been patched. Updating does not remove files that were uploaded before the fix: check the directory the restore feature writes to for unexpected .php and .htaccess files, and treat any that are found as evidence of compromise.
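The following is an added example, not ChurchCRM code and not the project's patch. It shows the checks the advisory says the Database Restore upload was missing: an extension allowlist, inspection of the file content, and a refusal of dotfiles such as .htaccess, followed by storage under a server-chosen name outside the web root so that even a file that slipped through could not be served or executed. The allowlist, the storage directory and the sample uploads are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not ChurchCRM code. Validation a database-restore upload
 * handler should perform before it does anything with the uploaded file.
 * The allowlist, storage directory and sample files are assumptions.
 */
final class RestoreUploadValidator
{
    /** A database backup is a plain SQL dump or a gzipped dump, nothing else. */
    private const ALLOWED_EXTENSIONS = ['sql', 'gz'];

    /** Segments that PHP or Apache handlers might execute, wherever they occur in the name. */
    private const EXECUTABLE_SEGMENTS = ['php', 'php3', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'cgi', 'pl', 'shtml'];

    /** Reasons to reject the upload; an empty array means every check passed. */
    public static function problems(string $clientName, string $tmpPath): array
    {
        $problems = [];
        $name = basename(str_replace('\\', '/', $clientName));

        // 1. Never accept dotfiles or empty names: this alone stops ".htaccess".
        if ($name === '' || $name[0] === '.') {
            $problems[] = 'empty name or dotfile';
        }
        if (str_contains($clientName, "\0")) {
            $problems[] = 'NUL byte in file name';
        }

        // 2. Allowlist the final extension and refuse an executable extension in
        //    any segment, so "shell.php.sql" is rejected as well as "shell.php".
        $segments = explode('.', strtolower($name));
        $last = count($segments) > 1 ? (string) end($segments) : '';
        if (!in_array($last, self::ALLOWED_EXTENSIONS, true)) {
            $problems[] = "extension '$last' is not a backup type";
        }
        foreach (array_slice($segments, 1) as $segment) {
            if (in_array($segment, self::EXECUTABLE_SEGMENTS, true)) {
                $problems[] = "executable extension '$segment' in file name";
                break;
            }
        }

        // 3. The content must match the claimed type; the name proves nothing.
        $content = (string) file_get_contents($tmpPath);
        if ($last === 'gz' && substr($content, 0, 2) !== "\x1f\x8b") {
            $problems[] = 'gz extension without gzip magic bytes';
        }
        if ($last === 'sql' && !preg_match('/\A\s*(?:--|\/\*|(?:CREATE|DROP|INSERT|SET|USE|LOCK|ALTER)\b)/i', $content)) {
            $problems[] = 'sql extension but content does not start like a SQL dump';
        }
        // A legitimate dump may carry "<?php" inside string data, so this check
        // trades a rare false positive for refusing anything PHP would execute.
        if ($last !== 'gz' && preg_match('/<\?(?:php\b|=)/i', $content)) {
            $problems[] = 'PHP open tag in content';
        }
        return $problems;
    }

    /**
     * Store an accepted upload under a server-chosen random name in a directory
     * outside the document root. Nothing placed there is ever served or run.
     */
    public static function store(string $tmpPath, string $storageDir, string $ext): string
    {
        $dest = $storageDir . '/restore-' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (!rename($tmpPath, $dest)) {          // move_uploaded_file() in a real handler
            throw new RuntimeException('could not store upload');
        }
        return $dest;
    }
}

// Constructed sample uploads for the demo, written to a temporary directory.
$tmp = sys_get_temp_dir();
$storage = $tmp . '/restore-storage';   // in production: a directory outside the web root
@mkdir($storage, 0700);
$samples = [
    'shell.php'     => "<?php system(\$_GET['c']); ?>",               // web shell
    '.htaccess'     => "# attacker-chosen Apache directives\n",        // dotfile
    'shell.php.sql' => "-- backup\n<?php system(\$_GET['c']); ?>",    // double extension
    'backup.sql'    => "-- MySQL dump\nCREATE TABLE example_table (id int);\n",
];
foreach ($samples as $name => $body) {
    $path = tempnam($tmp, 'upl');
    file_put_contents($path, $body);
    $problems = RestoreUploadValidator::problems($name, $path);
    if ($problems) {
        printf("%-14s REJECT: %s\n", $name, implode('; ', $problems));
        unlink($path);
        continue;
    }
    $stored = RestoreUploadValidator::store($path, $storage, pathinfo($name, PATHINFO_EXTENSION));
    printf("%-14s accepted, stored as %s\n", $name, basename($stored));
    unlink($stored);
}
```

Run with `php validator.php`: the three malicious samples are rejected, each with every failing check listed, and only `backup.sql` is stored. The order of defences matters less than having the last one: a random server-chosen name in a directory the web server never serves means an attacker-controlled .htaccess has nothing to act on even if a content check is bypassed.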

Added: Dec 17, 2025, 10:24 PM
Updated: Dec 17, 2025, 10:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 10.0
exploitability: 6.1
remediation: 7.7
relevance: 1.5
threat: 6.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.