ChurchCRM SQL Injection Vulnerability in eGive ReImport Feature

Vulnerability

A SQL injection vulnerability has been identified in ChurchCRM versions prior to 6.5.3. The issue resides in the eGive.php file within the 'ReImport' functionality. An authenticated user with finance privileges can exploit this vulnerability by manipulating the 'MissingEgive_FamID_...' POST parameter to execute arbitrary SQL queries. This exploitation could lead to unauthorized access, modification, or deletion of data within the database.

Impact

Exploitation of this vulnerability allows an authenticated attacker with finance privileges to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Additionally, depending on the database user's permissions, this could allow for privilege escalation and remote code execution on the server.

Reproduction

To reproduce this vulnerability, log in as a user with finance privileges and navigate to the eGive import page. Initiate an import that results in at least one gift failing due to a missing eGive ID, which will trigger the re-import form. Once the form is displayed, intercept the POST request or craft a new one, and modify the 'MissingEgive_FamID_...' parameter to include a SQL injection payload, such as a time-based blind SQL injection payload. Submit the request and observe the delayed response, indicating successful exploitation.

Remediation

Users can upgrade to ChurchCRM version 6.5.3 or later, where this vulnerability has been patched.
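To illustrate the defect class and its fix, the following is an added example written for this page; it is not ChurchCRM's own code, and the function names, the `family_fam` table and `fam_ID`/`fam_Name` columns are assumptions chosen only to show the pattern. It contrasts interpolating the `MissingEgive_FamID_...` POST value into a query string with validating it as a numeric family ID and binding it through a prepared statement.

```php
<?php
// Added illustration, not ChurchCRM's code. Table, column and function names
// are assumptions made for this example.

// Vulnerable pattern: the POST value is concatenated into the SQL string, so
// anything beyond a numeric family ID is parsed by the database as SQL.
function reimportUnsafe(PDO $db, array $post, int $giftIndex): array
{
    $famId = $post['MissingEgive_FamID_' . $giftIndex];
    $sql = "SELECT fam_ID, fam_Name FROM family_fam WHERE fam_ID = " . $famId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: accept only a positive integer for the family ID, then bind
// it as a typed parameter so user input is never interpreted as SQL.
function reimportSafe(PDO $db, array $post, int $giftIndex): array
{
    $key = 'MissingEgive_FamID_' . $giftIndex;
    $raw = $post[$key] ?? '';
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        throw new InvalidArgumentException("Invalid family id in $key");
    }
    $stmt = $db->prepare(
        'SELECT fam_ID, fam_Name FROM family_fam WHERE fam_ID = :fam'
    );
    $stmt->bindValue(':fam', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demonstration on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE family_fam (fam_ID INTEGER PRIMARY KEY, fam_Name TEXT)');
$db->exec("INSERT INTO family_fam VALUES (1, 'Adams'), (2, 'Baker')");

// A well-formed family ID is accepted by the hardened handler.
var_dump(reimportSafe($db, ['MissingEgive_FamID_0' => '1'], 0));

// A tampered value rewrites the WHERE clause in the unsafe handler but is
// rejected by the hardened one before any query is issued.
$tampered = ['MissingEgive_FamID_0' => '1 OR 1=1'];
var_dump(reimportUnsafe($db, $tampered, 0));
try {
    reimportSafe($db, $tampered, 0);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```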

Added: Dec 17, 2025, 10:23 PM
Updated: Dec 17, 2025, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 6.1
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.