ChurchCRM SQL Injection Vulnerability in ConfirmReportEmail.php Legacy Endpoint

Vulnerability

A SQL injection vulnerability has been identified in ChurchCRM, an open-source church management system, in versions prior to 6.5.3. The issue resides in the legacy endpoint '/Reports/ConfirmReportEmail.php', which, despite having been removed from the user interface, remains deployed and reachable. Any authenticated user, regardless of assigned permissions, can exploit SQL injection through the 'familyId' parameter. The vulnerability arises because the endpoint's input is neither validated nor sanitized before being incorporated into a SQL query, leaving it open to injection attacks.
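The defect described above is the classic one: a request parameter spliced into SQL text. The following Python example is added here for illustration and is not ChurchCRM's own code; the table and column names are assumptions, and it uses an in-memory SQLite database so it runs offline. It places the vulnerable pattern beside a hardened version that allow-list validates 'familyId' as a positive integer and binds it as a query parameter.

```python
import re
import sqlite3

# Constructed stand-in for a family table (hypothetical names, not ChurchCRM's schema)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE family_fam (fam_id INTEGER PRIMARY KEY, fam_name TEXT, fam_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO family_fam VALUES (?, ?, ?)",
        [
            (1, "Smith", "smith@example.org"),
            (2, "Jones", "jones@example.org"),
            (3, "Lee", "lee@example.org"),
        ],
    )
    return conn


def lookup_family_unsafe(conn, raw_family_id):
    # Vulnerable pattern: the untrusted parameter becomes part of the SQL text,
    # so anything that is not a bare number changes the meaning of the query.
    sql = f"SELECT fam_id, fam_email FROM family_fam WHERE fam_id = {raw_family_id}"
    return conn.execute(sql).fetchall()


FAMILY_ID_RE = re.compile(r"[1-9][0-9]*")


def is_valid_family_id(raw):
    # Allow-list check: only an ASCII positive integer literal is acceptable.
    return isinstance(raw, str) and FAMILY_ID_RE.fullmatch(raw) is not None


def lookup_family_safe(conn, raw_family_id):
    # Reject anything that is not a positive integer before touching the database.
    if not is_valid_family_id(raw_family_id):
        raise ValueError("familyId must be a positive integer")
    fam_id = int(raw_family_id)
    # Parameterized query: the driver binds the value as data, never as SQL.
    return conn.execute(
        "SELECT fam_id, fam_email FROM family_fam WHERE fam_id = ?", (fam_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_family_unsafe(conn, "2"))           # the intended single row
    print(lookup_family_unsafe(conn, "2 OR 1=1"))    # every row: the appended clause ran
    print(lookup_family_safe(conn, "2"))             # the intended single row
    print(is_valid_family_id("2 OR 1=1"))            # False: rejected before any query
```

Both layers matter: validation stops malformed input at the boundary with a clear error, and parameter binding guarantees that even a value which slips past validation is compared as data rather than parsed as SQL.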

Impact

Exploitation of this vulnerability allows for SQL injection, with the potential for complete database compromise, extraction of sensitive ChurchCRM data, and possible privilege escalation. Depending on the database server's enabled SQL functions and configuration, there could also be a risk of remote code execution.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request to the '/Reports/ConfirmReportEmail.php' endpoint with a crafted 'familyId' parameter that carries a SQL injection payload. The injected SQL is executed, demonstrating successful exploitation. For example, a time-based blind SQL injection technique can be used to verify the vulnerability.
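Because the endpoint was removed from the user interface, legitimate traffic to it should be rare, so web server access logs are a practical place to look for exploitation attempts. The following Python example is added here and is not part of the original advisory or of ChurchCRM; the log lines are constructed in the common Apache/nginx combined format, and the 'familyId' check reuses the rule that the parameter must be a positive integer. Any hit on the legacy path is reported for inventory, and a missing or non-numeric 'familyId' is raised to an alert.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Legacy path named in the advisory; any request to it is worth recording.
LEGACY_ENDPOINT = "/Reports/ConfirmReportEmail.php"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
FAMILY_ID_RE = re.compile(r"[1-9][0-9]*")

# Constructed sample lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - alice [17/Dec/2025:22:10:01 +0000] '
    '"GET /Reports/ConfirmReportEmail.php?familyId=12 HTTP/1.1" 200 512',
    '203.0.113.7 - alice [17/Dec/2025:22:10:05 +0000] '
    '"GET /Reports/ConfirmReportEmail.php?familyId=12%20OR%201%3D1 HTTP/1.1" 200 9876',
    '198.51.100.4 - bob [17/Dec/2025:22:11:40 +0000] '
    '"POST /Reports/ConfirmReportEmail.php HTTP/1.1" 200 300',
    '198.51.100.4 - bob [17/Dec/2025:22:12:00 +0000] '
    '"GET /v2/dashboard HTTP/1.1" 200 4021',
]


def classify_request(line):
    """Return a finding dict for a request to the legacy endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != LEGACY_ENDPOINT:
        return None
    # parse_qs percent-decodes, so "12%20OR%201%3D1" is inspected as "12 OR 1=1".
    params = parse_qs(parts.query, keep_blank_values=True)
    family_id = params.get("familyId", [""])[0]
    if FAMILY_ID_RE.fullmatch(family_id):
        severity, reason = "info", "legacy endpoint reached with numeric familyId"
    elif family_id == "":
        # Access logs do not carry POST bodies; the parameter may be there instead.
        severity, reason = "alert", "familyId absent from query string (check request body)"
    else:
        severity, reason = "alert", "non-numeric familyId"
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "method": m.group("method"),
        "familyId": family_id,
        "severity": severity,
        "reason": reason,
    }


def scan(lines):
    """Run the classifier over an iterable of log lines and keep the findings."""
    return [f for f in map(classify_request, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Since the log records the authenticated username, each alert can be tied back to the account that sent it, which matters here because the flaw is reachable by any authenticated user irrespective of their permissions.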

Remediation

Upgrade to ChurchCRM version 6.5.3 or later, where this vulnerability has been patched.

Added: Dec 17, 2025, 10:17 PM
Updated: Dec 17, 2025, 10:17 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 7.5
exploitability: 9.5
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.