EcclesiaCRM SQL Injection Vulnerability in Query Viewer Component
Vulnerability
A SQL injection vulnerability has been identified in EcclesiaCRM versions prior to 8.0.0. The issue resides in the Query Viewer component, specifically within the file v2/templates/query/queryview.php. The vulnerability allows authenticated users to inject arbitrary SQL commands through the custom and value parameters, bypassing normal query logic. This exploitation can lead to unauthorized access to sensitive database information, including personal member details, financial records, and administrative credentials.
Impact
Exploitation of this vulnerability allows for full database access, with the potential to exfiltrate sensitive information, modify or delete records depending on database user permissions, and disrupt database availability through heavy queries or data deletion.
Reproduction
To reproduce this vulnerability, an authenticated user with access to the Query Viewer component can send a POST request to the endpoint v2/query/view/200. The request must include a crafted payload in the custom parameter that exploits the SQL injection vulnerability, such as a UNION-based injection to extract data from the database.
Remediation
Users are advised to update to EcclesiaCRM version 8.0.0 or later, where this vulnerability has been fixed. For those using earlier versions, it is recommended to avoid granting database query access rights to users.
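To show the defect class this advisory describes and the shape of the fix, here is an added PHP illustration (not EcclesiaCRM's code): a filter builder that splices a column name and a value straight into SQL, beside a hardened version that allowlists the column and binds the value. The table, column names and the PDO connection are assumptions.

```php
<?php
// Added illustration, not EcclesiaCRM's code. Table/column names are assumed.

// Vulnerable pattern: $custom (a field name) and $value (a filter value) are
// concatenated into the SQL text, so client input is parsed as SQL and can
// change the statement's logic instead of acting as data.
function buildFilterUnsafe(string $custom, string $value): string
{
    return "SELECT per_FirstName, per_LastName FROM person_per "
         . "WHERE $custom = '$value'";
}

// Hardened pattern: identifiers cannot be bound, so the column name must come
// from a fixed allowlist; the value is bound to a placeholder so the database
// driver never interprets it as part of the statement.
const ALLOWED_FILTER_COLUMNS = ['per_FirstName', 'per_LastName', 'per_Email'];

function buildFilterSafe(PDO $pdo, string $custom, string $value): PDOStatement
{
    if (!in_array($custom, ALLOWED_FILTER_COLUMNS, true)) {
        throw new InvalidArgumentException("Unknown filter column: $custom");
    }
    $stmt = $pdo->prepare(
        "SELECT per_FirstName, per_LastName FROM person_per WHERE $custom = :value"
    );
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt;
}

// Demonstration against a constructed in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE person_per (per_FirstName TEXT, per_LastName TEXT, per_Email TEXT)");
$pdo->exec("INSERT INTO person_per VALUES ('Ada', 'Lovelace', 'ada@example.org')");

// A perfectly legitimate value with a quote already corrupts the unsafe SQL,
// which is the same mechanism an injection relies on.
echo buildFilterUnsafe('per_LastName', "O'Brien"), "\n";

// The safe builder treats the whole value as data...
$rows = buildFilterSafe($pdo, 'per_LastName', "O'Brien")->fetchAll(PDO::FETCH_ASSOC);
echo count($rows), " row(s) matched\n";

// ...and rejects any column name outside the allowlist before SQL is built.
try {
    buildFilterSafe($pdo, 'per_Phone', 'x');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```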
