ChurchCRM Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in ChurchCRM versions prior to 6.5.3. The application takes a URL from the Referer request header, which is fully under the client's control, and uses it to make outbound HTTP or HTTPS requests to arbitrary domains. The vulnerability was confirmed through Out-of-Band Application Security Testing (OAST), i.e. by observing the server's outbound request arrive at an external listener.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services, cloud metadata endpoints, or loopback addresses from the application server's network context. This could result in the exposure of sensitive data from internal HTTP services, use of the server as a proxy for port scanning or attacks against systems that are not otherwise exposed, and potential integrity or availability impacts depending on the targets reached.

Reproduction

To reproduce this vulnerability, send a request to any route that accesses the DonationFundEditor.php file. Include a crafted Referer header that contains a URL pointing to an attacker-controlled domain. The server will then make an outbound request to the URL specified in the Referer header, demonstrating the SSRF vulnerability.

Remediation

If arbitrary external requests are not intended, implement an allow-list of permitted schemes, hosts, and ports for server-side fetches. Enforce scheme restrictions to allow only HTTPS, canonicalize URLs before checking them, and block IP literals, private or loopback hostnames, and non-standard ports. Use DNS pinning or resolve-then-connect (validate every resolved address, then connect to the address that was validated) to prevent DNS rebinding, and never fetch URLs taken from request headers such as Referer. If some external interactions are necessary, restrict egress from the application network to the required destinations only, block access to internal address ranges, and harden the server so that services bound to loopback do not trust requests merely because they originate locally.
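The following Python module is an added example of the allow-list and resolve-then-connect checks described above; it is not ChurchCRM code and not part of this advisory. The allow-listed host api.example.org, the own-origin host crm.example.org, and the in-memory resolver used in the demo are all constructed for illustration. It also shows the safe way to use a Referer value: keep only the path when the origin is our own, never the full URL.

```python
"""Outbound-URL policy for server-side fetches (added example, not ChurchCRM code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy: HTTPS only, to named hosts on the standard port.
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_HOSTS = frozenset({"api.example.org"})   # placeholder allow-list
ALLOWED_PORTS = frozenset({443})


class UnsafeUrl(ValueError):
    """Raised when a URL fails the outbound policy."""


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_public_address(ip_str: str) -> bool:
    """True only for globally routable addresses; rejects loopback, RFC 1918,
    link-local (which covers the 169.254.169.254 metadata endpoint),
    multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver and return the distinct IP strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, pinned_ip, port) for a URL that passes policy, else raise UnsafeUrl.

    The caller must connect to pinned_ip (sending host as Host/SNI) so the address
    that was checked is the address actually used; resolving again at connect time
    would reopen the DNS-rebinding window.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    host = host.lower().rstrip(".")            # canonical form before any comparison
    if is_ip_literal(host):                    # also catches [::1] and 127.0.0.1
        raise UnsafeUrl("IP literals are not allowed")
    if host not in allowed_hosts:              # localhost etc. are simply not listed
        raise UnsafeUrl(f"host not on allow-list: {host!r}")
    try:
        port = parts.port or 443
    except ValueError as exc:
        raise UnsafeUrl("invalid port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {port}")
    addresses = resolver(host)
    if not addresses:
        raise UnsafeUrl("host did not resolve")
    for ip in addresses:                       # every answer must be public, not just the first
        if not is_public_address(ip):
            raise UnsafeUrl(f"{host} resolves to non-public address {ip}")
    return host, addresses[0], port


def is_allowed(url, **kwargs) -> bool:
    """Boolean wrapper around validate_outbound_url for callers that only need a verdict."""
    try:
        validate_outbound_url(url, **kwargs)
        return True
    except UnsafeUrl:
        return False


def same_origin_path(referer, own_host, default="/"):
    """Reduce a Referer to a local path. A Referer from any other origin yields the
    default, so header-controlled URLs never reach a fetch or redirect."""
    parts = urlsplit(referer or "")
    if parts.scheme.lower() != "https" or (parts.hostname or "").lower() != own_host:
        return default
    return parts.path or "/"


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; 93.184.216.34 is a public address,
    # 10.0.0.5 simulates a rebinding answer for an otherwise allow-listed host.
    fake_dns = {"api.example.org": ["93.184.216.34"], "rebind.example.org": ["10.0.0.5"]}
    resolver = lambda h: fake_dns.get(h, [])
    print(validate_outbound_url("https://api.example.org/v1", resolver=resolver))
    print(is_allowed("https://rebind.example.org/", resolver=resolver,
                     allowed_hosts={"rebind.example.org"}))
    print(same_origin_path("https://attacker.example/x", "crm.example.org"))
```

The resolver is injectable so the policy can be unit-tested without network access; in production leave the default and hand the returned pinned address to the HTTP client.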

Added: Apr 7, 2026, 7:10 PM
Updated: Apr 7, 2026, 7:10 PM

Vulnerability Rating

Custom Algorithm (score per category, 0 to 10)
spread:         1.9
impact:         0.4
exploitability: 7.4
remediation:    7.7
relevance:      5.4
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.