ChurchCRM Second Order SQL Injection Vulnerability in FundRaiserEditor.php

Vulnerability

A second order SQL injection vulnerability exists in ChurchCRM, an open-source church management system, in versions prior to 7.1.0. The vulnerability is located in the FundRaiserEditor.php endpoint, where authenticated users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter. This injection allows users to extract and modify database information. The issue arises because the application improperly sanitizes the FundRaiserID parameter, enabling SQL injection that can be exploited in several other PHP files.

Impact

Exploitation of this vulnerability leads to complete database compromise, allowing read, write, and delete operations. It enables extraction of all sensitive ChurchCRM data, potential privilege escalation, and could allow remote code execution depending on SQL functions and configuration.

Reproduction

To reproduce this vulnerability, log in as an authenticated user. Once logged in, access the FundRaiserEditor.php endpoint and inject SQL payloads through the FundRaiserID parameter. The injected SQL is executed in the context of the application, allowing manipulation of the database. After injecting the SQL, navigate to one of the vulnerable PHP files that concatenate the iCurrentFundraiser session parameter into SQL queries without proper sanitization. The injected SQL can then be exploited, for example, by using SQLmap to automate the extraction of database information.
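The pattern described above (a request parameter parked in the session, then concatenated into SQL by a later request) beside its hardened form, as an added illustration that is not ChurchCRM's code: table and column names, the SQLite in-memory PDO setup and the `$session` array standing in for `$_SESSION` are all assumptions.

```php
<?php
// Added illustration, not ChurchCRM's code. Table/column names and the PDO
// (SQLite in-memory) setup are assumed; $session stands in for $_SESSION.

// --- Vulnerable pattern: validate nowhere, trust the session later ---
function storeFundraiserVulnerable(array &$session, array $get): void
{
    // Whatever the client sent (including SQL text) is stored for later use.
    $session['iCurrentFundraiser'] = $get['FundRaiserID'];
}

function loadFundraiserVulnerable(PDO $pdo, array $session): array
{
    // Second-order sink: a value that merely came from the session is treated
    // as trusted and concatenated into the query. The injection fires here,
    // possibly in a different file from the one that stored it.
    $sql = 'SELECT fr_ID, fr_Title FROM fundraiser_fr WHERE fr_ID = '
         . $session['iCurrentFundraiser'];
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern: validate at entry AND parameterize every sink ---
function storeFundraiserSafe(array &$session, array $get): void
{
    $id = filter_var($get['FundRaiserID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('FundRaiserID must be a positive integer');
    }
    $session['iCurrentFundraiser'] = $id;
}

function loadFundraiserSafe(PDO $pdo, array $session): array
{
    // Bound parameters are sent as data, so the value is never parsed as SQL
    // regardless of which request originally put it in the session.
    $stmt = $pdo->prepare('SELECT fr_ID, fr_Title FROM fundraiser_fr WHERE fr_ID = :id');
    $stmt->execute([':id' => (int) $session['iCurrentFundraiser']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on a constructed in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE fundraiser_fr (fr_ID INTEGER PRIMARY KEY, fr_Title TEXT)');
$pdo->exec("INSERT INTO fundraiser_fr VALUES (1, 'Spring Gala'), (2, 'Bake Sale')");

$session = [];
storeFundraiserSafe($session, ['FundRaiserID' => '2']);
print_r(loadFundraiserSafe($pdo, $session));   // only the row with fr_ID 2

try {
    storeFundraiserSafe($session, ['FundRaiserID' => '2 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo "Rejected at entry: {$e->getMessage()}\n";
}
```

The fix has to cover both halves: input validation alone leaves any sink that still concatenates exposed to values written into the session by other code paths, so each query that reads the session value is parameterized as well.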

Remediation

Users should update to ChurchCRM version 7.1.0 or later, where this vulnerability has been fixed.

Added: Apr 7, 2026, 7:04 PM
Updated: Apr 7, 2026, 7:04 PM

Vulnerability Rating

Custom Algorithm

spread:          1.9
impact:          3.1
exploitability:  6.6
remediation:     7.7
relevance:       5.4
threat:          6.4
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.