ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 7.0.5
A critical SQL injection vulnerability has been identified in ChurchCRM versions prior to 7.1.0. The issue resides in the PropertyTypeEditor.php file, where the Name and Description POST parameters are inadequately sanitized before being concatenated directly into SQL queries. This flaw enables authenticated users with 'Manage Properties' permission to execute arbitrary SQL commands, allowing unauthorized data access, modification, and deletion. The injected data persists in the database and is displayed across multiple application pages without proper output encoding.
Exploitation of this vulnerability allows arbitrary SQL execution, leading to potential data exfiltration, modification, and deletion. Based on its CVSS vector, the vulnerability is rated High with a score of 8.6.
To reproduce this vulnerability, log into ChurchCRM with a user account that has 'Manage Properties' permission. Access the PropertyTypeEditor.php page and submit a POST request with crafted Name and Description parameters that include SQL injection payloads. The injected SQL will be executed, demonstrating the vulnerability by, for example, extracting database information or admin credentials.
Users are advised to update to ChurchCRM version 7.1.0 or later, where this vulnerability has been fixed.
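The following is an added illustration of the defect class described above and of the fix pattern a prepared statement provides; it is not ChurchCRM's own code, and the table name, column names and function names are assumptions chosen for the example. It runs stand-alone with PHP's pdo_sqlite extension against an in-memory database. A legitimate value containing a single quote is enough to show why concatenation is unsafe: the quote terminates the string literal early and the statement no longer means what the developer intended, whereas the bound parameter stores the same value unchanged.

```php
<?php
// Added example, not ChurchCRM's own code. Table, columns and function names are assumptions.
// Requires PHP with the pdo_sqlite extension; uses an in-memory database so it runs offline.

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE property_type (id INTEGER PRIMARY KEY, name TEXT NOT NULL, description TEXT)');
    return $pdo;
}

// Vulnerable pattern: request parameters are spliced into the SQL text itself.
// Any quote character in $name or $description changes the structure of the statement.
function insertPropertyTypeVulnerable(PDO $pdo, string $name, string $description): void {
    $sql = "INSERT INTO property_type (name, description) VALUES ('" . $name . "', '" . $description . "')";
    $pdo->exec($sql);
}

// Fixed pattern: a prepared statement with bound parameters. The SQL text is fixed
// before any user data is supplied, so the data is never parsed as SQL.
function insertPropertyTypeSafe(PDO $pdo, string $name, string $description): int {
    $stmt = $pdo->prepare('INSERT INTO property_type (name, description) VALUES (:name, :description)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':description', $description, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Stored values are rendered on other pages: encode on output so whatever was
// stored is displayed as text rather than interpreted as HTML.
function renderPropertyType(array $row): string {
    $enc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li>' . $enc($row['name']) . ' - ' . $enc($row['description'] ?? '') . '</li>';
}

$pdo = setupDb();

// Constructed sample input: a perfectly legitimate name that happens to contain a quote.
$name = "Members' Directory";
$description = 'Listed in the <b>directory</b>';

try {
    insertPropertyTypeVulnerable($pdo, $name, $description);
} catch (PDOException $e) {
    // The quote ends the string literal early and the statement fails to parse.
    // A value chosen to keep the statement syntactically valid would instead alter its meaning.
    echo 'Concatenated query failed: ' . $e->getMessage() . PHP_EOL;
}

$id = insertPropertyTypeSafe($pdo, $name, $description);

$stmt = $pdo->prepare('SELECT name, description FROM property_type WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The stored value is intact, and the markup in the description is rendered inert.
echo renderPropertyType($row) . PHP_EOL;
```

The same two changes address both halves of the advisory: binding parameters removes the injection, and encoding at render time stops stored values from being interpreted as markup on the pages that display them.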