ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 7.0.5
A SQL injection vulnerability exists in ChurchCRM versions through 7.0.5, specifically in the PropertyAssign.php endpoint. Authenticated users with the Manage Groups & Roles and Edit Records privileges can exploit this vulnerability by injecting arbitrary SQL statements through the Value parameter. This exploitation allows them to extract and modify information in the database.
Exploitation of this vulnerability could lead to a complete compromise of the database, allowing unauthorized read, write, and delete operations. It could also result in the extraction of sensitive ChurchCRM data, potential privilege escalation, and in some cases, remote code execution, depending on the SQL functions available and the system's configuration.
To reproduce this vulnerability, assign a user the Manage Groups & Roles and Edit Records privileges. After logging in as this user, the SQL injection can be performed by sending a POST request to the PropertyAssign.php endpoint with an injected SQL payload in the Value parameter. The injection can be verified by using a tool like sqlmap to extract database information, demonstrating the successful exploitation of the vulnerability.
Users are advised to update ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.
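As an added example (not ChurchCRM code and not part of the original advisory), the following sketch flags logged POST requests to PropertyAssign.php whose Value field carries SQL syntax, which can help review activity on installations that were running 7.0.5 or earlier. It assumes a JSON-lines request log with user, method, path and URL-encoded body fields; that schema, the rule set and the sample records are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/propertyassign.php"  # endpoint named in the advisory (compared lowercase)
PARAM = "Value"                   # injectable POST parameter named in the advisory

# Heuristics (assumed, tune per site): SQL syntax a property value should not carry.
RULES = {
    "quote_then_keyword": re.compile(r"['\"]\s*(?:(?:or|and|union|select)\b|;)", re.I),
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "sql_comment": re.compile(r"--\s|/\*"),
    "time_or_schema_probe": re.compile(r"\b(?:sleep|benchmark)\s*\(|information_schema", re.I),
}

def check_request(record):
    """Return sorted rule names matched by the Value field of one logged request."""
    path = urlsplit(record.get("path", "")).path.lower()
    if record.get("method", "").upper() != "POST" or not path.endswith(ENDPOINT):
        return []
    # parse_qs URL-decodes the form body; repeated Value fields are all checked.
    values = parse_qs(record.get("body", "")).get(PARAM, [])
    return sorted(n for n, rx in RULES.items() if any(rx.search(v) for v in values))

def scan(lines):
    """Return [(user, rules)] for each suspicious request in JSON-lines log input."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON
        rules = check_request(record)
        if rules:
            findings.append((record.get("user"), rules))
    return findings

# Constructed sample records, not taken from a real system.
SAMPLE_LOG = [
    '{"user": "alice", "method": "POST", "path": "/PropertyAssign.php", "body": "Value=Sings+tenor+and+plays+organ"}',
    '{"user": "bob", "method": "POST", "path": "/PropertyAssign.php", "body": "Value=D%27Orsay+family+contact"}',
    '{"user": "mallory", "method": "POST", "path": "/PropertyAssign.php", "body": "Value=x%27+OR+%271%27%3D%271"}',
    '{"user": "mallory", "method": "GET", "path": "/PropertyAssign.php", "body": ""}',
]

if __name__ == "__main__":
    for user, rules in scan(SAMPLE_LOG):
        print(user, rules)
```

Matches are leads for review rather than proof of exploitation, since free-text property values can legitimately contain quotes or punctuation.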