ChurchCRM SQL Injection Vulnerability in PropertyTypeEditor.php Prior to 7.1.0

Vulnerability

A SQL injection vulnerability has been identified in ChurchCRM versions 6.3.0 through 7.0.5. The issue resides in PropertyTypeEditor.php, within the administration features for managing property type categories. The vulnerability was introduced when the input sanitization function legacyFilterInput(), which both removed HTML and escaped SQL, was replaced by sanitizeText(), which only removes HTML. This change allowed user-provided data in the Name and Description fields to be directly concatenated into SQL INSERT and UPDATE queries without proper escaping. As a result, any authenticated user with the MenuOptions role could execute time-based blind SQL injection, exfiltrating data from the database, including password hashes of all users.
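The root cause described above, as an added example that is not ChurchCRM's own code: the concatenating pattern next to a prepared-statement rewrite. It assumes PDO over an in-memory SQLite table whose name and columns are placeholders, and uses strip_tags() as a stand-in for sanitizeText().

```php
<?php
// Added example, not ChurchCRM's own code. SQLite stands in for MySQL and the
// table/column names (property_type, name, description) are placeholders.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE property_type (id INTEGER PRIMARY KEY, name TEXT, description TEXT)');

// Stand-in for sanitizeText(): strips HTML tags only; quotes pass through untouched,
// so it does nothing to protect the SQL the value is later concatenated into.
function sanitizeText(string $s): string
{
    return trim(strip_tags($s));
}

// Vulnerable pattern as the advisory describes it: sanitized text is concatenated
// directly into the INSERT, so a single quote in Name alters the query itself.
function insertPropertyTypeVulnerable(PDO $db, string $name, string $desc): void
{
    $name = sanitizeText($name);
    $desc = sanitizeText($desc);
    $db->exec("INSERT INTO property_type (name, description) VALUES ('$name', '$desc')");
}

// Hardened form: a prepared statement keeps the SQL text fixed and passes the
// values separately, so user input is never interpreted as query syntax.
function insertPropertyTypeSafe(PDO $db, string $name, string $desc): void
{
    $stmt = $db->prepare('INSERT INTO property_type (name, description) VALUES (:name, :desc)');
    $stmt->bindValue(':name', sanitizeText($name), PDO::PARAM_STR);
    $stmt->bindValue(':desc', sanitizeText($desc), PDO::PARAM_STR);
    $stmt->execute();
}

// Constructed input: an ordinary category name with an apostrophe and an HTML tag.
$name = "O'Brien <b>Family</b> Pew";

try {
    insertPropertyTypeVulnerable($db, $name, 'Reserved seating');
} catch (PDOException $e) {
    // The apostrophe ended the string literal early: the input now shapes the
    // query structure, which is exactly the condition SQL injection relies on.
    echo 'Concatenated query failed: ' . $e->getMessage() . PHP_EOL;
}

insertPropertyTypeSafe($db, $name, 'Reserved seating');
$row = $db->query('SELECT name FROM property_type')->fetch(PDO::FETCH_ASSOC);
echo 'Stored via prepared statement: ' . $row['name'] . PHP_EOL;
```

The same apostrophe that breaks the concatenated query is stored verbatim by the prepared statement, which is why the fix is parameterization rather than a better escaping routine.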

Impact

Exploitation of this vulnerability allows authenticated users with the MenuOptions role to fully compromise the ChurchCRM database. This includes extracting all user accounts and password hashes, accessing sensitive personal records such as names, addresses, and donation histories, and modifying or deleting arbitrary database entries. Additionally, the extracted password hashes could be cracked offline to gain administrative access.

Reproduction

To reproduce this vulnerability, log in as a user with the MenuOptions role. Navigate to PropertyTypeEditor.php and enter a value in the Name field that contains SQL injection syntax. After saving, the injection can be confirmed by observing the application's response time, since the time-based blind technique introduces a measurable delay. Once confirmed, the same technique can be used to exfiltrate data, for example by injecting a query that retrieves password hashes from the database.

Remediation

Users are advised to update to ChurchCRM version 7.1.0, where this vulnerability has been fixed.

Added: Apr 7, 2026, 6:52 PM
Updated: Apr 7, 2026, 6:52 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 3.1
exploitability: 6.6
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.