ChurchCRM SQL Injection Vulnerability in Event Type Editor

Vulnerability

A SQL injection vulnerability has been identified in ChurchCRM versions through 7.0.5, specifically in the EditEventTypes.php file, which is accessible only to administrators. The vulnerability arises because the EN_tyid POST parameter is not properly sanitized before being incorporated into a SQL query. This oversight allows administrators to execute arbitrary SQL commands against the database. The issue has been resolved in version 7.1.0.
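The following PHP is an added illustration, not ChurchCRM's own code: it shows the defect class the advisory describes (a raw POST value spliced into SQL text) next to a hardened version that validates the value as an integer and binds it as a query parameter. The table and column names (`event_types`, `type_id`, `type_name`), the function names and the PDO connection are assumptions for the example.

```php
<?php
// Added example, not ChurchCRM code. Table/column names, function names and the
// PDO handle are assumed; the sample rows below are constructed for the demo.
declare(strict_types=1);

/**
 * UNSAFE pattern (do not use): the request value becomes part of the SQL text,
 * so whatever the client sent is parsed by the database as SQL, not as data.
 * This is the shape of defect the advisory describes for EN_tyid.
 */
function loadEventTypeUnsafe(PDO $pdo, array $post): ?array
{
    $sql = "SELECT type_id, type_name FROM event_types WHERE type_id = " . $post['EN_tyid'];
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Hardened step 1: reject anything that is not a positive decimal integer
 * before any SQL is built. FILTER_VALIDATE_INT returns false for letters,
 * operators, embedded SQL fragments, null, or out-of-range values.
 */
function validateEventTypeId(mixed $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    if ($id === false) {
        throw new InvalidArgumentException('EN_tyid must be a positive integer');
    }
    return $id;
}

/**
 * Hardened step 2: the query text is fixed; the value travels as a bound
 * parameter, so the database never interprets it as SQL.
 */
function loadEventTypeSafe(PDO $pdo, array $post): ?array
{
    $id = validateEventTypeId($post['EN_tyid'] ?? null);
    $stmt = $pdo->prepare('SELECT type_id, type_name FROM event_types WHERE type_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage sketch against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE event_types (type_id INTEGER PRIMARY KEY, type_name TEXT NOT NULL)');
$pdo->exec("INSERT INTO event_types VALUES (1, 'Service'), (2, 'Meeting')");

var_dump(loadEventTypeSafe($pdo, ['EN_tyid' => '2']));   // row for "Meeting"

try {
    // Anything that is not a plain integer is rejected before a query exists.
    loadEventTypeSafe($pdo, ['EN_tyid' => '2 extra']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The validation step matters even with a prepared statement: it turns malformed input into a clean 4xx-style error at the edge instead of a database error, which is also a useful signal to log when reviewing admin activity on this page.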

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, providing direct, unfiltered access to the database. This could enable an attacker to bypass application-level security and logging, exfiltrate the entire database, or escalate privileges from the database user to the operating system user, potentially leading to a full server compromise.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the 'Event Types' management page. Intercept the POST request to EditEventTypes.php using a proxy tool such as Burp Suite. Modify the EN_tyid parameter to include a time-based blind SQL injection payload, i.e. one that causes the database to pause before responding. Forward the modified request; a delayed response confirms that the injected SQL was executed.

Remediation

Upgrade to ChurchCRM version 7.1.0 or later, which fixes this vulnerability.

Added: Apr 7, 2026, 8:10 PM
Updated: Apr 7, 2026, 8:10 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 3.1
exploitability: 6.1
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.