ChurchCRM Database Backup Restore Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in ChurchCRM, an open-source church management system, in versions prior to 7.2.0. The issue arises in the database backup restore functionality, where uploaded archive contents are extracted and files from the Images directory are copied into the web-accessible document root without any file extension filtering. This flaw allows an authenticated administrator to upload a malicious backup archive containing a PHP web shell, which is then written to a publicly accessible path and can be executed via HTTP requests. The vulnerability is exacerbated by the restore endpoint's lack of CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the server, with confirmed impacts including arbitrary operating system command execution, exposure of database credentials, lateral movement within the server environment, and a persistent backdoor via the uploaded web shell, which survives application restarts.

Reproduction

To reproduce this vulnerability, an authenticated administrator must upload a crafted .tar.gz backup archive through the ChurchCRM database restore API. The archive must contain a PHP web shell embedded in the Images directory. Once the archive is uploaded, the web shell will be extracted and copied to a publicly accessible directory, such as /Images/Person/ or /Images/Family/. After the restoration process, the web shell can be accessed via HTTP and used to execute commands on the server.
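The check the advisory says the vulnerable restore lacked, as an added defender-side example (not ChurchCRM's own code or its 7.2.0 fix): before an archive member from the Images directory is copied into the document root, require a regular file, a path that stays under Images/, a single allowlisted image extension, and content whose magic bytes match that extension. The sample archive, its member names and the allowlist are constructed for this example.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Only these file types may be written under the web-served Images/ tree.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
IMAGES_ROOT = "Images"


def check_member(member, data):
    """Return None if the archive member may be restored, else the rejection reason."""
    if not member.isfile():
        return "not a regular file"          # no symlinks, devices or directories
    p = PurePosixPath(member.name)
    if p.is_absolute() or ".." in p.parts:
        return "path traversal"
    if not p.parts or p.parts[0] != IMAGES_ROOT:
        return "outside Images/"
    ext = p.suffix.lower()
    if len(p.suffixes) != 1 or ext not in ALLOWED_EXT:
        return "extension not allowed"      # rejects .php, .phtml, .htaccess, a.php.jpg, ...
    if not data.startswith(MAGIC[ext]):
        return "content does not match extension"
    return None


def filter_backup(archive_bytes):
    """Map every member name in a .tar.gz backup to None (accepted) or a rejection reason."""
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar:
            data = tar.extractfile(m).read() if m.isfile() else b""
            verdicts[m.name] = check_member(m, data)
    return verdicts


def build_sample_archive():
    """Constructed test archive: one valid image and three members a restore must refuse."""
    members = [
        ("Images/Person/1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),   # real JPEG header
        ("Images/Family/2.png", b"<?php /* not an image */ ?>"),      # wrong magic bytes
        ("Images/Person/shell.php", b"<?php /* disallowed */ ?>"),    # executable extension
        ("Images/../index.php", b"x"),                                 # escapes Images/
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Only members whose verdict is None should ever be written under the document root; everything else is logged and dropped.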

Remediation

Users can update to ChurchCRM version 7.2.0 or later, where this vulnerability has been fixed. Instructions for updating can be found in the ChurchCRM documentation.

Added: Apr 18, 2026, 12:21 AM
Updated: Apr 18, 2026, 12:21 AM

Vulnerability Rating

Custom Algorithm

  spread          1.9
  impact          7.5
  exploitability  7.4
  remediation     7.7
  relevance       6.4
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.