ChurchCRM Family Record Deletion Vulnerability Allowing Cross-Site Request Forgery

Vulnerability

A vulnerability in ChurchCRM's family record deletion process has been identified, affecting versions prior to 7.2.0. The issue lies in the SelectDelete.php file, whose deletion endpoint permanently removes a family record in response to a plain GET request. Because the endpoint has no Cross-Site Request Forgery (CSRF) protection, an attacker can host a malicious page that, when visited by an authenticated administrator, silently deletes targeted family records together with their associated notes, pledges, persons, property data, and photo files. The vulnerability is patched in version 7.2.0, which removes the GET-based deletion path and replaces it with an API endpoint that includes CSRF protection.

Impact

Exploitation of this vulnerability leads to the unauthorized and irreversible deletion of family records and all related data, including notes, pledges, member persons, property information, and photo files.

Reproduction

To reproduce this vulnerability, send a GET request to SelectDelete.php with the 'FamilyID' parameter set to the ID of the family record to be deleted, along with the 'Confirmed' parameter set to '1'. This request can be made manually or through a crafted webpage that automates the process, such as one that uses JavaScript to send the request when loaded.

Remediation

Users can update to ChurchCRM version 7.2.0 or later, where this vulnerability has been fixed.
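Because the flaw is in a GET endpoint, every exploitation attempt leaves the request shape from the Reproduction section in the web server's access log, so administrators who patched late can check whether it was used against them. The following is an added example (not part of this advisory or of ChurchCRM) that scans Apache/nginx "combined" log lines and flags deletion requests to SelectDelete.php carrying FamilyID and Confirmed=1 whose Referer is absent or points to a host other than the CRM's own; the host name crm.example.org and the log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_forged_delete(entry, own_host):
    """True when an entry matches the advisory's CSRF pattern: a GET to
    SelectDelete.php with FamilyID and Confirmed=1 whose Referer is missing
    or from a host other than the CRM itself (own_host)."""
    if entry is None or entry["method"] != "GET":
        return False
    url = urlparse(entry["path"])
    if not url.path.endswith("/SelectDelete.php"):
        return False
    query = parse_qs(url.query)
    if "FamilyID" not in query or query.get("Confirmed") != ["1"]:
        return False  # confirmation page view or unrelated request, not a deletion
    referer = entry["referer"]
    if referer in ("", "-"):
        return True  # no Referer: nothing shows it came from the CRM's own UI, review it
    return urlparse(referer).hostname != own_host

def find_forged_deletes(lines, own_host):
    """Return (client ip, authenticated user, FamilyID) for every suspicious deletion."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_forged_delete(entry, own_host):
            family_id = parse_qs(urlparse(entry["path"]).query)["FamilyID"][0]
            hits.append((entry["ip"], entry["user"], family_id))
    return hits

# Constructed sample log: one legitimate deletion from the CRM UI, one forged from a
# foreign page, one with no Referer, plus a confirmation-page view and a normal page hit.
SAMPLE_LOG = [
    '10.0.0.5 - admin [18/Apr/2026:00:10:01 +0000] "GET /SelectDelete.php?FamilyID=42&Confirmed=1 HTTP/1.1" 302 0 "https://crm.example.org/v2/family/42" "Mozilla/5.0"',
    '10.0.0.5 - admin [18/Apr/2026:00:12:44 +0000] "GET /SelectDelete.php?FamilyID=77&Confirmed=1 HTTP/1.1" 302 0 "https://foreign-site.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - admin [18/Apr/2026:00:13:02 +0000] "GET /SelectDelete.php?FamilyID=78&Confirmed=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [18/Apr/2026:00:14:10 +0000] "GET /SelectDelete.php?FamilyID=42 HTTP/1.1" 200 1843 "https://crm.example.org/v2/family/42" "Mozilla/5.0"',
    '10.0.0.5 - admin [18/Apr/2026:00:15:00 +0000] "GET /v2/family/42 HTTP/1.1" 200 9120 "https://crm.example.org/v2/family" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, user, fid in find_forged_deletes(SAMPLE_LOG, "crm.example.org"):
        print(f"possible CSRF deletion: user={user} client={ip} FamilyID={fid}")
```

A missing Referer is only a signal, since browsers and referrer policies may strip it, so those hits need correlation with the user's own session activity; requests to SelectDelete.php of any kind after upgrading to 7.2.0 are themselves worth investigating, because that path no longer performs deletions.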

Added: Apr 18, 2026, 12:19 AM
Updated: Apr 18, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm

  spread          1.9
  impact          2.5
  exploitability  7.5
  remediation     7.7
  relevance       6.3
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.