ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
Affected versions: < 7.3.2
A cross-site request forgery (CSRF) vulnerability has been identified in ChurchCRM versions prior to 7.3.2. The issue arises in UserEditor.php, where user account creation and permission updates are processed solely on the basis of $_POST parameters, with no CSRF token validation. This flaw enables an unauthenticated attacker to craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates a low-privilege user to full administrator or creates a new administrator backdoor account, without the victim's awareness.
Exploitation of this vulnerability allows unauthorized elevation of user privileges, granting full administrative rights to low-privilege users. It also enables the creation of backdoor admin accounts, with the credentials delivered to an attacker-controlled email address through the self-registration flow.
To reproduce this vulnerability, an attacker must first identify a valid PersonID of a low-privilege user account. This can be done by registering a new account through the public API or by enumerating existing accounts via the people API. Once a PersonID is obtained, the attacker can create a malicious HTML page that automatically submits a form to UserEditor.php, including the PersonID and the necessary parameters to elevate the user's privileges or create a backdoor admin account. The crafted page must be hosted and then visited by an authenticated administrator.
Users are advised to update to ChurchCRM version 7.3.2 or later, where this vulnerability has been fixed.
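The root cause described above is a state-changing handler that trusts $_POST alone. The following is an added illustration, not ChurchCRM's code nor its actual 7.3.2 fix: a hypothetical permission-update handler written in that unsafe style, beside a hardened version that requires a per-session synchronizer token (all function and field names are assumptions).

```php
<?php
// Defence in depth: a SameSite session cookie stops most cross-site form posts
// from carrying the admin session at all (PHP 7.3+ option names).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// --- Vulnerable pattern (hypothetical): any POST that reaches the script is acted on.
// A form auto-submitted from an attacker's page looks identical to a legitimate one.
function updatePermissionsUnsafe(array $post): array
{
    return [
        'person_id' => (int) ($post['PersonID'] ?? 0),
        'admin'     => isset($post['Admin']),   // role change that would be written to the DB
    ];
}

// --- Hardened pattern: a secret token bound to the session, required on every state change.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG value
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(array $post): bool
{
    $known = $_SESSION['csrf_token'] ?? '';
    $sent  = $post['csrf_token'] ?? '';
    // Reject when no token was ever issued, and compare in constant time.
    return $known !== '' && is_string($sent) && hash_equals($known, $sent);
}

function updatePermissionsSafe(array $post): array
{
    // A cross-origin page cannot read the victim's token, so a forged request fails here.
    if (!csrfTokenIsValid($post)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    return [
        'person_id' => (int) ($post['PersonID'] ?? 0),
        'admin'     => isset($post['Admin']),
    ];
}

// The legitimate edit form must embed the token so real submissions carry it:
// <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfToken()) ?>">
```

A request from another origin fails the token check regardless of how the browser attached the session cookie, so the SameSite attribute and the token complement each other rather than substitute for one another.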