EcclesiaCRM SQL Injection Vulnerability in Query View

Vulnerability

A SQL injection vulnerability has been identified in EcclesiaCRM versions through 8.0.0. The issue arises in the ValidateInput() function's default case, where user-supplied POST parameters are directly inserted into SQL queries without proper sanitization. This flaw allows SQL injection through query parameters that utilize non-standard validation types. The vulnerability is a result of an incomplete fix for a previous SQL injection issue.

Impact

Exploitation of this vulnerability allows authenticated users to inject arbitrary SQL into queries, potentially leading to unauthorized data access, data modification, or database manipulation, such as dropping tables.

Reproduction

To reproduce this vulnerability, an authenticated user must access the Query View feature and provide a query parameter with a non-standard validation type. The ValidateInput() function will process the parameter without sanitization, allowing for SQL injection through the ProcessSQL() function, which replaces parameter placeholders in SQL query templates with the unsanitized user-provided values.

Remediation

The vulnerability has been partially addressed by applying InputUtils::LegacyFilterInput() to the default case in the ValidateInput() function. However, this blocklist-based filter may not effectively catch all SQL injection vectors. It is recommended to replace the str_replace() function in ProcessSQL() with PDO prepared statements that use :alias placeholders. If modifying the SQL template is too disruptive, at the very least, use the PDO quote() method on all substituted values.
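As an added illustration of the remediation described above (example code written for this advisory, not EcclesiaCRM's own ProcessSQL()), the three substitution strategies side by side. It assumes a PDO handle to the CRM database, that legacy templates mark parameters as ~alias~ (an assumed syntax) while hardened templates use :alias, and it constructs its own SQLite table and sample row.

```php
<?php
// Added example, not EcclesiaCRM's own code. Assumes a PDO handle to the CRM
// database, and that legacy templates mark parameters as ~alias~ (assumed
// syntax) while the hardened templates use :alias. Table and data are constructed.
declare(strict_types=1);

// Legacy pattern described in the advisory: the raw parameter value is
// spliced into the SQL text, so it can alter the statement itself.
function processSqlLegacy(string $template, array $params): string
{
    foreach ($params as $alias => $value) {
        $template = str_replace("~$alias~", (string) $value, $template);
    }
    return $template;
}

// Recommended fix: values are bound to :alias placeholders, never concatenated.
function processSqlPrepared(PDO $pdo, string $template, array $params): PDOStatement
{
    $stmt = $pdo->prepare($template);
    foreach ($params as $alias => $value) {
        $stmt->bindValue(":$alias", (string) $value, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt;
}

// Fallback if templates cannot change: quote() wraps and escapes the value,
// so the template must reference ~alias~ WITHOUT its own surrounding quotes.
function processSqlQuoted(PDO $pdo, string $template, array $params): string
{
    foreach ($params as $alias => $value) {
        $template = str_replace("~$alias~", $pdo->quote((string) $value), $template);
    }
    return $template;
}

// Constructed sample: a legitimate surname with an apostrophe. Legacy
// substitution yields malformed SQL; binding and quoting treat it as data.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE people (id INTEGER, last_name TEXT)");
$pdo->exec("INSERT INTO people VALUES (1, 'O''Brien')");
$params = ['name' => "O'Brien"];

echo processSqlLegacy("SELECT id FROM people WHERE last_name = '~name~'", $params), "\n";
$stmt = processSqlPrepared($pdo, "SELECT id FROM people WHERE last_name = :name", $params);
echo count($stmt->fetchAll(PDO::FETCH_COLUMN)), " row(s) via prepared statement\n";
$sql = processSqlQuoted($pdo, "SELECT id FROM people WHERE last_name = ~name~", $params);
echo count($pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN)), " row(s) via quote()\n";
```

The legacy line prints SQL that a database would reject on an ordinary apostrophe, which is the same mechanism that lets a crafted value change the query; the bound and quoted forms both return the one matching row.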

Added: May 13, 2026, 9:24 PM
Updated: May 13, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.3
remediation: 0.0
relevance: 8.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.