ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 7.2.2
A cross-site request forgery (CSRF) vulnerability has been identified in ChurchCRM, an open-source church management system, in versions through 7.2.2. The issue arises from three legacy DELETE endpoints: FundRaiserDelete.php, PropertyTypeDelete.php, and NoteDelete.php. Because these endpoints perform the deletion based solely on GET parameters, an external page can trigger them in the browser of a logged-in user with the appropriate role, leading to the unauthorized deletion of records. The vulnerability is exacerbated by the absence of CSRF token validation and by the 'SameSite=Lax' cookie setting, which permits the session cookie to be sent with top-level navigations.
Exploitation of this vulnerability allows for the unauthorized deletion of records through a cross-site GET request. The impact varies by endpoint: FundRaiserDelete.php removes individual fundraiser records; PropertyTypeDelete.php deletes entire property types along with associated properties and record assignments, representing the highest impact; NoteDelete.php removes pastoral notes linked to individuals or families.
The vulnerability can be reproduced by logging into a ChurchCRM account with the necessary permissions for one of the affected DELETE endpoints. After obtaining the session cookie, a cross-site GET request can be sent to one of the legacy DELETE endpoints. The request must include the session cookie and can be enhanced with 'Sec-Fetch' headers to simulate a top-level navigation from an external site. This will trigger the deletion process without the required CSRF token, exploiting the vulnerability.
To address this vulnerability, ChurchCRM users should update to version 7.3.2 or later, where the issue has been fixed.
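The two weaknesses named above (no CSRF token check, and a session cookie that SameSite=Lax still attaches to cross-site top-level GET navigations) can be illustrated with a hardened delete handler. The following PHP is an added example and is not ChurchCRM's code, nor a description of how version 7.3.2 fixed the issue; the function names, the `csrf_token` form field, the `user_can_delete` session flag and the in-memory SQLite table are assumptions made for the example.

```php
<?php
// Added example (not ChurchCRM code): a state-changing "delete" endpoint that
// (1) refuses GET, (2) validates a per-session CSRF token in constant time,
// (3) uses Fetch Metadata as defence in depth, and (4) issues the session
// cookie with SameSite=Strict. All names below are hypothetical.
declare(strict_types=1);

// SameSite=Strict: the browser will not attach this cookie to any cross-site
// request, including the top-level navigations that SameSite=Lax still allows.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

/** Per-session token; embed it as a hidden field in every form that mutates state. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token against the session token. */
function csrfTokenIsValid(mixed $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

/**
 * Abort unless the request is a POST carrying a valid token and, where the
 * browser sends Fetch Metadata, was not initiated by another site.
 */
function requireSameOriginPost(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('Method Not Allowed');
    }
    // Sec-Fetch-Site values: same-origin, same-site, none (user-initiated), cross-site.
    // Older browsers omit the header; then the token check alone decides.
    $site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null && !in_array($site, ['same-origin', 'same-site', 'none'], true)) {
        http_response_code(403);
        exit('Cross-site request rejected');
    }
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

/** Delete one record by id using a prepared statement; returns rows affected. */
function deleteRecord(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('DELETE FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

// ---- Handler body ------------------------------------------------------------
requireSameOriginPost();

// Authorization is still required; CSRF protection is in addition to it.
if (empty($_SESSION['user_can_delete'])) {
    http_response_code(403);
    exit('Forbidden');
}

$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Bad id');
}

// Constructed in-memory table standing in for the application's database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
$pdo->exec("INSERT INTO notes (id, body) VALUES (1, 'constructed sample note')");

$deleted = deleteRecord($pdo, $id);
header('Content-Type: text/plain');
echo $deleted === 1 ? "Deleted record $id\n" : "No such record\n";

// The submitting form must carry the token, e.g.:
// <form method="post" action="NoteDelete.php">
//   <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfToken()) ?>">
//   <input type="hidden" name="id" value="1">
//   <button>Delete</button>
// </form>
```

With this pattern a cross-site GET of the kind described in the advisory fails at the method check before any token or cookie is considered, and a forged cross-site POST fails on the token (and, in browsers that send Fetch Metadata, on Sec-Fetch-Site as well). Moving the session cookie to SameSite=Strict is a separate, independent layer; it should not replace the token check, since not every client honours SameSite.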