Ecclesia CRM SQL Injection Vulnerability in Query Viewer Component
Vulnerability
A critical SQL injection vulnerability exists in Ecclesia CRM versions prior to 8.0.0, specifically within the Query Viewer component. The issue arises in the ValidateInput function of the /v2/query/view/ endpoint, where user-supplied parameters are improperly sanitized before being incorporated into SQL query templates. This flaw allows authenticated users to inject arbitrary SQL commands, potentially leading to unauthorized data access, including sensitive information from the database such as administrative credentials and personal member records. Additionally, the application inadvertently discloses the full executed SQL query in HTML comments, which could aid attackers in refining their exploitation techniques.
Impact
Exploitation of this vulnerability allows for full database access, including extraction of administrative usernames and password hashes, as well as personal member information, financial records, and pastoral notes. Depending on the database user permissions, there may also be the ability to modify or delete records. Furthermore, the vulnerability could disrupt database availability through the execution of heavy queries or data deletion.
Reproduction
To reproduce this vulnerability, an authenticated user must access the Query Viewer component and navigate to the /v2/query/view/200 endpoint. Once there, the custom parameter can be manipulated to include SQL injection payloads, such as a UNION-based injection, to extract data from the database. The injected SQL commands can be crafted to bypass the application's query logic and access sensitive information, taking advantage of the application's SQL query construction method, which uses insecure string substitution.
Remediation
Users are advised to update to Ecclesia CRM version 8.0.0 or later, where this vulnerability has been addressed. For those using earlier versions, it is recommended to implement input validation measures to sanitize query parameters and prevent SQL injection attacks.
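To make the root cause and the fix concrete, the following is an added illustration (not Ecclesia CRM's own code) of the query-template pattern the advisory describes: a trusted template with a placeholder that is filled from the user-controlled custom parameter. It assumes a constructed in-memory SQLite schema, a `~custom~` placeholder convention, and the function names shown; the hardened variant validates the parameter's type and then binds it as a query parameter instead of splicing it into the SQL text.

```python
import sqlite3

# Constructed stand-in for the CRM database (not the real Ecclesia schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE person (per_ID INTEGER, per_FirstName TEXT, per_Classification INTEGER);
        CREATE TABLE user_usr (usr_UserName TEXT, usr_Password TEXT);
        INSERT INTO person VALUES (1, 'Alice', 1), (2, 'Bob', 2);
        INSERT INTO user_usr VALUES ('admin', 'hash-placeholder');
    """)
    return db

# Trusted query template; ~custom~ is the slot filled from the request parameter
# (placeholder convention assumed for this illustration).
TEMPLATE = "SELECT per_FirstName FROM person WHERE per_Classification = ~custom~"

def run_vulnerable(db, custom):
    # Insecure string substitution: the raw parameter becomes part of the SQL
    # text, so anything the user sends is executed as SQL.
    sql = TEMPLATE.replace("~custom~", custom)
    return [row[0] for row in db.execute(sql)]

def run_hardened(db, custom):
    # Defence in depth: reject values that are not the expected type, then
    # replace the slot with a bind marker so the driver treats the value as
    # data rather than SQL.
    if not custom.isdigit():
        raise ValueError("custom parameter must be a non-negative integer")
    sql = TEMPLATE.replace("~custom~", "?")
    return [row[0] for row in db.execute(sql, (int(custom),))]

def hardened_rejects(db, custom):
    # Convenience check: True when the hardened path refuses the input.
    try:
        run_hardened(db, custom)
    except ValueError:
        return True
    return False
```

Run with a constructed UNION-style value in place of a plain classification number: the vulnerable path returns rows from the unrelated user table, while the hardened path refuses the input before any query runs.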
