Isn't admin allowed to make arbitrary SQL queries using QuerySQL.php?
Correct. However, we should be sanitising input appropriately on forms etc. Personally, I'm not a huge fan of the QuerySQL.php but it has made some support cases a lot easier - especially when not all admins are comfortable with phpMyAdmin or CLI MySQL tools.
@tuando243 - thanks for the report. I've categorised it as a security bug, but as it requires authenticated access it has limited risk to most setups (except our demo system!).
SQL Injection vulnerability in ChurchCRM 4.4.5 via /churchcrm/WhyCameEditor.php.
Steps to exploit:
Login as admin.
Redirect to the profile page and click on Edit "Why Came" Notes. Submit "Why Came" notes and capture the request in Burp Suite.

Save request to churchcrm.txt file and run sqlmap for injecting the PersonID parameter:


sqlmap -r churchcrm.txt -p PersonID
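To make the PersonID issue concrete, here is an added, stand-alone illustration of the injectable pattern and its fix. It is not ChurchCRM's code or schema: the `person` table, the `per_ID` and `why_came` columns, and the use of SQLite in place of MySQL are assumptions chosen only so the example runs offline. The vulnerable function concatenates the id into the WHERE clause, so a tautology payload rewrites every row and a boolean condition leaks data through the affected-row count (the signal sqlmap automates); the hardened function validates the id as an integer and binds it as a parameter.

```python
import sqlite3

# Constructed sample rows standing in for a person table with a "why came" note.
# Added example data, not ChurchCRM's schema.
SAMPLE_ROWS = [
    (1, "Alice", "Invited by a friend"),
    (2, "Bob", "Saw the sign outside"),
    (3, "Carol", "Moved to the area"),
]


def make_db():
    """Create an in-memory SQLite stand-in for the MySQL table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person (per_ID INTEGER PRIMARY KEY, name TEXT, why_came TEXT)"
    )
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def save_note_vulnerable(conn, person_id, note):
    """Injectable pattern: PersonID is concatenated straight into the WHERE clause.

    The note text itself is bound as a parameter so that the id is the only
    injection point. Returns the number of rows the UPDATE touched.
    """
    sql = "UPDATE person SET why_came = ? WHERE per_ID = " + str(person_id)
    cur = conn.execute(sql, (note,))
    conn.commit()
    return cur.rowcount


def save_note_hardened(conn, person_id, note):
    """Fixed pattern: reject anything that is not a positive integer, then bind it.

    Validation alone would be bypassable if the value were still concatenated;
    parameter binding alone would also be sufficient, but doing both gives a
    clear error on malformed input instead of a silent zero-row update.
    """
    if isinstance(person_id, bool) or not isinstance(person_id, int):
        if not (isinstance(person_id, str) and person_id.isdigit()):
            raise ValueError("PersonID must be a positive integer")
        person_id = int(person_id)
    cur = conn.execute(
        "UPDATE person SET why_came = ? WHERE per_ID = ?", (note, person_id)
    )
    conn.commit()
    return cur.rowcount


def blind_probe(conn, condition):
    """Boolean-based blind extraction against the vulnerable function.

    Appends an attacker-controlled condition to a valid id; the UPDATE affects
    one row when the condition is true and zero rows when it is false, which is
    exactly the kind of differential sqlmap looks for.
    """
    payload = "1 AND (" + condition + ")"
    return save_note_vulnerable(conn, payload, "probe") == 1


def notes(conn):
    """Return every why_came value in per_ID order (for checking results)."""
    return [row[0] for row in conn.execute("SELECT why_came FROM person ORDER BY per_ID")]


if __name__ == "__main__":
    db = make_db()
    print("tautology rows updated:", save_note_vulnerable(db, "1 OR 1=1", "pwned"))
    print("blind: first letter of person 3 is 'C'?",
          blind_probe(db, "(SELECT substr(name,1,1) FROM person WHERE per_ID=3)='C'"))
    db = make_db()
    try:
        save_note_hardened(db, "1 OR 1=1", "pwned")
    except ValueError as exc:
        print("hardened rejected payload:", exc)
```

A legitimate call such as `save_note_hardened(conn, "2", "text")` still updates exactly one row, so the fix changes nothing for the form's normal use; it only removes the path by which an authenticated user turns a notes field into arbitrary SQL.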