SQL Injection vulnerability in ChurchCRM 4.4.5 via /churchcrm/WhyCameEditor.php #6005

Open
tuando243 opened this issue May 17, 2022 · 2 comments

tuando243 commented May 17, 2022

SQL Injection vulnerability in ChurchCRM 4.4.5 via /churchcrm/WhyCameEditor.php.

Steps to exploit:

  1. Log in as admin.

  2. Redirect to profile page and click on Edit "Why Came" Notes.

  3. Submit "Why Came" notes and capture request in Burp Suite.

  4. Save request to churchcrm.txt file and run sqlmap for injecting the PersonID parameter: `sqlmap -r churchcrm.txt -p PersonID`

@PavelBlinnikov

Isn't admin allowed to make arbitrary SQL queries using QuerySQL.php?

@MrClever
Collaborator

> Isn't admin allowed to make arbitrary SQL queries using QuerySQL.php?

Correct. However, we should be sanitising input appropriately on forms etc. Personally, I'm not a huge fan of the QuerySQL.php but it has made some support cases a lot easier - especially when not all admins are comfortable with phpMyAdmin or CLI MySQL tools.

@tuando243 - thanks for the report. I've categorised it as a security bug, but as it requires authenticated access it has limited risk to most setups (except our demo system!).

@DawoudIO DawoudIO added this to the 4.5.1 milestone Aug 30, 2022
@DawoudIO DawoudIO modified the milestones: 4.5.1, Backlog Dec 4, 2022
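
One way to apply the input handling discussed in this thread to a `PersonID`-style parameter, as an added example that is not ChurchCRM's code: the id is validated as an integer and then bound in a prepared statement. The table `whycame_demo`, the function names and the in-memory SQLite database (needs the `pdo_sqlite` extension) are assumptions made for illustration; the real schema and the code of WhyCameEditor.php are not shown in this issue.

```php
<?php
declare(strict_types=1);

// Hypothetical demo schema; ChurchCRM's real tables are not shown in the issue.
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE whycame_demo (person_id INTEGER PRIMARY KEY, notes TEXT)');
    $db->exec("INSERT INTO whycame_demo VALUES (1, 'first visit'), (2, 'invited by a friend')");
    return $db;
}

// Accept only a value that is an integer >= 1 as a whole; arrays,
// empty strings and strings with trailing SQL are rejected.
function parsePersonId($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function saveWhyCame(PDO $db, $rawPersonId, string $notes): bool
{
    $personId = parsePersonId($rawPersonId);
    if ($personId === null) {
        return false; // the caller should answer with HTTP 400
    }
    // Placeholders keep both values out of the SQL text, so neither can
    // change the structure of the statement.
    $stmt = $db->prepare('UPDATE whycame_demo SET notes = :notes WHERE person_id = :id');
    $stmt->bindValue(':notes', $notes, PDO::PARAM_STR);
    $stmt->bindValue(':id', $personId, PDO::PARAM_INT);
    $stmt->execute();
    return true;
}

$db = openDemoDb();
// Constructed inputs: one valid id, then values that are not plain integers.
foreach (['2', '2 OR 1=1', '2;', ['2'], ''] as $candidate) {
    $ok = saveWhyCame($db, $candidate, 'updated note');
    printf("%-12s => %s\n", json_encode($candidate), $ok ? 'saved' : 'rejected');
}
// Dump the table to see which rows the accepted request touched.
foreach ($db->query('SELECT person_id, notes FROM whycame_demo ORDER BY person_id') as $row) {
    printf("%d: %s\n", $row['person_id'], $row['notes']);
}
```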