CVE-2024-25892 in ChurchCRMinfo

Summary

by MITRE • 02/21/2024

ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection (Time-based) via the familyId GET parameter.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 08/14/2024

ChurchCRM version 5.5.0 contains a critical blind sql injection vulnerability in the ConfirmReport.php script that can be exploited through the familyId GET parameter. This vulnerability falls under the CWE-89 category for SQL Injection and represents a time-based blind sql injection attack vector that allows remote attackers to extract data from the underlying database through carefully crafted time delays. The vulnerability occurs when the application fails to properly sanitize user input from the familyId parameter before incorporating it into sql queries, enabling an attacker to manipulate the query execution flow and potentially gain unauthorized access to sensitive information.

The technical exploitation of this vulnerability requires an attacker to send malicious requests containing specially crafted familyId values that trigger time-based sql injection techniques. When the application processes these requests, the sql query execution becomes dependent on the attacker-controlled input, causing deliberate delays in response times that can be measured to extract database information. This type of attack operates entirely through timing mechanisms rather than direct data exfiltration, making it particularly challenging to detect through standard network monitoring tools and requiring sophisticated detection methods to identify.

The operational impact of this vulnerability extends beyond simple data theft to include potential system compromise and unauthorized access to sensitive church member information. ChurchCRM systems typically store confidential data including personal contact information, family details, financial records, and other sensitive personal data that could be targeted by malicious actors. Successful exploitation could lead to complete database compromise, allowing attackers to view, modify, or delete critical information while potentially escalating privileges to gain broader system access. The vulnerability affects organizations using ChurchCRM version 5.5.0 and earlier versions, making it a significant concern for religious organizations that rely on this platform for member management.

Organizations should immediately implement mitigations including input validation and parameterized queries to prevent sql injection attacks. The recommended approach involves sanitizing all user input through proper input validation techniques and implementing prepared statements or parameterized queries that separate sql code from data. Additionally, organizations should consider implementing web application firewalls to detect and block malicious sql injection attempts, conduct regular security assessments to identify similar vulnerabilities, and ensure all systems are updated to the latest stable versions of ChurchCRM. Security monitoring should include detection of unusual time delays in application responses that could indicate active exploitation attempts. The vulnerability demonstrates the importance of proper input sanitization and the critical need for organizations to maintain up-to-date security practices to protect sensitive data. This issue aligns with ATT&CK technique T1071.004 for application layer protocol manipulation and T1190 for exploit for client execution, emphasizing the need for comprehensive security measures across all system layers.

Reservation

02/12/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00576

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!