How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This SQL Injection vulnerability in ChurchCRM allows authenticated users with ManageGroups privileges to execute arbitrary SQL commands, potentially leading to unauthorized access, modification, or denial of service of sensitive data.

Such unauthorized access and manipulation of data can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to ensure confidentiality, integrity, and availability.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing or altering protected data without proper authorization.

Useful 0 Not Useful 0

Can you explain this vulnerability to me?

This vulnerability is an SQL Injection issue in ChurchCRM versions prior to 7.1.0, specifically in the file src/MemberRoleChange.php. The NewRole POST parameter is used directly in an SQL query without proper integer validation or sanitization.

Authenticated users with the ManageGroups role can exploit this by injecting arbitrary SQL commands through the NewRole parameter. This happens because the input is not properly checked to ensure it is an integer before being concatenated into the SQL query.

Exploitation requires an authenticated session with ManageGroups privileges and knowledge of valid GroupID and PersonID values, which can be obtained from certain pages in the application.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can have severe impacts including unauthorized access to data, modification of data, or denial of service.

Because attackers can inject arbitrary SQL commands, they may manipulate the database in unintended ways, potentially compromising confidentiality, integrity, and availability of the system.

The CVSS score of 8.8 indicates a high severity, meaning the impact on confidentiality, integrity, and availability is high if exploited.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to exploit the SQL injection in the NewRole POST parameter of the src/MemberRoleChange.php endpoint while authenticated with ManageGroups privileges.

A proof of concept involves submitting a crafted NewRole value such as '1 or' in a POST request, which causes the server to respond with HTTP 500 errors indicating SQL syntax errors and confirming injection potential.

To detect this on your system, you can use tools like curl or any HTTP client to send a POST request with a malicious NewRole parameter and observe the response.

• Example curl command to test the vulnerability (replace URL, session cookie, GroupID, and PersonID accordingly):
• curl -X POST https://yourchurchcrm.example.com/src/MemberRoleChange.php -H "Cookie: PHPSESSID=your_session_id" -d "NewRole=1 or" -d "GroupID=validGroupID" -d "PersonID=validPersonID"

If the server returns an HTTP 500 error or other SQL error messages, it indicates the presence of the SQL injection vulnerability.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed by adding proper integer validation or parameterized queries.

Until the upgrade can be performed, restrict access to the ManageGroups role to only trusted users, as exploitation requires authenticated users with this role.

Additionally, monitor logs for unusual HTTP 500 errors or suspicious POST requests to src/MemberRoleChange.php that may indicate exploitation attempts.

Useful 0 Not Useful 0