SQL Injection vulnerability in ChurchCRM 4.4.5 via /churchcrm/WhyCameEditor.php
Steps to exploit:
- Login as admin.
- Redirect to profile page and click on Edit "Why Came" Notes.
- Submit "Why Came" notes and capture request in Burp Suite.
- Save request to churchcrm.txt file and run sqlmap for injecting the PersonID parameter:
  sqlmap -r churchcrm.txt -p PersonID
Isn't admin allowed to make arbitrary SQL queries using QuerySQL.php?
Correct. However, we should be sanitising input appropriately on forms etc. Personally, I'm not a huge fan of the QuerySQL.php but it has made some support cases a lot easier - especially when not all admins are comfortable with phpMyAdmin or CLI MySQL tools.
@tuando243 - thanks for the report. I've categorised it as a security bug, but as it requires authenticated access it has limited risk to most setups (except our demo system!).
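An added illustration of the input-handling point made in the reply above; this is example code, not ChurchCRM's own source. The query shape and the table and column names are assumptions; only the PersonID parameter and the WhyCameEditor.php page come from the report.

```php
<?php
// Added example, not ChurchCRM's code. Table/column names (person, id, why_came)
// are placeholders; the real schema and query in WhyCameEditor.php are not shown
// in the report, so the handler below is a hypothetical reconstruction.

// Vulnerable pattern: request values are concatenated straight into the SQL
// string, so a PersonID value that is not a plain integer becomes part of the
// query itself. This is the shape of bug the sqlmap run in the report detects.
function saveWhyCameVulnerable(PDO $db, array $post): int
{
    $sql = "UPDATE person SET why_came = '" . $post['WhyCame'] . "'"
         . " WHERE id = " . $post['PersonID'];
    return $db->exec($sql);
}

// Hardened version: validate PersonID as a positive integer before it reaches
// the database layer, and bind both values through a prepared statement so the
// driver never interprets user input as SQL. Authentication (the reporter is
// logged in as admin) does not replace this check; admin sessions can be
// phished or hijacked, and the demo system mentioned above is exposed.
function saveWhyCameHardened(PDO $db, array $post): int
{
    $personId = filter_var(
        $post['PersonID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($personId === false) {
        // Reject rather than coerce: a non-numeric PersonID is never legitimate
        // here, and logging the rejection gives defenders a detection signal.
        error_log('WhyCameEditor: rejected non-integer PersonID from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        throw new InvalidArgumentException('PersonID must be a positive integer');
    }

    $stmt = $db->prepare('UPDATE person SET why_came = :why WHERE id = :id');
    $stmt->bindValue(':why', (string) ($post['WhyCame'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':id', $personId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}
```

Enabling `PDO::ATTR_EMULATE_PREPARES => false` on the connection makes the binding server-side, so the values are sent separately from the query text rather than escaped into it.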
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 15 days with no activity.