CVE-2021-3164
📋 TL;DR
CVE-2021-3164 allows authenticated users in ChurchRota to upload and execute arbitrary files via a POST request to resources.php, even without file upload permissions. This enables remote code execution on the server. All ChurchRota 2.6.4 installations with authenticated users are affected.
💻 Affected Systems
- ChurchRota
📦 What is this software?
Churchrota by Churchdesk
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attacker to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems.
Likely Case
Attacker gains shell access to the web server, potentially accessing database credentials, user data, and modifying application functionality.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place to contain the breach.
🎯 Exploit Status
Exploit requires authenticated user credentials but is trivial to execute once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.5 or later
Vendor Advisory: https://github.com/Little-Ben/ChurchRota
Restart Required: No
Instructions:
1. Backup your ChurchRota installation and database.
2. Download the latest version from the official GitHub repository.
3. Replace the vulnerable files with the patched version.
4. Verify the resources.php file has proper file upload validation.
🔧 Temporary Workarounds
Restrict access to resources.php
Block or restrict access to the vulnerable endpoint via web server configuration. Note that this also disables the legitimate resource-upload feature for every user until the patch is applied.
# Apache: add to .htaccess (2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" inside the same <Files> block instead of the Order/Deny lines)
<Files "resources.php">
Order Deny,Allow
Deny from all
</Files>
# Nginx: add to the server block, before any "location ~ \.php$" handler, because nginx uses the first matching regex location
location ~ /resources\.php$ {
deny all;
}
Implement WAF rules
Add web application firewall rules to block suspicious file uploads to resources.php.
# ModSecurity example: block multipart POSTs to resources.php (phase 2, so request
# headers and body are available); ordinary GET/POST requests to the page still pass.
SecRule REQUEST_FILENAME "@endsWith resources.php" \
    "id:1001,phase:2,deny,status:403,log,msg:'Blocking ChurchRota RCE attempt',chain"
    SecRule REQUEST_METHOD "@streq POST" "chain"
        SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "t:lowercase"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ChurchRota server from critical systems.
- Enforce strong authentication controls and monitor for suspicious user activity.
🔍 How to Verify
Check if Vulnerable:
Check if ChurchRota version is 2.6.4 by examining the application files or checking the admin interface.
Check Version:
grep -ri "version" /path/to/churchrota/ | grep "2\.6"
Verify Fix Applied:
Verify the ChurchRota version is 2.6.5 or later and test that file uploads to resources.php are properly validated.
📡 Detection & Monitoring
Log Indicators:
- POST requests to resources.php with file upload parameters
- Unusual file creation in web directories
- Suspicious process execution from web server user
Network Indicators:
- HTTP POST requests to /resources.php with file upload content
- Outbound connections from web server to unknown IPs
SIEM Query:
source="web_logs" AND uri="/resources.php" AND method="POST" AND (file_upload="true" OR contains(content_type, "multipart/form-data"))
(Pseudo-query: map the source, uri, method, file_upload and content_type fields to the names your SIEM uses for web server logs.)
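The log indicators above can be checked offline with a small triage script. The following is an added example, not part of the original advisory or of ChurchRota: it assumes an Apache-style access log that also records the request Content-Type header (a custom LogFormat, shown in the docstring), and the sample log lines, IP addresses, user names and the KNOWN_SCRIPTS allow-list are all constructed for illustration. It flags multipart POSTs to resources.php and, going one step further than the indicator list, correlates them with later requests from the same client for a .php path that is not a known application script, which is what executing a freshly uploaded file looks like in the log.

```python
"""Access-log triage for the CVE-2021-3164 indicators listed above.

Added example, not part of the original advisory. It assumes an Apache-style
access log that also records the request Content-Type header, e.g.

    LogFormat "%h %l %u %t \\"%r\\" %>s %b \\"%{Content-Type}i\\"" uploadlog

The log lines, IPs, user names and the KNOWN_SCRIPTS allow-list below are all
constructed for illustration.
"""
import re
from datetime import datetime

# Constructed sample: one multipart POST to resources.php from 203.0.113.5,
# followed by that client fetching a PHP file outside the known application scripts.
SAMPLE_LOG = """\
203.0.113.5 - alice [12/Jan/2021:10:01:22 +0000] "GET /resources.php HTTP/1.1" 200 5120 "-"
203.0.113.5 - alice [12/Jan/2021:10:01:40 +0000] "POST /resources.php HTTP/1.1" 200 312 "multipart/form-data; boundary=----x"
198.51.100.9 - bob [12/Jan/2021:10:02:03 +0000] "POST /login.php HTTP/1.1" 302 0 "application/x-www-form-urlencoded"
198.51.100.9 - bob [12/Jan/2021:10:02:10 +0000] "POST /resources.php HTTP/1.1" 200 280 "application/x-www-form-urlencoded"
203.0.113.5 - alice [12/Jan/2021:10:02:15 +0000] "GET /uploads/notes.php HTTP/1.1" 200 44 "-"
"""

# Scripts the application legitimately serves (constructed allow-list; build the
# real one from the installed ChurchRota tree).
KNOWN_SCRIPTS = {"/index.php", "/login.php", "/resources.php"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ctype>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["uri"].split("?", 1)[0]          # drop any query string
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_upload_attempt(rec):
    """Indicator 1: multipart POST to resources.php (the vulnerable endpoint)."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/resources.php")
            and rec["ctype"].lower().startswith("multipart/form-data"))


def find_upload_attempts(lines):
    """All multipart POSTs to resources.php, in log order."""
    return [rec for rec in map(parse_line, lines) if rec and is_upload_attempt(rec)]


def find_webshell_fetches(lines, known=KNOWN_SCRIPTS):
    """Indicator 2: after a client has posted multipart data to resources.php,
    any later request from the same IP for a .php path outside the allow-list."""
    first_upload = {}   # ip -> time of its first upload attempt
    hits = []
    for rec in map(parse_line, lines):
        if not rec:
            continue
        if is_upload_attempt(rec):
            first_upload.setdefault(rec["ip"], rec["when"])
        elif (rec["ip"] in first_upload
              and rec["when"] >= first_upload[rec["ip"]]
              and rec["path"].endswith(".php")
              and rec["path"] not in known):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in find_upload_attempts(lines):
        print(f"UPLOAD  {rec['ts']} {rec['ip']} user={rec['user']} status={rec['status']}")
    for rec in find_webshell_fetches(lines):
        print(f"FETCH   {rec['ts']} {rec['ip']} user={rec['user']} {rec['path']}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and KNOWN_SCRIPTS with the set of .php paths actually shipped in the installation; a multipart POST from an account that has no upload permission, or any fetch of a .php file outside that set, warrants inspecting the web directories for newly created files.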