CVE-2023-38767

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in ChurchCRM v5.0.0 allows remote attackers to execute arbitrary SQL commands via the 'value' and 'custom' parameters in QueryView.php. Attackers can potentially access, modify, or delete sensitive database information. All organizations running ChurchCRM v5.0.0 are affected.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: v5.0.0
Operating Systems: All platforms running ChurchCRM
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of ChurchCRM v5.0.0 are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including exfiltration of sensitive personal data, financial information, and administrative credentials, potentially leading to full system takeover.

🟠 Likely Case

Unauthorized access to sensitive church member data, financial records, and personal information stored in the database.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting unauthorized queries.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via web interface without authentication.
🏢 Internal Only: MEDIUM - Internal users could exploit this to escalate privileges or access unauthorized data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are well-understood and easily weaponized with automated tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.0.1 or later

Vendor Advisory: https://github.com/ChurchCRM/CRM/wiki

Restart Required: No

Instructions:

1. Backup your ChurchCRM database and files
2. Download the latest version from ChurchCRM GitHub repository
3. Replace the vulnerable QueryView.php file with the patched version
4. Verify the fix by testing the vulnerable parameters

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement input validation to sanitize the 'value' and 'custom' parameters before they reach the query

# Add parameter validation in QueryView.php
# Example: $value = mysqli_real_escape_string($connection, $_GET['value']);
# Example: $custom = filter_var($_GET['custom'], FILTER_SANITIZE_STRING);
# Note: FILTER_SANITIZE_STRING is deprecated since PHP 8.1 and escaping alone is only a stopgap;
# prepared statements with bound parameters are the durable fix.

Web Application Firewall Rule

Platform: linux

Block SQL injection patterns targeting the QueryView.php parameters

# ModSecurity rule example (chained: the second rule only runs when the first matches;
# regex-selected argument names use the /.../ form, and the actions belong on the first rule of the chain):
SecRule REQUEST_FILENAME "@endsWith /QueryView.php" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt against QueryView.php',chain"
    SecRule ARGS_GET:/^(value|custom)$/ "@detectSQLi"

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in QueryView.php
  • Restrict database user permissions to read-only for the application account

🔍 How to Verify

Check if Vulnerable:

Test QueryView.php with SQL injection payloads in 'value' and 'custom' parameters: /QueryView.php?value=1' OR '1'='1

Check Version:

Check ChurchCRM version in admin panel or review version.php file

Verify Fix Applied:

Repeat the SQL injection tests after patching; the injected input should be rejected or treated as literal data (an error page or an empty result) rather than changing the query that is executed

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts following SQL injection patterns
  • Unusual database queries from web application user

Network Indicators:

  • HTTP requests to QueryView.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/QueryView.php" AND (param="value" OR param="custom") AND (keywords="UNION" OR keywords="SELECT" OR keywords="INSERT" OR keywords="DELETE")
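An added example (not from this advisory page or from ChurchCRM): a small Python scanner over constructed Apache combined-format log lines that implements the same logic as the SIEM query above, flagging requests to QueryView.php whose 'value' or 'custom' parameter carries SQL keywords or a quote-tautology pattern. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Keywords mirroring the SIEM query on this page, plus the quote/OR tautology shape.
SQLI_RE = re.compile(r"\b(UNION|SELECT|INSERT|DELETE|UPDATE|DROP)\b|'\s*(OR|AND)\s*'", re.IGNORECASE)

WATCHED_PARAMS = ("value", "custom")  # the two parameters named in the CVE

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2023:10:00:01 +0000] "GET /QueryView.php?QueryID=3&value=2023&custom=0 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Aug/2023:10:00:09 +0000] "GET /QueryView.php?value=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 88210',
    '203.0.113.7 - - [01/Aug/2023:10:00:12 +0000] "GET /QueryView.php?custom=1%20UNION%20SELECT%20null HTTP/1.1" 500 311',
    '10.0.0.5 - - [01/Aug/2023:10:01:00 +0000] "GET /index.php?value=UNION HTTP/1.1" 200 2048',
]


def inspect_request(target):
    """Return (param, decoded_value) pairs on QueryView.php that match SQLI_RE, else []."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/queryview.php"):
        return []  # only the vulnerable endpoint is of interest
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            decoded = unquote_plus(raw)  # second decode catches double-encoded input
            if SQLI_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return one alert dict per suspicious QueryView.php request found in the log lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = inspect_request(m.group("target"))
        if hits:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "status": int(m.group("status")), "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} status={alert['status']} hits={alert['hits']}")
```

Pair the alerts with the application-log indicators listed above: a flagged request followed by a database error (HTTP 500 here) is a stronger signal than a keyword match alone.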

🔗 References
