CVE-2024-39304
📋 TL;DR
ChurchCRM versions before 5.9.2 contain an authenticated SQL injection vulnerability in the GetText.php endpoint. Attackers with any valid user account can inject malicious SQL through the EID parameter, potentially compromising the database. This affects all ChurchCRM deployments running vulnerable versions.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM: an open-source, PHP-based church management system (member records, donations, events) backed by a MySQL/MariaDB database. GetText.php is one of its authenticated web endpoints and reads the EID query parameter from the request.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ChurchCRM database: theft or modification of all stored data, escalation to an administrative ChurchCRM account by tampering with user records, and, if the database account holds privileges such as FILE or can reach other schemas, a possible pivot from SQL injection to code execution on the server.
Likely Case
Unauthorized data access, extraction of sensitive church member information, financial data exposure, and potential data corruption.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permission restrictions.
🎯 Exploit Status
Requires a valid ChurchCRM login of any role. Once authenticated, exploitation is a single crafted GET request to GetText.php with a malicious EID value; this needs minimal skill and is within reach of automated SQL injection tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.2
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2rh6-gr3h-83j9
Restart Required: No
Instructions:
1. Back up the ChurchCRM database and the installation directory.
2. Download ChurchCRM 5.9.2 or later from the official repository.
3. Replace the existing installation with the patched release, following the project's normal upgrade procedure.
4. Confirm that the installed GetText.php contains the EID handling from the fix commit referenced below (the parameter must no longer be concatenated into SQL without validation or parameterization).
🔧 Temporary Workarounds
Input Validation Filter
Add input validation that rejects any EID value that is not a plain integer before it reaches the database query. Modify GetText.php so the parameter is validated as an integer rather than merely checked with is_numeric (which also accepts floats and exponent notation):

    // Reject anything that is not a plain integer before EID is used in SQL.
    $eid = filter_var($_GET['EID'] ?? '', FILTER_VALIDATE_INT);
    if ($eid === false) {
        http_response_code(400);
        exit('Invalid input');
    }
    // Use $eid (an int) from here on, preferably as a bound parameter.

This is a stopgap; the real fix is the patched release, which should be applied as soon as possible.
Web Application Firewall Rule
Block suspicious requests to GetText.php at the WAF. Prefer an allowlist rule that denies any request to /GetText.php whose EID parameter is not a short string of digits; a denylist of SQL keywords (SELECT, UNION, OR 1=1) is a weaker fallback, since keyword matching is bypassed with comment and encoding tricks. Make sure the WAF URL-decodes the query string before evaluating the value.
🧯 If You Can't Patch
- Restrict the ChurchCRM database account to the privileges it needs on its own schema only: no FILE, SUPER or GRANT privileges and no access to other databases, so that a successful injection cannot be chained into file writes or server takeover
- Log and alert on the database queries issued by the ChurchCRM application, in particular SQL syntax errors and UNION/subquery patterns that the normal application never generates
🔍 How to Verify
Check if Vulnerable:
Any ChurchCRM installation running a version below 5.9.2 is vulnerable; confirm the version in the admin interface or by examining the application files.
Check Version:
Check ChurchCRM admin dashboard or examine version.php file in installation directory
Verify Fix Applied:
Verify that the ChurchCRM version is 5.9.2 or higher. Optionally, on a system you are authorised to test, log in and request GetText.php with a non-integer EID value (for example an appended single quote): a patched install should reject the value or behave identically to a request for a non-existent ID, rather than return an SQL error or altered results.
📡 Detection & Monitoring
Log Indicators:
- Database queries from the ChurchCRM application that the application does not normally issue (UNION, subqueries, sleep/benchmark calls)
- A session that starts requesting GetText.php immediately after logging in, especially following repeated failed login attempts
- SQL syntax error messages in the application or web-server error logs, which often accompany injection attempts
Network Indicators:
- HTTP GET requests to /GetText.php whose EID parameter is not purely numeric, including URL-encoded quotes, SQL keywords, comment markers (--, /**/) or unusually long values
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri_path="/GetText.php" AND (query_string="*SELECT*" OR query_string="*UNION*" OR query_string="*OR*1=1*")

The keyword query above catches unsophisticated probes only. A higher-fidelity rule is to alert on any request to /GetText.php whose URL-decoded EID value is not entirely digits, since a legitimate request never carries anything else in that parameter.
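Added example (not from this page or the ChurchCRM project): a small Python detector that applies the "EID must be an integer" allowlist to web-server access logs, using SQL keyword matching only to label why a hit was flagged. The log lines are constructed for illustration, and the log format, field names and the scan/classify_eid helpers are assumptions of this example, not anything ChurchCRM ships.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). These are not
# real ChurchCRM logs; they illustrate one benign request, three obvious
# injection probes (including a comment-obfuscated one) and one double-encoded
# probe that keyword matching alone would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2024:10:01:02 +0000] "GET /GetText.php?EID=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2024:10:01:09 +0000] "GET /GetText.php?EID=42%27%20OR%201%3D1--%20- HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jul/2024:10:02:15 +0000] "GET /GetText.php?EID=1%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 500 120 "-" "sqlmap/1.8"
10.0.0.5 - - [12/Jul/2024:10:03:00 +0000] "GET /Menu.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jul/2024:10:04:44 +0000] "GET /GetText.php?EID=7/**/oR/**/1=1 HTTP/1.1" 200 9811 "-" "curl/8.0"
10.0.0.9 - - [12/Jul/2024:10:05:01 +0000] "GET /GetText.php?EID=42%2527%2520OR%25201%253D1 HTTP/1.1" 200 9811 "-" "sqlmap/1.8"
"""

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Allowlist: a legitimate EID is a short run of digits and nothing else.
INT_RE = re.compile(r"^\d{1,10}$")
# Denylist used only to label hits; it is not what decides whether to alert.
SQL_HINT_RE = re.compile(
    r"(?i)(\bunion\b|\bselect\b|\bor\b\s*\d+\s*=\s*\d+|--|/\*|\bsleep\s*\(|\bbenchmark\s*\()"
)


def classify_eid(value):
    """Return None for a well-formed EID, otherwise a short reason string.

    `value` is the URL-decoded parameter value (parse_qs decodes once).
    Anything outside the integer allowlist is a hit; the keyword check just
    distinguishes obvious SQL from other malformed input.
    """
    if value is None:
        return "missing"
    if INT_RE.match(value):
        return None
    # Collapse inline comments so 7/**/oR/**/1=1 is seen as "7 oR 1=1".
    collapsed = re.sub(r"/\*.*?\*/", " ", value)
    if SQL_HINT_RE.search(collapsed):
        return "sql-pattern"
    return "non-integer"


def scan(log_text):
    """Return one record per GetText.php request whose EID fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/GetText.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        eid = params.get("EID", [None])[0]
        reason = classify_eid(eid)
        if reason is None:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": m.group("status"),  # 500s often mean an SQL error surfaced
            "eid": eid,
            "reason": reason,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"reason={hit['reason']} EID={hit['eid']!r}")
```

The allowlist is what fires the alert: the double-encoded probe on the last line decodes to `42%27%20OR%201%3D1`, which matches none of the SQL keyword patterns but is still reported because it is not an integer. Feed the script your real access log in place of SAMPLE_LOG and correlate 500 responses with SQL errors in the application log.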
🔗 References
- https://github.com/ChurchCRM/CRM/commit/e3bd7bfbf33f01148df0ef1acdb0cf2c2b878b08
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2rh6-gr3h-83j9