| Source | Title | Published |
|---|---|---|
| githubexploit | Exploit for SQL Injection in Churchcrm | 11 Apr 2026 19:13 |
| cnnvd | ChurchCRM SQL injection vulnerability | 17 Dec 2025 |
| cnvd | ChurchCRM legacy endpoint SQL injection vulnerability | 19 Dec 2025 |
| cve | CVE-2025-68400 | 17 Dec 2025 21:42 |
| cvelist | CVE-2025-68400 ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php | 17 Dec 2025 21:42 |
| euvd | EUVD-2025-204001 | 17 Dec 2025 21:42 |
| nvd | CVE-2025-68400 | 17 Dec 2025 22:16 |
| osv | CVE-2025-68400 ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php | 17 Dec 2025 21:42 |
| ptsecurity | PT-2025-51932 | 17 Dec 2025 |
| redhatcve | CVE-2025-68400 | 18 Dec 2025 22:37 |
# CVE-2025-68400: ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php
## Overview
| Field | Details |
|---|---|
| **CVE ID** | [CVE-2025-68400](https://nvd.nist.gov/vuln/detail/CVE-2025-68400) |
| **Severity** | CRITICAL |
| **Advisory** | [View Advisory](https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v54g-2pvg-gvp2) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Affected Products
- **ChurchCRM/CRM**
## Details
### Summary
A critical SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM 6.3.0. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a classic case of *dead but reachable code*. Any authenticated user - including one with zero assigned permissions - can exploit SQL injection through the `familyId` parameter.
---
### Details
The issue is located in:
`src/Reports/ConfirmReportEmail.php`
Vulnerable code (lines 82–83):
```php
// Vulnerable: the sanitised value returned by legacyFilterInput() is discarded,
// and the raw query-string value is concatenated into the SQL string instead.
if (InputUtils::legacyFilterInput($_GET['familyId'], 'int')) {
    $sSubQuery = ' and fam_id in (' . $_GET['familyId'] . ') ';
}
```
Why this is vulnerable:
- The return value of `legacyFilterInput()` is ignored entirely.
- The raw `$_GET['familyId']` value is concatenated directly into a SQL query.
- No escaping, quoting, type enforcement, or parameter binding is applied.
- Because the endpoint is no longer referenced in the UI, it does not benefit from updated framework security controls.
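To put the fix beside the flaw, the following is an added example, not ChurchCRM's own code and not the patch shipped with the advisory. It models `InputUtils::legacyFilterInput()` with a stand-in that casts to `int`, because the real helper's body is not on this page; the table name `family_fam`, the column `fam_Name`, and the SQLite in-memory database are assumptions standing in for ChurchCRM's MySQL schema. The hardened path allow-lists the shape of `familyId` (a single id or a comma-separated list of ids, which is what an `in (...)` clause implies), fails closed on anything else, and binds each id as a parameter instead of interpolating it.

```php
<?php
// Added example (not ChurchCRM code): the "return value ignored" bug beside a hardened replacement.
declare(strict_types=1);

/**
 * Stand-in for the legacy helper (hypothetical model, not the real InputUtils implementation).
 * The important property is the one the advisory describes: it RETURNS a sanitised value
 * and does not modify the caller's variable.
 */
function legacyFilterInputModel(string $value, string $type): int
{
    return (int) $value; // "1) AND (SELECT ...) -- -" becomes 1, which is truthy
}

// --- Vulnerable pattern (same logic as lines 82-83 of ConfirmReportEmail.php) ---------
function buildSubQueryVulnerable(array $get): string
{
    $sSubQuery = '';
    if (legacyFilterInputModel($get['familyId'] ?? '', 'int')) {
        // The check passes, then the UNFILTERED value is concatenated into SQL.
        $sSubQuery = ' and fam_id in (' . $get['familyId'] . ') ';
    }
    return $sSubQuery;
}

// --- Hardened pattern: validate the shape, then bind every value ----------------------
/**
 * Accepts an optional single id or comma-separated list of ids and returns them as ints.
 * Empty input means "no filter" (the legacy code's optional semantics); malformed input
 * is rejected outright rather than silently stripped or downgraded to "all families".
 */
function parseFamilyIdList(?string $raw): array
{
    if ($raw === null || $raw === '') {
        return [];
    }
    if (!preg_match('/^\d+(,\d+)*\z/', $raw)) {
        throw new InvalidArgumentException('familyId must be a comma-separated list of integers');
    }
    return array_map('intval', explode(',', $raw));
}

/** Builds "and fam_id in (?,?,?)" with one placeholder per id, plus the bound parameters. */
function familyFilterClause(array $ids): array
{
    if ($ids === []) {
        return ['', []];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return [' and fam_id in (' . $placeholders . ') ', $ids];
}

function selectFamilies(PDO $pdo, ?string $rawFamilyId): array
{
    [$clause, $params] = familyFilterClause(parseFamilyIdList($rawFamilyId));
    // Table and column names are assumptions; fam_id is the column used by the vulnerable query.
    $stmt = $pdo->prepare('SELECT fam_id, fam_Name FROM family_fam WHERE 1 = 1' . $clause);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demonstration with constructed input (the payload is the one from the PoC) -------
$payload = '1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) -- -';

echo 'legacy clause: ' . buildSubQueryVulnerable(['familyId' => $payload]) . PHP_EOL;

try {
    parseFamilyIdList($payload);
} catch (InvalidArgumentException $e) {
    echo 'hardened: rejected (' . $e->getMessage() . ')' . PHP_EOL;
}

// Assumption: the pdo_sqlite extension is available; SQLite stands in for ChurchCRM's MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE family_fam (fam_id INTEGER PRIMARY KEY, fam_Name TEXT)');
$pdo->exec("INSERT INTO family_fam VALUES (1, 'Smith'), (2, 'Jones'), (3, 'Lee')");

print_r(selectFamilies($pdo, '1,3'));
```

Running the script prints the clause the legacy pattern would have sent to MySQL with the PoC payload embedded, shows the hardened parser refusing that same payload, and returns only the bound families for a well-formed list. Rejecting malformed input with an exception rather than falling through to an unfiltered query is a deliberate choice: in the original, a value that fails the filter simply drops the `and fam_id in (...)` restriction, so an attacker who cannot inject can still widen the report to every family.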
Dead but reachable endpoint:
```
/Reports/ConfirmReportEmail.php?familyId=<value>
```
Normal behavior:
```
302 Redirect → /v2/family/<id>&PDFEmailed=
```
Malicious payloads containing `)` or `--` break redirect logic and execute the vulnerable SQL.
Even a user with **zero permissions** can exploit the vulnerability.
A `SLEEP(5)` payload reliably delays the response, proving SQL execution.
---
### PoC
Authenticated user visits:
```
http://localhost:8101/Reports/ConfirmReportEmail.php?familyId=1)%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)%20--%20-
```
<img width="1552" height="757" alt="image" src="https://github.com/user-attachments/assets/cfa6e007-bbb0-41b4-9031-21e89ea7bf2e" />
Observed result:
- Response delayed by ~5 seconds → success.
- Redirect suppressed.
- Vulnerable SQL executed.
sqlmap confirmation:
<img width="2369" height="714" alt="image" src="https://github.com/user-attachments/assets/21d54831-8e0e-44e6-86d3-75234d78b40f" />
---
### Impact
- Complete database compromise (read/write/delete)
- Extraction of all sensitive ChurchCRM data
- Possible privilege escalation
- Potential for RCE depending on SQL functions and configuration
- Vulnerable endpoint is reachable despite being removed from UI
## References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v54g-2pvg-gvp2
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.