SecurityTracker: ChurchInfo Input Validation Holes Permit SQL Injection

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > ChurchInfo

Vendors: Churchdb.org

ChurchInfo Input Validation Holes Permit SQL Injection

SecurityTracker Alert ID: 1014617

SecurityTracker URL: http://securitytracker.com/id/1014617

CVE Reference: CVE-2005-2473, CVE-2005-2474 (Links to External Site)

Updated: Jun 8 2008

Original Entry Date: Aug 3 2005

Impact: Disclosure of system information, Disclosure of user information, User access via network

Exploit Included: Yes

Description: Several input validation vulnerabilities were reported in ChurchInfo. A remote user can inject SQL commands on the target system.

The software does not properly validate user-supplied input. A remote user can supply specially crafted parameter values to execute SQL commands on the underlying database.

The "PersonID" parameter on the following pages is vulnerable.

PersonView.php
MemberRoleChange.php
PropertyAssign.php
WhyCameEditor.php
GroupPropsEditor.php
Reports/PDFLabel.php
UserDelete.php

A remote user can supply an invalid "Number" parameter on the following pages to cause the system to disclose the path.

SelectList.php
SelectDelete.php

The "DepositSlipID" parameter on the DepositSlipEditor.php page is vulnerable to sql injection and path disclosure.

The "QueryID" parameter on the QueryView.php page is vulnerable to sql injection and path disclosure.

The "GroupID" parameter on the following pages is vulnerable.

GroupView.php
GroupMemberList.php
MemberRoleChange.php
GroupDelete.php
/Reports/ClassAttendance.php
/Reports/GroupReport.php

The "GroupID" parameter on the following pages is vulnerable.

GroupPropsFormRowOps.php
/Reports/ClassAttendance.php
/Reports/ClassList.php
ConfirmLabels.php
/DirectoryReport.php
/Reports/NewsLetterLabels.php

The "PropertyID" parameter on the PropertyEditor.php page is vulnerable.

The "FamilyID" parameter on the following pages is vulnerable.

Canvas05Editor.php
CanvasEditor.php
FamilyView.php

The "PledgeID" parameter on the PledgeDetails.php page is vulnerable.

thegreatone2176 reported these vulnerabilities.

Impact: A remote user can execute SQL commands on the underlying database.

Solution: No solution was available at the time of this entry.

Vendor URL: www.churchdb.org (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.

Source Message Contents

Date: Mon, 01 Aug 2005 15:04:52 +0000
Subject: ChurchInfo Multiple Vulnerabilities

----------------------------------
ChurchInfo Multiple Vulnerabilities
----------------------------------

ChurchInfo is affected by mutliple path disclosures and sql injections.

Vulnerabilties
--------------

1) The "PersonID" parameter on the following pages are vulnerable to sql injection and path disclosure.

PersonView.php
MemberRoleChange.php
PropertyAssign.php
WhyCameEditor.php
GroupPropsEditor.php
Reports/PDFLabel.php
UserDelete.php - First page gives path disclosure, then when you click yes you have sql injection

2) When an invalid "Number" parameter only the following pages is given a divide by zero error is produced resulting in path disclosure.

SelectList.php
SelectDelete.php

3) The "DepositSlipID" parameter on the following page is vulnerable to sql injection and path disclosure.

DepositSlipEditor.php

3) The "QueryID" parameter on the following page is vulnerable to sql injection and path disclosure.

QueryView.php

Also specific ids are vulnerable to sql injection.

QueryID?id=18 The search box is vulnerable to sql injection.
QueryID?id=19 An sql injection can be performed by editing the html source of the form.

There is about 5 more forms in this section where you can potenially edit the form, and inject but I did not test each one so I did
not list them.

4) The "GroupID" parameter on the following pages are vulnerable to sql injection and path disclosure.

GroupView.php
GroupMemberList.php
MemberRoleChange.php
GroupDelete.php
/Reports/ClassAttendance.php
/Reports/GroupReport.php

5) The "GroupID" parameter on the following pages produces path disclosure when invalid input is given.

GroupPropsFormRowOps.php
/Reports/ClassAttendance.php
/Reports/ClassList.php
ConfirmLabels.php
/DirectoryReport.php
/Reports/NewsLetterLabels.php

6) The "PropertyID" parameter on the following page is vulnerable to sql injection and path disclosure.

PropertyEditor.php

7) The "FamilyID" parameter on the following pages are vulnerable to sql injection and path disclosure.

Canvas05Editor.php
CanvasEditor.php
FamilyView.php

8) The "PledgeID" parameter on the following pages are vulnerable to sql injection and path disclosure.

PledgeDetails.php

Misc
Many of the pages produced extract() errors when bogus input was fed leading to path disclosure.
A few pages also produced path disclosures when directly accessed. Also some pages when directly accessed gave an sql error about
an empty parameter, but were not exploitable when the parameter was given. Since this is an open source product you can simply view
the queries from the source, but if it was closed source this could help to determine table structure and queries.

Solution
--------
Properly cleansing user input before processing would eliminate all these errors.

Credit
------
thegreatone2176

Greets
------
Elohimus and pureone

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC