ChurchCRM / CRM

ChurchCRM is an OpenSource Church CRM & Management Software.
https://ChurchCRM.io
MIT License

Security Bug: Stored Based XSS - Group List #6848

Closed 0xIapetus closed 4 months ago

0xIapetus commented 8 months ago

If you have the ChurchCRM software running, please file an issue using the Report an issue in the help menu.

On what page in the application did you find this issue? GroupList.php

On what type of server is this running? Dedicated / Shared hosting? Linux / Windows? Linux

What browser (and version) are you running? Firefox

What version of PHP is the server running? 8.3.2

What version of SQL Server are you running? 11.2.2

What version of ChurchCRM are you running? 5.5.0

Severity: high

Credits: Georgios Bitounis

Description: A stored XSS was found in the ChurchCRM v.5.5.0 "Add New group" functionality, where malicious JS or HTML code can be inserted as the name of the new group in the endpoint GroupList.php.

The interesting part of this XSS is that it also breaks the functionality of the page, as some parts of the web page don't render. The application becomes almost unusable from the UI. XSS in general allows attackers to steal sensitive information (for example, cookies), hijack user sessions, or perform other malicious operations on behalf of the victim. This vulnerability is caused by the lack of effective encoding processing of input and output in the background.


Impact: Stored XSS (also known as second-order or persistent XSS) is a type of cross-site scripting attack in which the malicious code is permanently stored on the server and delivered to every user who accesses the affected page. The attacker typically injects the malicious code, such as JavaScript or HTML, into a form field or other input field that is stored in a database or other data storage location. When the victim accesses the page containing the stored malicious code, the code is executed in the victim's browser, allowing the attacker to steal sensitive information, hijack user sessions, or perform other malicious actions on behalf of the victim. If we consider that this vulnerability actually breaks the UI functionality the severity can be characterized as high.

Affected Component: /churchcrm/GroupList.php

Technical Details: The vulnerability is caused by the failure of the backend to effectively validate user input. An attacker can insert malicious js code and store it in the database, allowing the attacker to steal sensitive information, hijack user sessions, or perform other malicious operations on behalf of the victim.

Proof of Concept (PoC): <script>alert(document.cookie)</script>

Remediation:

1. Input validation: All user input should be validated on the server side to ensure that it conforms to the expected format and does not contain any malicious code. Input validation should be performed on both the client side and the server side, and should be designed to detect and block any attempts to inject scripts or other malicious content.

2. Output encoding: All data that is displayed on a web page should be properly encoded to prevent script injection. This includes data stored in a database or other data storage location, as well as data that is passed between pages or included in page templates. Proper encoding can include HTML entity encoding, URL encoding, or JavaScript escaping, depending on the specific context and data being displayed.
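To make the two remediation points concrete, here is an added example (not ChurchCRM's own code) in PHP, the language ChurchCRM runs on: the unencoded rendering pattern the report describes beside a version that encodes the group name for the HTML and JavaScript contexts it is written into, plus a hypothetical server-side validator. It assumes PHP 8 with the mbstring extension, and the sample group name reuses the PoC string from the report.

```php
<?php
// Encode for HTML body/attribute context. ENT_QUOTES covers both quote kinds,
// so the same helper is safe inside a double-quoted attribute value.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode for a JavaScript string-literal context. The HEX flags keep <, >, &
// and quotes out of the output, so the literal cannot close a <script> block.
function escapeJs(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Server-side validation (hypothetical rule set, not ChurchCRM's; needs mbstring): reject empty,
// over-long, non-UTF-8 or control-character names. It does not strip tags; output encoding does that job.
function validateGroupName(string $name): array
{
    $errors = [];
    if (trim($name) === '') {
        $errors[] = 'name must not be empty';
    }
    if (!mb_check_encoding($name, 'UTF-8')) {
        $errors[] = 'name must be valid UTF-8';
    } elseif (mb_strlen($name, 'UTF-8') > 100) {
        $errors[] = 'name must be at most 100 characters';
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors[] = 'name must not contain control characters';
    }
    return $errors;
}

// Before: the stored name is concatenated straight into markup, the pattern the report describes.
function renderGroupRowUnsafe(array $group): string
{
    return '<tr><td>' . $group['name'] . '</td></tr>';
}

// After: every dynamic value is encoded for the context it is written into (HTML cell, attribute, JS literal).
function renderGroupRowSafe(array $group): string
{
    return '<tr><td data-group-id="' . escapeHtml((string) $group['id']) . '">' . escapeHtml($group['name']) . '</td></tr>'
        . '<script>document.title = ' . escapeJs($group['name']) . ';</script>';
}

// Constructed sample input reusing the report's PoC string.
$sample = ['id' => 7, 'name' => '<script>alert(document.cookie)</script>'];
echo renderGroupRowUnsafe($sample), "\n", renderGroupRowSafe($sample), "\n";
print_r(validateGroupName($sample['name']));
```

Run with `php example.php` to compare the two rendered rows; the encoded row reaches the browser as text, while the unencoded one is parsed as markup.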

DAcodedBEAT commented 8 months ago

@0xIapetus Can you please check your PHP version? PHP 7.4 hasn't been supported since ChurchCRM 5.0.3, so I am unsure how you are running the latest code.

0xIapetus commented 8 months ago

Excuse me for the inconvenience (it was a copy-paste mistake). The PHP version was 8.3.2. This has been tested on several versions and also the one git cloned/forked from GitHub (5.5.0).

0xIapetus commented 8 months ago

@DAcodedBEAT I hope you are well. I would like to ask if the CVE acquisition for the vulnerabilities will be done on your side (I have provided the required information from my side in each and every description). Thanks for your time!

github-actions[bot] commented 7 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

DAcodedBEAT commented 7 months ago

Hello @0xIapetus , thanks again for uncovering these vulnerabilities and sorry for the delay!

Since this is a volunteer project and I haven't had much time to do administration work for it (and would much rather fix the uncovered issues when I have my few free cycles), I won't be able to do the CVE acquisition (also, to be completely honest, I'm unsure what the procedure would even be to do this).

0xIapetus commented 6 months ago

Hello @DAcodedBEAT, CVEs have been assigned: CVE-2024-25891-98. Thanks!