### Key Information

#### Vulnerability Overview

- **Vulnerability Type**: Path traversal leading to remote code execution
- **Affected Product**: ChurchCRM versions <= 5.18.0
- **Disclosure Status**: Reported to vendor, no response received. Possibly fixed in v5.19.0.

#### Technical Details

- **Vulnerable Location**: `src/ChurchCRM/Backup/RestorerJob.php`, line 43
- **Issue**: The user-supplied filename is concatenated directly into the file path without validation, allowing arbitrary file upload.

#### Attack Chain

1. **Path Traversal**: Upload a malicious `.htaccess` file to override Apache PHP execution restrictions.
2. **Configuration Override**: The malicious `.htaccess` enables PHP execution in the upload directory.
3. **Webshell Upload**: Upload a PHP webshell via the vulnerable endpoint.
4. **Remote Code Execution**: Execute arbitrary commands via the uploaded webshell.

#### Confirmation Results

- Successfully uploaded a `.htaccess` file to override security restrictions.
- Successfully uploaded and executed a PHP webshell.
- Remote command execution confirmed via system commands.
- Full web server user access to the filesystem and application data.

#### Mitigation Measures

- **Immediate Action**: Restrict backup restoration functionality to trusted administrators only.
- **Recommended Vendor Fixes**:
  - Implement strict filename validation and sanitization.
  - Use a whitelist for allowed backup file extensions.
  - Store uploaded files in a non-web-accessible directory.
  - Implement proper file type validation.
  - Add CSRF protection to the backup restoration endpoint.

#### Disclosure Timeline

- 2025-08-26: Reported via GitHub Security Advisory.
- 2025-10-05: ChurchCRM v5.19.0 released, no security improvements specified.
- 2025-10-08: No vendor response; advisory published to coordinate CVE assignment.
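As an added example (not ChurchCRM's code), the kind of filename validation the recommended vendor fixes call for: a strict character policy that cannot match `.htaccess` or traversal sequences, an extension allow list, and a canonical-path check that the result stays inside the restore directory. The class name, the allowed-extension list and the temp-directory demo are assumptions for illustration.

```php
<?php
// Added example, not ChurchCRM code: validate a user-supplied backup filename
// before joining it to the restore directory. Needs PHP 8 (str_ends_with).
// The allowed-extension list is an assumption for illustration.
final class BackupFilenameValidator
{
    private const ALLOWED_EXTENSIONS = ['sql', 'sql.gz', 'tar.gz', 'zip'];
    /** Return the filename unchanged if it is safe, otherwise throw. */
    public static function validate(string $name): string
    {
        if ($name === '' || strlen($name) > 128) {
            throw new InvalidArgumentException('empty or overlong filename');
        }
        // One run of [A-Za-z0-9_-], then one or more dot-separated alphanumeric parts.
        // This rejects slashes, backslashes, NUL bytes, "..", and leading dots
        // (so .htaccess can never pass). \z avoids PCRE's trailing-newline match.
        if (preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+\z/', $name) !== 1) {
            throw new InvalidArgumentException('filename fails character policy');
        }
        foreach (self::ALLOWED_EXTENSIONS as $ext) {
            if (str_ends_with(strtolower($name), '.' . $ext)) {
                return $name;
            }
        }
        throw new InvalidArgumentException('extension not in allow list');
    }

    /** Join to the restore directory and confirm the result stays inside it. */
    public static function resolvePath(string $restoreDir, string $name): string
    {
        $base = realpath($restoreDir);
        if ($base === false) {
            throw new RuntimeException('restore directory does not exist');
        }
        $path = $base . DIRECTORY_SEPARATOR . self::validate($name);
        // The file may not exist yet, so canonicalise its parent directory instead.
        if (realpath(dirname($path)) !== $base) {
            throw new RuntimeException('resolved path escapes restore directory');
        }
        return $path;
    }
}
// Constructed sample inputs: the first is rejected, the second accepted.
foreach (['../../.htaccess', 'backup-2025-10-08.tar.gz'] as $candidate) {
    try {
        echo BackupFilenameValidator::resolvePath(sys_get_temp_dir(), $candidate), PHP_EOL;
    } catch (Exception $e) {
        echo $candidate, ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Validation alone does not address the `.htaccess` step if the restore directory is web-served; keeping that directory outside the document root, as the mitigation list recommends, is what removes the execution path.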