ChurchInfo SQL injection

churchinfo-sql-injection (21647) Risk level: Medium

Description:

ChurchInfo is vulnerable to SQL injection, caused by improper validation of user-supplied input. A remote authenticated attacker could send a specially-crafted SQL statement to the WhyCameEditor.php script using the PersonId parameter, to the DepositSlipEditor.php script using the DepositSlipID parameter, to the AutoPaymentEditor.php and Canvas05Editor.php scripts using the FamilyID parameter, and to the CanvasEditor.php script, which would allow the attacker to add, modify or delete data in the backend database.
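The flaw described above is the classic pattern of a numeric record id from the request being pasted into SQL text. The following is an added example, not ChurchInfo's own code: it reproduces that pattern against a constructed in-memory SQLite table (the table and column names `person`, `person_id`, `first_name` are assumptions, not the ChurchInfo schema) and sets it beside the hardened form, which accepts only a string of decimal digits and binds the value as a query parameter.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for a person table; the real
    # ChurchInfo schema is not reproduced here (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person (person_id INTEGER PRIMARY KEY, first_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO person VALUES (?, ?)",
        [(1, "Alice"), (2, "Bob"), (3, "Carol")],
    )
    return conn


def lookup_person_vulnerable(conn, person_id):
    # The flawed pattern: the raw request parameter becomes part of the SQL
    # text, so anything other than a plain number changes the query itself.
    sql = "SELECT person_id, first_name FROM person WHERE person_id = " + person_id
    return conn.execute(sql).fetchall()


def parse_record_id(value):
    # Strict allow-list: a record id is a non-empty string of ASCII digits.
    # Anything else (quotes, spaces, keywords, signs) is rejected outright.
    if not isinstance(value, str) or not value.isdigit():
        raise ValueError("invalid record id: %r" % (value,))
    return int(value)


def lookup_person_safe(conn, person_id):
    # Hardened form: validate first, then bind the integer as a parameter so
    # the database never interprets request data as SQL.
    pid = parse_record_id(person_id)
    sql = "SELECT person_id, first_name FROM person WHERE person_id = ?"
    return conn.execute(sql, (pid,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_person_vulnerable(db, "2"))        # one row
    print(lookup_person_vulnerable(db, "2 OR 1=1"))  # every row: the query was altered
    print(lookup_person_safe(db, "2"))               # one row
    try:
        lookup_person_safe(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The validation step matters even with parameter binding: rejecting a malformed id at the edge gives a clean error to log and alert on, instead of a database error page that leaks query structure.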


Consequences:

Data Manipulation

Remedy:

Upgrade to the latest version of ChurchInfo (1.2.9 or later), available from SourceForge.net. See References.

References:

  • BugTraq Mailing List, 2005-08-01 15:04:52: ChurchInfo Multiple Vulnerabilities.
  • SourceForge.net: Project: ChurchInfo: Summary.
  • BID-14438: ChurchInfo Multiple SQL Injection Vulnerabilities
  • CVE-2005-2473: Multiple SQL injection vulnerabilities in ChurchInfo allow remote attackers to execute arbitrary SQL commands via the PersonID parameter to (1) PersonView.php, (2) MemberRoleChange.php, (3) PropertyAssign.php, (4) WhyCameEditor.php, (5) GroupPropsEditor.php, (6) Reports/PDFLabel.php, or (7) UserDelete.php, (8) DepositSlipID parameter to DepositSlipEditor.php, (9) QueryID parameter to QueryView.php, GroupID parameter to (10) GroupView.php, (11) GroupMemberList.php, (12) MemberRoleChange.php, (13) GroupDelete.php, (14) /Reports/ClassAttendance.php, or (15) /Reports/GroupReport.php, (16) PropertyID parameter to PropertyEditor.php, FamilyID parameter to (17) Canvas05Editor.php, (18) CanvasEditor.php, or (19) FamilyView.php, or (20) PledgeID parameter to PledgeDetails.php.
  • OSVDB ID: 18408: ChurchInfo Canvas05Editor.php FamilyID Variable SQL Injection
  • OSVDB ID: 18409: ChurchInfo CanvasEditor.php FamilyID Variable SQL Injection
  • OSVDB ID: 18410: ChurchInfo ClassAttendance.php GroupID Variable SQL Injection
  • OSVDB ID: 18411: ChurchInfo DepositSlipEditor.php DepositSlipID Variable SQL Injection
  • OSVDB ID: 18412: ChurchInfo FamilyView.php FamilyID Variable SQL Injection
  • OSVDB ID: 18413: ChurchInfo GroupDelete.php GroupID Variable SQL Injection
  • OSVDB ID: 18414: ChurchInfo GroupMemberList.php GroupID Variable SQL Injection
  • OSVDB ID: 18415: ChurchInfo GroupPropsEditor.php PersonID Variable SQL Injection
  • OSVDB ID: 18416: ChurchInfo GroupReport.php GroupID Variable SQL Injection
  • OSVDB ID: 18417: ChurchInfo GroupView.php GroupID Variable SQL Injection
  • OSVDB ID: 18418: ChurchInfo MemberRoleChange.php Multiple Variable SQL Injection
  • OSVDB ID: 18419: ChurchInfo PDFLabel.php PersonID Variable SQL Injection
  • OSVDB ID: 18420: ChurchInfo PersonView.php PersonID Variable SQL Injection
  • OSVDB ID: 18421: ChurchInfo PledgeDetails.php PledgeID Variable SQL Injection
  • OSVDB ID: 18422: ChurchInfo PropertyAssign.php PersonID Variable SQL Injection
  • OSVDB ID: 18423: ChurchInfo PropertyEditor.php PropertyID Variable SQL Injection
  • OSVDB ID: 18424: ChurchInfo QueryView.php Multiple Variable SQL Injection
  • OSVDB ID: 18427: ChurchInfo UserDelete.php PersonID Variable SQL Injection
  • OSVDB ID: 18428: ChurchInfo WhyCameEditor.php PersonID Variable SQL Injection
  • SA16292: ChurchInfo SQL Injection Vulnerabilities
  • SECTRACK ID: 1014617: ChurchInfo Input Validation Holes Permit SQL Injection
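The CVE-2005-2473 entry above names the vulnerable id parameters (PersonID, DepositSlipID, QueryID, GroupID, PropertyID, FamilyID, PledgeID), all of which should only ever carry a decimal integer. An administrator who cannot upgrade immediately, or who wants to know whether the issue was probed before the upgrade, can check the web server access log for non-numeric values in those parameters. This is an added example, not part of the advisory: it parses Common Log Format lines (the log lines and the `/churchinfo/` install path are constructed for the example) and reports every request where one of the listed parameters holds anything other than digits.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names taken from the CVE-2005-2473 reference; compared
# case-insensitively because the advisory text spells PersonId both ways.
ID_PARAMS = {"personid", "depositslipid", "queryid", "groupid",
             "propertyid", "familyid", "pledgeid"}

# Common Log Format: the request line is the quoted "METHOD URI PROTO" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two ordinary requests and two probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Aug/2005:10:15:01 +0000] "GET /churchinfo/PersonView.php?PersonID=42 HTTP/1.1" 200 1832',
    '10.0.0.9 - - [02/Aug/2005:10:15:07 +0000] "GET /churchinfo/WhyCameEditor.php?PersonID=42%27 HTTP/1.1" 500 512',
    '10.0.0.9 - - [02/Aug/2005:10:15:09 +0000] "GET /churchinfo/FamilyView.php?FamilyID=7+OR+1%3D1 HTTP/1.1" 200 9021',
    '10.0.0.5 - - [02/Aug/2005:10:15:12 +0000] "GET /churchinfo/GroupView.php?GroupID=3 HTTP/1.1" 200 2210',
]


def suspicious_params(uri):
    """Return (path, name, decoded value) for each id parameter that is not all digits."""
    parts = urlsplit(uri)
    hits = []
    # parse_qsl percent-decodes and turns '+' into a space, so the value
    # inspected here is what the PHP script would actually have received.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in ID_PARAMS and not value.isdigit():
            hits.append((parts.path, name, value))
    return hits


def scan_log(lines):
    """Scan CLF lines and return one finding dict per malformed id parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        for path, name, value in suspicious_params(m.group("uri")):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": path,
                "param": name,
                "value": value,
                "status": m.group("status"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(time)s %(ip)s %(path)s %(param)s=%(value)r -> %(status)s" % f)
```

Only GET parameters appear in a standard access log; requests that pass the same ids in a POST body are not visible this way, so the check is a useful triage signal rather than a complete record.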

Platforms Affected:

  • ChurchInfo 1.2.2

Reported:

Aug 02, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
