ChurchInfo Multiple Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ChurchInfo Multiple Vulnerabilities
From: thegreatone2176@xxxxxxxxx
Date: 1 Aug 2005 15:04:52 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

----------------------------------
ChurchInfo Multiple Vulnerabilities
----------------------------------

ChurchInfo is affected by mutliple path disclosures and sql injections.

Vulnerabilties
--------------

1) The "PersonID" parameter on the following pages are vulnerable to sql 
injection and path disclosure.

PersonView.php
MemberRoleChange.php
PropertyAssign.php
WhyCameEditor.php
GroupPropsEditor.php
Reports/PDFLabel.php
UserDelete.php - First page gives path disclosure, then when you click yes you 
have sql injection

2) When an invalid "Number" parameter only the following pages is given a 
divide by zero error is produced resulting in path disclosure.

SelectList.php
SelectDelete.php

3) The "DepositSlipID" parameter on the following page is vulnerable to sql 
injection and path disclosure.

DepositSlipEditor.php

3) The "QueryID" parameter on the following page is vulnerable to sql injection 
and path disclosure. 

QueryView.php

Also specific ids are vulnerable to sql injection.

QueryID?id=18 The search box is vulnerable to sql injection.
QueryID?id=19 An sql injection can be performed by editing the html source of 
the form.

There is about 5 more forms in this section where you can potenially edit the 
form, and inject but I did not test each one so I did not list them.

4) The "GroupID" parameter on the following pages are vulnerable to sql 
injection and path disclosure.

GroupView.php
GroupMemberList.php
MemberRoleChange.php
GroupDelete.php
/Reports/ClassAttendance.php
/Reports/GroupReport.php

5) The "GroupID" parameter on the following pages produces path disclosure when 
invalid input is given.

GroupPropsFormRowOps.php
/Reports/ClassAttendance.php
/Reports/ClassList.php
ConfirmLabels.php
/DirectoryReport.php
/Reports/NewsLetterLabels.php

6) The "PropertyID" parameter on the following page is vulnerable to sql 
injection and path disclosure. 

PropertyEditor.php

7) The "FamilyID" parameter on the following pages are vulnerable to sql 
injection and path disclosure.

Canvas05Editor.php 
CanvasEditor.php
FamilyView.php

8) The "PledgeID" parameter on the following pages are vulnerable to sql 
injection and path disclosure.

PledgeDetails.php

Misc
Many of the pages produced extract() errors when bogus input was fed leading to 
path disclosure.
A few pages also produced path disclosures when directly accessed. Also some 
pages when directly accessed gave an sql error about an empty parameter, but 
were not exploitable when the parameter was given. Since this is an open source 
product you can simply view the queries from the source, but if it was closed 
source this could help to determine table structure and queries.

Solution
--------
Properly cleansing user input before processing would eliminate all these 
errors.

Credit
------
thegreatone2176

Greets
------
Elohimus and pureone

Prev by Date: [SECURITY] [DSA 771-1] New pdns packages fix denial of service
Next by Date: TSLSA-2005-0038 - multi
Previous by thread: [SECURITY] [DSA 771-1] New pdns packages fix denial of service
Next by thread: TSLSA-2005-0038 - multi
Index(es):
- Date
- Thread