Introduction: Security vulnerabilities are a constant threat to web applications, and the ChurchInfo 1.3. app is no exception. The ChurchInfo app is a popular open-source church management software that aims to help churches track membership, activities, and donation records, among other things.

In this write-up, we will discuss a newly discovered vulnerability (CVE-2021-43258) in ChurchInfo 1.3. where attackers can exploit insecure uploads to achieve remote code execution. We’ll also walk through the exploit details, provide a code snippet to demonstrate the issue, and share links to original references for further study.

The Vulnerability: CVE-2021-43258

The vulnerability in question, CVE-2021-43258, affects a file named "CartView.php" in the ChurchInfo 1.3. application. This vulnerability allows an attacker to execute remote code on the server hosting the application, potentially resulting in unauthorized access to sensitive information or even control of the server itself.

However, there is a catch: to exploit this vulnerability, an attacker needs authenticated access to the ChurchInfo app.

Exploit Details

Once an attacker has authenticated access, they can add names to their cart and compose an email. The email functionality has an attachments feature, which lets users upload files to include as attachments.

Here’s the code snippet where the vulnerability lies:

if (isset($_FILES['attach'])) {
  $attach = $_FILES['attach'];
  // Timestamp prefix plus the client-supplied filename; the extension is never checked
  $sTmpFile = date('YmdHis') . $attach['name'];
  // Written straight into the web-accessible tmp_attach/ directory
  move_uploaded_file($attach['tmp_name'], 'tmp_attach/' . $sTmpFile);
  $sFullFile = 'tmp_attach/' . $sTmpFile;
}

The problem with this code is that it places no restriction on the uploaded file: the client-supplied filename (and therefore its extension) is kept, only prefixed with a timestamp, and neither the file type nor its content is checked. This means that an attacker can upload malicious PHP code as an attachment, which will end up in the web-accessible "/tmp_attach/" folder of the application.

Once the malicious code file is uploaded and stored, all the attacker needs to do is send a GET request to the file's location like this:

http://example.com/tmp_attach/malicious_code.php

The server interprets and executes the malicious PHP code, giving the attacker remote code execution capabilities.

Mitigation and Original References

To mitigate this vulnerability, developers should introduce proper validation and secure handling of uploaded files, such as restricting the allowed file types and performing server-side checks on the uploaded files.
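One way to apply those mitigations, shown here as an added example rather than ChurchInfo's own code: a hardened replacement for the attachment handler that allowlists extensions, verifies the content type server-side, assigns a random filename, and stores the file in a directory assumed to sit outside the web root (the directory name "private_attach" and the function "storeAttachment" are names chosen for this example).

```php
<?php
// Added example (not ChurchInfo's code): a hardened replacement for the
// CartView.php attachment handler. Assumes $attach_dir lies outside the
// web root, so nothing stored there is ever served or executed by the server.
// Allowed extensions mapped to the MIME type the file content must report.
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'txt'  => 'text/plain',
];
const MAX_ATTACH_BYTES = 5 * 1024 * 1024;

// Returns the stored path, or throws on any validation failure.
function storeAttachment(array $attach, string $attach_dir): string
{
    if ($attach['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $attach['error']);
    }
    // Rejects a forged tmp_name that points at an arbitrary server file.
    if (!is_uploaded_file($attach['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($attach['size'] > MAX_ATTACH_BYTES) {
        throw new RuntimeException('attachment too large');
    }
    // Allowlist on the final extension; the client name is otherwise discarded.
    $ext = strtolower(pathinfo($attach['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // Check the actual bytes, not the client-supplied $attach['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($attach['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Random server-chosen name carrying only the allow-listed extension.
    $sTmpFile = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($attach_dir, '/') . '/' . $sTmpFile;
    if (!move_uploaded_file($attach['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    chmod($dest, 0640); // readable by the app user, never executable
    return $dest;
}

if (isset($_FILES['attach'])) {
    $sFullFile = storeAttachment($_FILES['attach'], __DIR__ . '/../private_attach');
}
```

The path returned in $sFullFile is handed to the mailer exactly as before, but since the directory is not served by the web server, a request for the stored file like the one shown earlier returns nothing.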

For more information on this vulnerability and its associated research, please consult the original references:

1. CVE-2021-43258 entry on the CVE List
2. Detailed write-up and proof-of-concept by the vulnerability discoverer

Conclusion

This post highlights the importance of ensuring the security of your web applications. The CVE-2021-43258 vulnerability in ChurchInfo 1.3. is a prime example of how a seemingly innocuous feature can be exploited to perform potentially damaging actions, like remote code execution. Proper validation and security practices, such as validating file uploads and server-side checks, can go a long way in preventing such vulnerabilities. Always be vigilant and stay up-to-date with the latest security news to protect your applications and users.

Timeline

Published on: 11/23/2022 19:15:00 UTC
Last modified on: 11/30/2022 15:52:00 UTC