CVE-2025-68109

ChurchCRM · Multiple Products

A critical vulnerability exists in the ChurchCRM open-source church management system that allows an authenticated attacker to gain full control over the server.

Executive summary

A critical vulnerability exists in the ChurchCRM open-source church management system that allows an authenticated attacker to gain full control over the server. The flaw lies in the Database Restore function, which fails to properly check uploaded files, enabling an attacker to upload and execute malicious code. This could lead to a complete system compromise, resulting in the theft of sensitive member data and significant operational disruption.

Vulnerability

The vulnerability is an unrestricted file upload in the "Database Restore" feature. The application does not validate the file extension or content of files uploaded through this function. An authenticated attacker with access to this feature can exploit this by first uploading a web shell (e.g., a file with PHP code) and then uploading a specially crafted .htaccess file. The .htaccess file reconfigures the web server to execute the previously uploaded web shell, leading to remote code execution (RCE) when the attacker accesses the file's URL.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation results in a complete compromise of the web server hosting the ChurchCRM application. The potential consequences include theft of sensitive personal information of church members (names, addresses, financial contributions), data manipulation or destruction, and complete service unavailability. A compromised server could also be used as a pivot point to launch further attacks against the internal network, posing a significant risk to the organization's data integrity, reputation, and operational continuity.

Remediation

Immediate Action: Update all instances of ChurchCRM to version 6.5.3 or later, which contains the fix for this vulnerability. After patching, review web server access and error logs for signs of exploitation attempts, such as unusual file uploads or requests for non-standard files (e.g., .php files in an upload directory).

Proactive Monitoring:

  • Monitor web server logs for POST requests to the database restore endpoint that contain files with suspicious extensions (e.g., .php, .phtml, .sh) or the upload of .htaccess files.
  • Implement File Integrity Monitoring (FIM) on the web server to detect the creation of unauthorized files in the webroot or upload directories.
  • Monitor for unusual outbound network traffic from the web server, which could indicate a web shell communicating with an attacker's command-and-control server.
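A defender-side check for the log-monitoring bullets above, added here as an example and not code from the advisory or from the ChurchCRM project: it parses access-log lines in the common "combined" format and flags the indicators listed (executable extensions or .htaccess under the upload directory, POST requests to the restore endpoint). The upload-directory prefix and the restore endpoint path are assumptions, since the advisory names neither; the sample log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Hypothetical paths: the advisory names neither the upload directory nor the
# restore endpoint, so substitute the values from your own deployment.
UPLOAD_DIR_PREFIX = "/uploads/"
RESTORE_ENDPOINT = "/admin/database-restore"
EXECUTABLE_EXT = (".php", ".phtml", ".phar", ".sh")

# Apache/nginx "combined" access log: client, identd, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line; a production job would count these separately
    path = m.group("target").split("?", 1)[0]   # drop the query string
    name = path.rsplit("/", 1)[-1].lower()
    reasons: List[str] = []
    if path.startswith(UPLOAD_DIR_PREFIX):
        if name.endswith(EXECUTABLE_EXT):
            reasons.append("executable-extension-in-upload-dir")
        if name == ".htaccess":
            reasons.append("htaccess-in-upload-dir")
    if m.group("method") == "POST" and path == RESTORE_ENDPOINT:
        reasons.append("restore-endpoint-post")
    if not reasons:
        return None
    # Status matters to the analyst: 200 on a .php under the upload dir means it executed.
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": path,
            "status": int(m.group("status")), "reasons": reasons}

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over a whole log and keep only the lines that produced a finding."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample log (not captured from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "POST /admin/database-restore HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2026:10:00:07 +0000] "GET /uploads/backup.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2026:10:00:09 +0000] "GET /uploads/.htaccess HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2026:10:01:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2026:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Running `scan(SAMPLE_LOG)` yields three findings from the same client in sequence (restore POST, then a .php under the upload directory served with 200, then a .htaccess request), which is the ordering the vulnerability description would produce; the two benign lines produce nothing.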

Compensating Controls:

  • If immediate patching is not feasible, restrict access to the Database Restore functionality to a minimal number of highly trusted administrative accounts.
  • Implement a Web Application Firewall (WAF) with rules to block the upload of files with executable extensions or files named .htaccess.
  • Ensure file permissions for the upload directory are configured to prevent the execution of scripts.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.1 and the potential for complete system compromise, it is strongly recommended that organizations patch this vulnerability with the highest priority. All instances of ChurchCRM should be immediately upgraded to version 6.5.3 or newer. In addition to patching, organizations should conduct a thorough review of user accounts with administrative privileges to ensure the principle of least privilege is enforced and hunt for any indicators of past compromise as outlined in the proactive monitoring section.