
List:       bugtraq
Subject:    ChurchInfo Multiple Vulnerabilities
From:       thegreatone2176 () yahoo ! com
Date:       2005-08-01 15:04:52
Message-ID: 20050801150452.27456.qmail () securityfocus ! com

----------------------------------
ChurchInfo Multiple Vulnerabilities
----------------------------------

ChurchInfo is affected by multiple path disclosures and SQL injections.

Vulnerabilities
--------------

1) The "PersonID" parameter on the following pages is vulnerable to SQL injection
and path disclosure.

PersonView.php
MemberRoleChange.php
PropertyAssign.php
WhyCameEditor.php
GroupPropsEditor.php
Reports/PDFLabel.php
UserDelete.php - First page gives path disclosure, then when you click yes you have
SQL injection

2) When an invalid "Number" parameter is given on the following pages, a divide by
zero error is produced, resulting in path disclosure.

SelectList.php
SelectDelete.php

3) The "DepositSlipID" parameter on the following page is vulnerable to SQL injection
and path disclosure.

DepositSlipEditor.php

3) The "QueryID" parameter on the following page is vulnerable to SQL injection and
path disclosure.

QueryView.php

Also, specific ids are vulnerable to SQL injection.

QueryID?id=18 The search box is vulnerable to SQL injection.
QueryID?id=19 An SQL injection can be performed by editing the HTML source of the
form.

There are about 5 more forms in this section where you can potentially edit the form
and inject, but I did not test each one so I did not list them.

4) The "GroupID" parameter on the following pages is vulnerable to SQL injection and
path disclosure.

GroupView.php
GroupMemberList.php
MemberRoleChange.php
GroupDelete.php
/Reports/ClassAttendance.php
/Reports/GroupReport.php

5) The "GroupID" parameter on the following pages produces path disclosure when
invalid input is given.

GroupPropsFormRowOps.php
/Reports/ClassAttendance.php
/Reports/ClassList.php
ConfirmLabels.php
/DirectoryReport.php
/Reports/NewsLetterLabels.php

6) The "PropertyID" parameter on the following page is vulnerable to SQL injection
and path disclosure.

PropertyEditor.php

7) The "FamilyID" parameter on the following pages is vulnerable to SQL injection
and path disclosure.

Canvas05Editor.php 
CanvasEditor.php
FamilyView.php

8) The "PledgeID" parameter on the following page is vulnerable to SQL injection
and path disclosure.

PledgeDetails.php

Misc
----
Many of the pages produced extract() errors when bogus input was fed, leading to path
disclosure. A few pages also produced path disclosures when directly accessed. Also,
some pages, when directly accessed, gave an SQL error about an empty parameter, but
were not exploitable when the parameter was given. Since this is an open source
product you can simply view the queries from the source, but if it were closed source
this could help to determine table structure and queries.

Solution
--------
Properly cleansing user input before processing would eliminate all these errors.

Credit
------
thegreatone2176

Greets
------
Elohimus and pureone
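
The following is an added example, not part of the original advisory and not ChurchInfo code, showing one way to apply the "Solution" above to an integer ID parameter such as "PersonID": validate it as an integer, bind it as a query parameter, and keep PHP errors out of the response. The function names, the person table and its columns are hypothetical, and PDO with an in-memory SQLite database is assumed so the block runs offline.

```php
<?php
// Added example. Function, table and column names are hypothetical and are
// not taken from ChurchInfo's source or schema.

// Log errors instead of displaying them, so warnings (extract(), divide by
// zero, SQL errors) cannot reveal the installation path.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Return $input[$name] as an integer >= 1, or null if it is missing, an
// array, or not a plain integer. Using it for "Number" also rules out 0.
function request_id(array $input, string $name): ?int
{
    if (!isset($input[$name]) || !is_string($input[$name])) {
        return null;
    }
    $id = filter_var($input[$name], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look up one person. The id reaches the database only as a bound integer
// parameter, never as part of the SQL text.
function find_person(PDO $db, array $input): ?array
{
    $id = request_id($input, 'PersonID');
    if ($id === null) {
        return null;                 // invalid input: no query is run
    }
    $stmt = $db->prepare('SELECT id, name FROM person WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO person (id, name) VALUES (1, 'Alice'), (2, 'Bob')");

// Constructed inputs standing in for $_GET.
foreach ([['PersonID' => '2'], ['PersonID' => "2'"], ['PersonID' => ['2']], []] as $input) {
    $row = find_person($db, $input);
    echo json_encode($input), ' => ', $row ? $row['name'] : 'rejected', "\n";
}
```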

