---------------------------------- ChurchInfo Multiple Vulnerabilities ---------------------------------- ChurchInfo is affected by mutliple path disclosures and sql injections. Vulnerabilties -------------- 1) The "PersonID" parameter on the following pages are vulnerable to sql injection and path disclosure. PersonView.php MemberRoleChange.php PropertyAssign.php WhyCameEditor.php GroupPropsEditor.php Reports/PDFLabel.php UserDelete.php - First page gives path disclosure, then when you click yes you have sql injection 2) When an invalid "Number" parameter only the following pages is given a divide by zero error is produced resulting in path disclosure. SelectList.php SelectDelete.php 3) The "DepositSlipID" parameter on the following page is vulnerable to sql injection and path disclosure. DepositSlipEditor.php 3) The "QueryID" parameter on the following page is vulnerable to sql injection and path disclosure. QueryView.php Also specific ids are vulnerable to sql injection. QueryID?id=18 The search box is vulnerable to sql injection. QueryID?id=19 An sql injection can be performed by editing the html source of the form. There is about 5 more forms in this section where you can potenially edit the form, and inject but I did not test each one so I did not list them. 4) The "GroupID" parameter on the following pages are vulnerable to sql injection and path disclosure. GroupView.php GroupMemberList.php MemberRoleChange.php GroupDelete.php /Reports/ClassAttendance.php /Reports/GroupReport.php 5) The "GroupID" parameter on the following pages produces path disclosure when invalid input is given. GroupPropsFormRowOps.php /Reports/ClassAttendance.php /Reports/ClassList.php ConfirmLabels.php /DirectoryReport.php /Reports/NewsLetterLabels.php 6) The "PropertyID" parameter on the following page is vulnerable to sql injection and path disclosure. PropertyEditor.php 7) The "FamilyID" parameter on the following pages are vulnerable to sql injection and path disclosure. Canvas05Editor.php CanvasEditor.php FamilyView.php 8) The "PledgeID" parameter on the following pages are vulnerable to sql injection and path disclosure. PledgeDetails.php Misc Many of the pages produced extract() errors when bogus input was fed leading to path disclosure. A few pages also produced path disclosures when directly accessed. Also some pages when directly accessed gave an sql error about an empty parameter, but were not exploitable when the parameter was given. Since this is an open source product you can simply view the queries from the source, but if it was closed source this could help to determine table structure and queries. Solution -------- Properly cleansing user input before processing would eliminate all these errors. Credit ------ thegreatone2176 Greets ------ Elohimus and pureone