[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Blind SQL injections in CivicRM



CivicRM extends common CMS platforms (WordPress, Drupal) with a module to manage Civic campaigns, tracking donors, amounts, and campaign CRM type activity.

I tested the WordPress integration of CivicRM 4.7b3 which was found to have blind SQL Injections that allow authenticated users to download arbitrary database content.


The first was in the columns[0][data] parameter when querying a contact relationship in the AJAX query.

http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm/ajax/contactrelationships&context=current&cid=3&draw=1&columns[0][data]=relation%2c%28select*from%28select%28sleep%2820%29%29%29a%29&;..

The actual code path in the PHP was rather convoluted.


The second was in the subType parameter when performing.

http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm%2Fcustom&type=Campaign&subType=3%25%27OR+1%3D1+OR+civicrm_custom_group.extends_entity_column_value%3D%27&entityID=1&cgcount=1&snippet=json

The ease of detection and exploitation of this later issue varies depending whether custom fields exist.


These issues were notified to CivicRM project on 2015-12-21

A reminder was sent 2016-02-05

No recent correspondence has been received on the matter. 

CivicRM have recently performed a security release, there is no indication in the release notes or bug tracking tool as to whether these issues have been addressed or not.



Both injections allow authenticated users to download arbitrary database content (typically this is the same database as the CMS), this may include low privileged WordPress users such as “author”.

Users of CivicRM may want to ensure only trusted users are permitted access to the relevant CMS as role based restrictions will not correctly control access to sensitive data, or deploy WAF like measures (mod-security etc) to further mitigate any risk.


The issues were identified using Burp-Suite Pro. 

The first of these issues can be automatically exploited by SQLmap, so the skill needed to perform the exploit is minimal.