Critical RCE, account takeover flaws patched in Rock RMS church management platform

Rock RMS, a ‘relationship management system’ for churches, was affected by a pair of critical vulnerabilities that could lead to account takeover and remote code execution (RCE).

Security researchers who unearthed these and several other less serious flaws in the open source application have urged users to update their systems as soon as possible.

Perhaps best described as a customer relationship management (CRM) platform for religious institutions, Rock RMS enables church leaders to track attendance, handle online donations, and manage relationships with their congregations, among other features.

Nearly 550 churches globally – but mostly in North America – reportedly use the platform.

The application’s ongoing development is funded through voluntary donations, although the security researchers claimed that “in some cases, early access to patches require a paid subscription”.

File upload restriction bypass

The researchers, from the ‘Cyber Security Research Group’, found a critical logic flaw in how a block list function validates file extensions (CVE-2019-18643) that meant attackers could upload malicious files to any system directory via fileUpload.ashx and achieve RCE.

This vulnerability apparently proved tricky to remediate, with a comprehensive patch only emerging four versions after an initial partial fix.

The researchers posted a detailed account of their findings on the Full Disclosure security mailing list on January 2.

Account takeover

The other critical bug in Rock RMS (CVE-2019-18642) allowed a low-privileged user to tamper with the user ID sent to the server when updating their own profile, and so “make changes to any other user”.

This means they could change the system administrator’s email address, perform a password reset, then log in and achieve full application compromise.

Both flaws were assigned a near-maximum CVSS score of 9.8.

A third, medium severity flaw (CVE-2019-18641, CVSS 5.3) in the GetVCard functionality “allowed any unauthenticated user to loop through all sequential user ID’s and exfiltrate user’s personal information”, such as “first name, last name, phone numbers, email address, [and] physical address.”

Security researchers also found several unsecured API calls, a reflected cross-site scripting (XSS) flaw, and information leakage arising from a problem with private calendar access.

Year-long patch process

The researchers alerted Spark Development Network to the file upload, API tag, and GetVCard flaws on January 9, 2020, then reported the account takeover bug on January 16.

Version 8.6 landed three days later, on January 19, although researchers told the maintainers on March 7 that this had only partially fixed the file upload restriction bypass.

It wasn’t until November 5 and November 6, with the release of versions 8.10 and 9.4 respectively, that this issue was fully remediated.

The researchers have advised users to search their content directory for files with potentially malicious extensions such as .aspx, and their web logs for file uploads to directories other than the content directory, as well as “for suspicious iterations looping through objects such as vcard IDs”.
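The two log checks the researchers recommend, as an added example that is not from the article or from the Rock RMS project: it parses constructed IIS-style log lines, flags clients that walk sequential vCard IDs, and flags fileUpload.ashx requests whose target folder resolves outside the content directory. The /GetVCard.ashx path, its id parameter and the folder parameter are assumed names for illustration only.

```python
import re
import posixpath
from collections import defaultdict

# Constructed IIS W3C-style lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# /GetVCard.ashx, its "id" parameter and the "folder" parameter are assumptions, not Rock RMS names.
SAMPLE_LOG = """\
2020-01-10 10:00:01 198.51.100.7 GET /GetVCard.ashx id=101 200
2020-01-10 10:00:02 198.51.100.7 GET /GetVCard.ashx id=102 200
2020-01-10 10:00:02 198.51.100.7 GET /GetVCard.ashx id=103 200
2020-01-10 10:00:03 198.51.100.7 GET /GetVCard.ashx id=104 200
2020-01-10 10:05:00 203.0.113.9 GET /GetVCard.ashx id=42 200
2020-01-10 10:06:00 203.0.113.9 POST /fileUpload.ashx folder=Content/ExternalSite 200
2020-01-10 10:07:00 203.0.113.9 POST /fileUpload.ashx folder=Content/../Bin 200
"""
LINE_RE = re.compile(r"^\S+ \S+ (\S+) (\S+) (\S+) (\S+) \d+$")
CONTENT_DIR = "Content"  # the only folder uploads should ever land in

def parse(log):
    # Yield one dict per well-formed line: client ip, method, lower-cased path, query params.
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, stem, query = m.groups()
            params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
            yield {"ip": ip, "method": method, "stem": stem.lower(), "params": params}

def vcard_enumerators(log, min_run=4):
    """Return client IPs that fetched at least min_run consecutive vCard ids (enumeration)."""
    ids = defaultdict(set)
    for r in parse(log):
        if r["stem"] == "/getvcard.ashx" and r["params"].get("id", "").isdigit():
            ids[r["ip"]].add(int(r["params"]["id"]))
    flagged = []
    for ip, seen in ids.items():
        ordered, run = sorted(seen), 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.append(ip)
                break
    return flagged

def suspicious_uploads(log):
    """Return (ip, folder) for fileUpload.ashx POSTs whose normalised target leaves CONTENT_DIR."""
    hits = []
    for r in parse(log):
        if r["stem"] == "/fileupload.ashx" and r["method"] == "POST":
            folder = r["params"].get("folder", "")
            norm = posixpath.normpath(folder.replace("\\", "/"))  # collapses ../ segments
            if norm != CONTENT_DIR and not norm.startswith(CONTENT_DIR + "/"):
                hits.append((r["ip"], folder))
    return hits
```

Run both functions over the real IIS log after mapping the column order of your own log format into LINE_RE; a tuned min_run keeps ordinary single-vCard lookups out of the result.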

The Daily Swig has contacted the security researchers and Spark Development Network for further comment and will update the article if and when we hear back. 

Source: https://portswigger.net/daily-swig/critical-rce-account-takeover-flaws-patched-in-rock-rms-church-management-platform
