VYPR
Unrated severity · NVD Advisory · Published Jan 21, 2021 · Updated Aug 3, 2024

CVE-2021-3164

Description

ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ChurchRota 2.6.4 allows authenticated remote code execution via arbitrary file upload through a POST to resources.php.

Vulnerability

ChurchRota version 2.6.4 contains an authenticated remote code execution vulnerability. The application fails to properly restrict file uploads; any authenticated user can upload and execute arbitrary files via a POST request to resources.php. No special file upload permission is required, as the code path handling resource uploads does not validate the file type or content [1], [2].
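The narrative above states that the resource-upload code path performs no validation of file type or content. As an added example (not ChurchRota's code and not a patch for it), the following Python function shows the checks a validating upload handler performs before a file is written under a web-served directory: strip path components, allow-list the extension, reject double extensions that name a server-side script type, compare leading bytes against the claimed type, refuse any content containing a PHP open tag, and never reuse the client-supplied name on disk. The allow-list, the magic-byte table and the function names are assumptions of this example.

```python
import os
import re
import secrets

# Allow-list of document types (constructed for this example; the page does not
# say which types ChurchRota intends to accept).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "docx", "txt"}

# Leading bytes expected for each allowed type; plain text has no signature.
MAGIC_BYTES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "docx": b"PK\x03\x04",
}

# A PHP open tag has no business in any uploaded document, whatever its type.
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised when an upload fails a validation check."""


def validate_upload(filename: str, content: bytes) -> str:
    """Validate an uploaded file and return a safe, random storage name.

    Raises UploadRejected when any check fails. Hypothetical helper written
    for this example.
    """
    # 1. Drop any directory components the client supplied (no traversal).
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        raise UploadRejected("empty or invalid filename")

    # 2. Decide the type from the LAST extension only, and refuse double
    #    extensions such as "x.php.txt" that name a server-side script type.
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("missing extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext}")
    if any(p.startswith("php") or p in ("phtml", "phar") for p in parts[1:-1]):
        raise UploadRejected("double extension with script type")

    # 3. The leading bytes must match the claimed type where one is defined.
    magic = MAGIC_BYTES.get(ext)
    if magic is not None and not content.startswith(magic):
        raise UploadRejected(f"content does not look like {ext}")

    # 4. Refuse embedded PHP regardless of the declared type.
    if PHP_TAG_RE.search(content):
        raise UploadRejected("embedded PHP open tag")

    # 5. Store under a random name so the client never controls the path.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload accepts the file."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False
```

Validation in application code is only half of the control: the directory the files are written to should also be configured so the web server never executes scripts from it, which is what turns an over-permissive upload into code execution in the first place.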

Exploitation

An attacker must first log into ChurchRota to obtain a valid session cookie (PHPSESSID). A POST request is then sent to /resources.php?action=newsent with a multipart/form-data body containing a file with arbitrary content (e.g., a PHP web shell). The attacker controls the resourcefile field to set the filename and payload. After upload, the file is accessible under the documents/ directory and can be triggered via HTTP request (e.g., curl localhost/documents/exec.php). The official proof of concept includes a Python script using pwntools and requests to automate the steps [2].

Impact

Successful exploitation allows the attacker to achieve remote code execution on the web server as the web user (typically www-data). This leads to full compromise of confidentiality, integrity, and availability of the ChurchRota application and the underlying server. The attacker can execute arbitrary system commands, read sensitive files, modify data, and potentially pivot to other hosts. The vulnerability does not require any special privileges beyond a basic authenticated session [1], [2].

Mitigation

No official patch or fixed version has been released as of the publication date (January 2021). The repository appears to have no subsequent security updates addressing this issue. As a workaround, administrators should restrict access to resources.php via web server rules or disable file upload functionality entirely if not required. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Users should consider migrating to an alternative solution if no patch becomes available [1].
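With no fix available, detecting the request sequence described under Exploitation is the practical complement to the access restrictions suggested above. The following added example (not from the page or the ChurchRota project) scans Apache combined-format access log lines for a POST to resources.php?action=newsent followed, from the same client, by a request for a script-typed file under documents/. The sample log lines, client addresses, user agents and the correlation window are constructed for this example; a script request under documents/ with no preceding upload from that client is still reported at lower severity, since that directory should only ever serve documents.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not real ChurchRota logs).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jan/2021:10:14:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jan/2021:10:14:09 +0000] "POST /resources.php?action=newsent HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
203.0.113.5 - - [21/Jan/2021:10:14:10 +0000] "GET /documents/exec.php HTTP/1.1" 200 57 "-" "curl/7.68.0"
198.51.100.7 - - [21/Jan/2021:10:20:31 +0000] "POST /resources.php?action=newsent HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jan/2021:10:20:40 +0000] "GET /documents/rota-march.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Jan/2021:11:02:17 +0000] "GET /documents/old.php HTTP/1.1" 200 12 "-" "curl/7.68.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The upload endpoint named on the page, and script-typed files under documents/.
UPLOAD_RE = re.compile(r"^/resources\.php\?(?:.*&)?action=newsent(?:&|$)")
SCRIPT_RE = re.compile(r"^/documents/[^?]*\.(?:php\d?|phtml|phar)(?:\?|$)", re.IGNORECASE)


def detect(lines, window_seconds=3600):
    """Return alerts for script requests under documents/, correlated with
    preceding uploads to resources.php from the same client.

    Hypothetical detector written for this example; the window is an assumption.
    """
    uploads = defaultdict(list)  # client ip -> timestamps of upload POSTs
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the run
        ip, path = m["ip"], m["path"]
        ts = datetime.strptime(m["ts"], TS_FMT)

        if m["method"] == "POST" and UPLOAD_RE.match(path):
            uploads[ip].append(ts)
            continue

        if SCRIPT_RE.match(path):
            # Any upload from this client within the window before the request
            # turns a suspicious request into a likely upload-then-execute chain.
            recent = [u for u in uploads[ip]
                      if 0 <= (ts - u).total_seconds() <= window_seconds]
            alerts.append({
                "ip": ip,
                "time": m["ts"],
                "path": path,
                "user_agent": m["ua"],
                "severity": "high" if recent else "medium",
                "reason": ("script under documents/ requested shortly after an "
                           "upload via resources.php" if recent else
                           "script under documents/ requested (no matching upload seen)"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["severity"].upper(), alert["ip"], alert["path"], "-", alert["reason"])
```

On the constructed sample the detector raises a high-severity alert for 203.0.113.5 (upload followed one second later by a request for documents/exec.php) and a medium-severity alert for 192.0.2.9, while the legitimate PDF download from 198.51.100.7 is left alone. Because the status code is captured, a production version could also suppress 404s on the script request, which indicate the file was never written.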

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

News mentions: 0 (no linked articles in our index yet)