-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-026
Product: BACKCLICK
Manufacturer: BACKCLICK GmbH
Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises)
Vulnerability Type: Authorization Bypass Through User-Controlled Key (CWE-639)
Risk Level: Medium
Solution Status: Unknown
Manufacturer Notification: 2022-05-25
Public Disclosure: 2022-11-14
CVE Reference: CVE-2022-44005
Author of Advisory: Jannik Vieten, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

BACKCLICK is a web application used for e-mail marketing and the creation
of newsletters.

The German manufacturer describes the product as follows (see [1]):

"BACKCLICK is a web-based enterprise e-mail marketing solution and
newsletter software with which you can create e-mail campaigns and
newsletters online and send them to your customers."

Due to the use of consecutive IDs in verification links, the newsletter
sign-up functionality is vulnerable to the enumeration of subscribers'
e-mail addresses. Furthermore, it is possible to subscribe and verify
other people's e-mail addresses to newsletters without their consent.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When signing up for a newsletter using a publicly accessible subscription
form, a verification link is sent to the registered e-mail address. Such
verification links look like the following:

https://example.com/bc/servlet/web.subscribe?tid=2&mid=0&c=MTRfMQ==doi

This URL contains a parameter named "c" with a base64-encoded ID, for
example "MTRfMQ==", which decodes to the value "14_1". The first number
seems to be the incrementing subscriber number, while the second number
might be a list ID. This is an indication that there are 13 other
subscribers. URL parameters for all other subscribers can be crafted and
submitted to the application.
Since the verification link has already been used, an error message is
shown:

"Sie wurden bereits mit der Email-Adresse jane.doe@example.org erfolgreich
für folgende Newsletter angemeldet [...]."

This message reveals the e-mail address of the original subscriber
matching the used verification ID. If this step is repeated, it is
possible to enumerate all existing subscribers, which poses a privacy
issue.

Furthermore, attackers can subscribe foreign e-mail addresses without
their consent, since the verification ID is guessable.

SySS GmbH recommends using long and random IDs which are not guessable.
Error messages for outdated verification links should not reveal
subscribers' e-mail addresses.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By performing an enumeration attack using specially crafted verification
links as described in the previous section, it was possible to retrieve
e-mail addresses of subscribed users of a tested BACKCLICK installation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Contact vendor for solution.
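To illustrate the weakness and the recommended fix, the following is an added example and not BACKCLICK's code: it reproduces the predictable base64("<subscriber>_<list>") key from the advisory beside a hypothetical hardened double-opt-in store that issues a 256-bit random token, stores only its hash, and answers unknown or reused tokens with one generic message that never contains an e-mail address.

```python
import base64
import hashlib
import secrets

# Weak scheme as described in the advisory: the "c" parameter is only
# base64("<subscriber_no>_<list_id>"), so neighbouring keys follow
# directly from one's own verification link.
def weak_verification_key(subscriber_no: int, list_id: int) -> str:
    return base64.b64encode(f"{subscriber_no}_{list_id}".encode()).decode()

def decode_weak_key(c: str) -> tuple[int, int]:
    subscriber_no, list_id = base64.b64decode(c).decode().split("_")
    return int(subscriber_no), int(list_id)

# Hardened scheme (hypothetical, not the vendor's implementation):
# random token with 256 bits of entropy, only its SHA-256 digest is kept
# server-side, and the response never echoes the subscriber's address.
GENERIC_MESSAGE = "This verification link is invalid or has already been used."
CONFIRMED_MESSAGE = "Your subscription has been confirmed."

class SubscriptionStore:
    def __init__(self) -> None:
        # token digest -> (email, list_id) for subscriptions awaiting confirmation
        self._pending: dict[str, tuple[str, int]] = {}
        self._confirmed: set[tuple[str, int]] = set()

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def subscribe(self, email: str, list_id: int) -> str:
        """Create a pending subscription; the returned token goes into the e-mail link."""
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe base64
        self._pending[self._digest(token)] = (email, list_id)
        return token

    def verify(self, token: str) -> str:
        """Confirm a pending subscription; unknown or reused tokens get the same reply."""
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return GENERIC_MESSAGE  # no hint whether the token ever existed
        self._confirmed.add(record)
        return CONFIRMED_MESSAGE

    def is_confirmed(self, email: str, list_id: int) -> bool:
        return (email, list_id) in self._confirmed
```

Because the store keeps only the digest, a leaked database table does not let anyone complete a pending confirmation, and a second use of a valid link produces the same generic text as a guessed one.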
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-05-25: Vulnerabilities reported to manufacturer
2022-06-28: Advisories provided again, as originals were not received
2022-07-20: Confirmation, inquiry regarding reproduction of one issue
2022-11-14: No more information received, public disclosure of
            vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for BACKCLICK
    https://www.backclick.de/
[2] SySS Security Advisory SYSS-2022-026
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-026.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jannik Vieten of SySS GmbH.

E-Mail: jannik.vieten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Jannik_Vieten.asc
Key ID: 0xC3366ECBE2C70C423ECFC123858221C952002FFB
Key Fingerprint: C336 6ECB E2C7 0C42 3ECF C123 8582 21C9 5200 2FFB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en