-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-027
Product: BACKCLICK
Manufacturer: BACKCLICK GmbH
Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises)
Vulnerability Type: Use of Unmaintained Third Party Components (CWE-1104)
Risk Level: High
Solution Status: Unknown
Manufacturer Notification: 2022-05-25
Public Disclosure: 2022-11-14
CVE Reference: CVE-2013-5688/CVE-2013-5689
Author of Advisory: Jannik Vieten, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

BACKCLICK is a web application used for e-mail marketing and the creation
of newsletters.

The German manufacturer describes the product as follows (see [1]):

"BACKCLICK is a web-based enterprise e-mail marketing solution and
newsletter software with which you can create e-mail campaigns and
newsletters online and send them to your customers."

Due to the unmaintained AjaXplorer media management component, BACKCLICK
is vulnerable to directory traversal, arbitrary file upload, and remote
code execution. This is exploitable by authenticated remote attackers on
the internal network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Despite BACKCLICK being a Java application, it makes use of the
third-party component AjaXplorer, which is a PHP software used for media
management. Within BACKCLICK, AjaXplorer is bundled in version 3.2.4 from
June 8, 2011. This version is susceptible to known vulnerabilities
(CVE-2013-5688 and CVE-2013-5689).

The file download function is affected by a directory traversal
vulnerability which allows accessing all files on the server's file
system. Furthermore, the component allows uploading arbitrary file types
and stores them within the web directory of the application. Since the
web server interprets .php and .jsp files, this leads to remote code
execution when uploading malicious PHP or Java code.
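The two defects described above (a download parameter that escapes the media directory via null bytes and "..", and an upload that accepts server-side script files) are both input-validation failures on a user-controlled file name. The following Python is an added example written for this advisory; it is not code from BACKCLICK or AjaXplorer. It assumes a media root directory (MEDIA_ROOT, a hypothetical path) that lives outside the web directory, and shows the checks a download handler and an upload handler should apply: reject null bytes before any path operation, reject ".." components, confine the resolved path to the root, and allowlist upload extensions rather than denylisting them.

```python
import os
from urllib.parse import unquote

# Hypothetical upload root for the example; it lies outside the web directory,
# so nothing stored here is reachable as a URL and nothing here is interpreted.
MEDIA_ROOT = "/srv/backclick-media"

# Allowlist of file types a media manager is expected to serve.
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Interpreter extensions named in the advisory; rejected wherever they appear in
# the name (for example name.php.jpg), as defence in depth beside the allowlist.
SCRIPT_EXTENSIONS = {"php", "jsp"}


def check_download_request(file_param: str, root: str = MEDIA_ROOT):
    """Validate the user-supplied `file` parameter of a download request.

    Returns (True, absolute_path) when the request stays inside `root`,
    otherwise (False, reason). The checks run before the file system is
    touched, and the final realpath comparison also defeats symlink escapes.
    """
    decoded = unquote(file_param)          # the web server decodes %00 and %2e the same way
    if "\x00" in decoded:
        return False, "null byte in path"
    relative = decoded.lstrip("/")         # paths are relative to the media root
    if relative == "":
        return False, "empty path"
    if any(part == ".." for part in relative.split("/")):
        return False, "traversal component"
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, relative))
    if os.path.commonpath([real_root, candidate]) != real_root:
        return False, "resolved outside media root"
    return True, candidate


def check_upload_name(filename: str):
    """Decide whether an uploaded file name may be stored at all.

    Returns (True, sanitized_basename) or (False, reason).
    """
    decoded = unquote(filename)
    if "\x00" in decoded:
        return False, "null byte in name"
    base = os.path.basename(decoded)       # drop any client-supplied directory part
    if base in ("", ".", "..") or base.startswith("."):
        return False, "invalid base name"
    segments = base.lower().split(".")
    if len(segments) < 2:
        return False, "missing extension"
    if any(seg in SCRIPT_EXTENSIONS for seg in segments[1:]):
        return False, "server-side script extension"
    if segments[-1] not in ALLOWED_UPLOAD_EXTENSIONS:
        return False, "extension not allowlisted"
    return True, base


if __name__ == "__main__":
    # The advisory's traversal payload, a plain "..", and a legitimate name.
    for p in ("/%00../%00../%00../var/lib/tomcat9/webapps/bc/META-INF/db-config.xml",
              "../../etc/passwd", "Media_0/logo.png"):
        print(p, "->", check_download_request(p))
    for n in ("webshell.php", "photo.php.jpg", "logo.png"):
        print(n, "->", check_upload_name(n))
```

The order of the checks matters: the null-byte test comes first because os.path functions either raise on embedded nulls or, in older runtimes, truncate at them, which is exactly the behaviour the %00 payload relies on. Storing uploads outside the web directory remains the primary control; the name checks only narrow what gets written there.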
SySS GmbH recommends getting rid of the outdated AjaXplorer component.
For file upload functionalities, it is generally recommended to not
store uploaded files within the web directory of the application. If
this is necessary, the web server must not interpret files of
server-side scripting languages in the upload folder.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

In order to exploit the directory traversal in the file download
function, a GET request to a URL such as the following can be made:

https://example.com/bc/ajaxplorer/content.php?get_action=download&secure_token=[..token..]&file=/%00../%00../%00../%00../%00../%00../%00../var/lib/tomcat9/webapps/bc/META-INF/db-config.xml

This would retrieve the config file containing database credentials.
It is possible that the request needs to be performed with an attack
proxy or a similar tool to prevent path normalization done by web
browsers.

In order to exploit the arbitrary file upload and remote code execution
vulnerabilities, a malicious .php or .jsp file, for example containing a
web shell, can be uploaded. The file is then directly accessible at a
URL like the following:

https://example.com/bc/ajaxplorer/Media_0/webshell.php

When accessing the file, the web server interprets the code and executes
the malicious commands.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Contact vendor for solution.
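While no fix is available, the two request shapes shown in the PoC are easy to spot in web server access logs: a download request to content.php whose file parameter carries null bytes or ".." components, and a request for a .php or .jsp file underneath a Media_ directory of the ajaxplorer path. The following Python is an added example, not part of the advisory, that runs those two rules over a few constructed combined-format access log lines (the sample lines and IP addresses are made up for the example).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/Tomcat combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2022:10:01:02 +0100] "GET /bc/ajaxplorer/content.php?get_action=download&secure_token=abc&file=Media_0/logo.png HTTP/1.1" 200 5120
10.0.0.7 - - [14/Nov/2022:10:01:09 +0100] "GET /bc/ajaxplorer/content.php?get_action=download&secure_token=abc&file=/%00../%00../%00../var/lib/tomcat9/webapps/bc/META-INF/db-config.xml HTTP/1.1" 200 1337
10.0.0.7 - - [14/Nov/2022:10:02:30 +0100] "POST /bc/ajaxplorer/content.php?get_action=upload&secure_token=abc HTTP/1.1" 200 45
10.0.0.7 - - [14/Nov/2022:10:02:41 +0100] "GET /bc/ajaxplorer/Media_0/webshell.php HTTP/1.1" 200 88
10.0.0.9 - - [14/Nov/2022:10:03:00 +0100] "GET /bc/index.html HTTP/1.1" 200 2048
"""

# Minimal parser for the fields the rules need (client IP, timestamp, method, target, status).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

SCRIPT_SUFFIXES = (".php", ".jsp")   # the interpreted extensions the advisory names


def traversal_in_file_param(value: str) -> bool:
    """True when a decoded `file` value contains a null byte or a '..' component.

    parse_qs already percent-decodes, so %00 arrives here as a real null byte;
    it is stripped before the component check so '\\x00..' is still caught.
    """
    if "\x00" in value:
        return True
    return ".." in value.replace("\x00", "").split("/")


def analyze_line(line: str):
    """Return the list of rule names that fire for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # Rule 1: traversal attempt against the AjaXplorer download action.
    if path.endswith("/ajaxplorer/content.php") and query.get("get_action") == ["download"]:
        if any(traversal_in_file_param(v) for v in query.get("file", [])):
            hits.append("traversal-download")
    # Rule 2: a server-side script being requested from an upload directory.
    if "/ajaxplorer/Media_" in path and path.lower().endswith(SCRIPT_SUFFIXES):
        hits.append("script-in-media-dir")
    return hits


def scan_log(text: str):
    """Run both rules over every line and return one finding per rule hit."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for rule in analyze_line(line):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "rule": rule})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A status of 200 on a traversal-download hit is the line worth escalating, since it indicates the file was actually served; the script-in-media-dir rule fires on the access itself, regardless of status, because the upload that created the file is not distinguishable in the access log from a benign one.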
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-05-25: Vulnerabilities reported to manufacturer
2022-06-28: Advisories provided again, as originals were not received
2022-07-20: Confirmation, inquiry regarding reproduction of one issue
2022-11-14: No more information received, public disclosure of
            vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for BACKCLICK
    https://www.backclick.de/
[2] SySS Security Advisory SYSS-2022-027
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-027.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jannik Vieten of SySS GmbH.

E-Mail: jannik.vieten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Jannik_Vieten.asc
Key ID: 0xC3366ECBE2C70C423ECFC123858221C952002FFB
Key Fingerprint: C336 6ECB E2C7 0C42 3ECF C123 8582 21C9 5200 2FFB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwzZuy+LHDEI+z8EjhYIhyVIAL/sFAmNk1zkACgkQhYIhyVIA
L/sgxhAAkH23/uQahrvU1XH7bYO/uHeHGn98FImM68vTVEi4B+X338r9xPsl0l8E
EJaTlsx/u6LTkYEc8Kc8TQnVtqzkF6I8ozQScNy7xdhOTPpKc/W1Avm46gSU6XvO
1gf8/VLs/XLGppXpQjt6S5KhmYQG+8175v1yxYzNpEWYVhf4CeBP18qjbTLLd6fe
7s35YoF/SBtzV0LnU3efWeeJsce3ZS1PO/ob6En0yjBQKEuqZQHtoupbUiCuN6Zp
uSbeo6Tdmh3VnyMXllKjh1Iue8EjLWmm6+UgSi6cEj1NDf2Sp/AU4xkRFlCBdC4+
i0c82OtKA6pYbelF2ujubn1kiexvUDv0WlaD+GyC+dRskcqKJ4FUben0GUwoCC8C
Li5AdQxYW+P7InQ86kPTSuHQQbgiaegUeQwCmabcUjws04e0vtpkqKIJ80/sMAwo
avZZ1plR6HuL1ULKtVWf8qQmTP+XqoAVJkle1tcz3MvzpOCdgBBUP156sCMPXbOa
d6t58EVLCBZEbb/TubAM20qKHLWpYHvtgvWwkHUl2aGlRKOl8raHtCtZbgpvPTyZ
5XdENPlwroBZ/Ux51XZqm/ABZbPtF3uY+YhdYHL5/oEF/qOL5uq03WeJpcYZ6AQV
oLS9QW8lvjjYAv1cMHYaLOWQTFNpcPgyiHO6j5c960O4YQCkGkY=
=T7FO
-----END PGP SIGNATURE-----