-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2022-028
Product:                   BACKCLICK
Manufacturer:              BACKCLICK GmbH
Tested Version(s):         BACKCLICK Professional 5.9.63 (On-Premises)
Vulnerability Type:        Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Risk Level:                High
Solution Status:           Unknown
Manufacturer Notification: 2022-05-25
Public Disclosure:         2022-11-14
CVE Reference:             CVE-2022-44002
Author of Advisory:        Jannik Vieten, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

BACKCLICK is a web application used for e-mail marketing and the
creation of newsletters.

The German manufacturer describes the product as follows (see [1]):

"BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und
Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter
erstellen und an Ihre Kunden versenden können."

Due to insufficient output encoding of user-supplied data, the web
application is vulnerable to cross-site scripting (XSS) at various
locations.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The BACKCLICK application does not employ sufficient output encoding
when processing user-supplied data. This especially includes characters
with a syntactical meaning in HTML and JavaScript.
Attackers can abuse this to store JavaScript code that is later executed
in another user's browsing context. The injected JavaScript can then
exfiltrate information or control the victim's account.

The vulnerability exists in various locations within the application.
This indicates a structural or architectural problem of BACKCLICK's
input/output handling. Confer the "Proof of Concept" section below 
for exemplary incarnations of the issue.

In order to prevent such vulnerabilities, user-controlled data must be
considered potentially malicious. Filtering the input based on a list
of bad expressions like "<script>" is not recommended.
Instead, untrusted data must be encoded depending on the output
context (see [4]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following examples show locations where injected input leads to
the execution of JavaScript. This list is not intended to be exhaustive.

Visiting a prepared link such as the following:
https://example.com/bc/servlet/bc?targetUrl=/%27%20onload=%27alert(window.location.origin)%27%20x=%27

Within the campaign editor, storing the following code as a comment:
</textarea><img src=1 onerror=alert(1337)>

Within the campaign editor, typing the following into the subject field:
<img src=1 onerror=alert(1337)>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Contact vendor for solution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-05-25: Vulnerabilities reported to manufacturer
2022-06-28: Advisories provided again, as originals were not received
2022-07-20: Confirmation, inquiry regarding reproduction of one issue
2022-11-14: No more information received, public disclosure of vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for BACKCLICK
    https://www.backclick.de/
[2] SySS Security Advisory SYSS-2022-028
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-028.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] OWASP Cross Site Scripting Prevention Cheat Sheet
    https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jannik Vieten of SySS GmbH.

E-Mail: jannik.vieten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Jannik_Vieten.asc
Key ID: 0xC3366ECBE2C70C423ECFC123858221C952002FFB
Key Fingerprint: C336 6ECB E2C7 0C42 3ECF  C123 8582 21C9 5200 2FFB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwzZuy+LHDEI+z8EjhYIhyVIAL/sFAmNk11EACgkQhYIhyVIA
L/vYig//UWUk97eWgiFIz7bAnN4+iiKkl2nCgsthR7KNVkIcmhAtmp70184MHbDy
xzeapjEFvLjGGyDjvhoTrt8mQlB+DJS2swSL+VmWrsjrPKPHEU/+fHiP1L/KgR3C
Nds82+Ob6UIg/jt6Rqh4ekC5hX3TLjBg5BmbX4j/Z9ghur0W6NvqJ6obcQMXyc4e
pHS0YIhmAanhMNbMXG1nW6FZBPSLV3T49rWMRz76d9QYuR9hq4/I0RR+dZm7n26t
HXTGqBsxF3ET/S278fjI2DWv/MwkZwd45FZHRfhY0pIvuP6QHL4PJy13LtXUzVwi
imGj1F05+NSPJQG9cGhRraHJvFrwPy9Kj68hoKMfAtYZktam31Kt5CTixHcpDBVi
CSFnV6zMBh0dgqAKlTSNKvRH/wKKbrUqJc4h2XXbCm1t/149KAXEhyM/uh4obHPm
Ofj0NmsduR8rGICT3olLJFuRkQQaHH8Ig01xjC349IChydpQ147ZGiGITKAqFCjQ
i9PE4lEI+WjeZImMjlGNP7zg+QgSZfSpZsYy+4pYCpevaBaq85ayKOKL+i9VE4sd
eYGcp840C+0cqo192awUpdMqueZxP4HvVxZ1FXpnMWMNtZleomiHwHi69cnL45Qe
U+NCh2uA+q9LTXxvA6rUjWhUPBJO1BDuxB275VKxAB5ApP8+kqE=
=OFPD
-----END PGP SIGNATURE-----