Advisory ID: SYSS-2022-036
Product: BACKCLICK
Manufacturer: BACKCLICK GmbH
Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises)
Vulnerability Type: CWE-384: Session Fixation
Risk Level: Medium
Solution Status: Unknown
Manufacturer Notification: 2022-05-25
Public Disclosure: 2022-11-14
CVE Reference: CVE-2022-44007
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

BACKCLICK is a web application used for e-mail marketing and the creation of newsletters.

The German manufacturer describes the product as follows (see [1]):

"BACKCLICK is a web-based enterprise e-mail marketing solution and newsletter software with which you can create e-mail campaigns and newsletters online and send them to your customers."

Due to the unsafe implementation of session tracking, an attacker can trick users into opening an authenticated user session under a session identifier known to the attacker.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Part of the Java-based management web application is a file management component implemented in PHP. Both parts implement their own session management. To avoid multiple login prompts, the PHP code's authentication routine retrieves the user information from the Java session via an upcall and then creates a matching PHP session.

However, when creating this new session, an arbitrary session identifier supplied in the "ajxp_session" query parameter is used. An attacker can craft a suitable URL and trick an authenticated user into visiting it, thereby creating a new PHP session that inherits the user information from the existing Java session. With knowledge of the session identifier, the file management application can then be accessed as the victim user. This also allows exploiting the known vulnerabilities in that application.
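The session-fixation pattern described above, as an added illustration that is not BACKCLICK's or AjaXplorer's code: the first function adopts a client-supplied session identifier before binding the user to the session, the second refuses client-chosen identifiers and rotates the identifier at the moment the user becomes authenticated. The Java upcall is replaced by the hypothetical lookupJavaSessionUser() stub, and the "ajxp_sessid" parameter name is taken from the PoC.

```php
<?php
// Added illustration (not BACKCLICK's code): the session-fixation pattern the
// advisory describes, next to a hardened variant. lookupJavaSessionUser() is
// a hypothetical stand-in for the upcall into the Java session.
declare(strict_types=1);

/** Hypothetical upcall to the Java side; returns the user name or null. */
function lookupJavaSessionUser(): ?string
{
    // Stand-in only: a real implementation would query the Java session store.
    return $_SERVER['HTTP_X_JAVA_USER'] ?? null;
}

/** VULNERABLE: adopts whatever session identifier the client supplies. */
function startSessionVulnerable(): void
{
    if (isset($_GET['ajxp_sessid'])) {
        session_id($_GET['ajxp_sessid']);      // attacker-chosen identifier
    }
    session_start();
    $user = lookupJavaSessionUser();
    if (empty($_SESSION['user']) && $user !== null) {
        $_SESSION['user'] = $user;              // now bound to the known id
    }
}

/** HARDENED: never accept a client-chosen id; rotate it on privilege change. */
function startSessionHardened(): void
{
    ini_set('session.use_strict_mode', '1');    // reject uninitialised ids
    ini_set('session.use_only_cookies', '1');   // ignore ids carried in the URL
    session_start();                            // id comes from the cookie only
    $user = lookupJavaSessionUser();
    if (empty($_SESSION['user']) && $user !== null) {
        session_regenerate_id(true);            // fresh id once authenticated
        $_SESSION['user'] = $user;
    }
}

/** Re-check an access restriction on every request, not only at login. */
function enforceExternalAccessPolicy(bool $externalRequest, bool $externalAllowed): bool
{
    return !$externalRequest || $externalAllowed;
}
```

In the hardened variant the inherited user is only ever stored under an identifier that PHP generated itself, so a victim who follows a crafted link gets a session the attacker does not know; enforceExternalAccessPolicy() is the per-request check that the advisory's "checked only during login" finding calls for.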
While the management application permits restricting external access, these restrictions are only checked during login and are therefore not effective.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Visiting, for example, the following URL as a user authenticated in the management application initiates a PHP session named "exploit":

https:///bc/ajaxplorer/content.php?ajxp_sessid=exploit&get_action=get_boot_conf

This could also be embedded in a malicious website, e.g. as an iframe, making such an attack less obvious.

The session identifier can then be used to access the AjaXplorer file management and exploit its vulnerabilities, even over the external web server. As described in SYSS-2022-027 [4], that ultimately allows arbitrary code execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Contact the vendor for a solution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-05-25: Vulnerabilities reported to manufacturer
2022-06-28: Advisories provided again, as the originals were not received
2022-07-20: Confirmation, inquiry regarding reproduction of one issue
2022-11-14: No further information received, public disclosure of vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for BACKCLICK
    https://www.backclick.de/
[2] SySS Security Advisory SYSS-2022-036
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-036.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] SySS Security Advisory SYSS-2022-027
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-027.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.
E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en