CVE-2022-44006
Description
An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation or sanitization of upload filenames, an externally reachable, unauthenticated update function permits writing files outside the intended target location. Achieving remote code execution is possible, e.g., by uploading an executable file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated relative path traversal in BACKCLICK Professional 5.9.63 allows writing arbitrary files, enabling remote code execution via a web shell.
Vulnerability
The servlet at /bc/servlet/gui.FileUpload in BACKCLICK Professional 5.9.63 (On-Premises) accepts HTML form file uploads without requiring authentication [1]. The file name from the "name" parameter is not properly validated or sanitized; by including ../ path traversal sequences, an attacker can write files outside the intended target directory [1]. This condition is reachable via the external web interface with no prior authentication [1].
Exploitation
An attacker sends a crafted HTTP request to the /bc/servlet/gui.FileUpload endpoint with a file name containing relative path components (e.g., ../../assets/shell.jsp) [1]. The servlet constructs the target file path using this value without sanitization, allowing the file to be written to an arbitrary location where the application server has write permissions [1]. No user interaction or special privileges are required; the function is externally reachable [1].
Impact
Successful exploitation allows an attacker to write a malicious JSP web shell to a web-accessible directory (such as /assets/) [1]. This results in remote code execution on the application server with the privileges of the application server process [1]. The attacker can then fully compromise the BACKCLICK system and potentially pivot to other internal resources [1][2].
Mitigation
As of the public disclosure date (2022-11-14), the manufacturer has not released a fix or acknowledged a solution status [1]. No workarounds are documented in the available references. Affected installations should assume the product remains vulnerable until a patch is provided [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
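As an added illustration (not from the CVE references, the vendor, or the BACKCLICK code base), the two controls a defender expects an upload handler to apply to a client-supplied file name, plus a small log-review helper; the upload directory and file names are constructed for the example:

```python
import posixpath
import re

# Constructed value for the example; the product's real upload directory is not given on the page.
UPLOAD_DIR = "/srv/bc/uploads"

# Allow-list for the client-supplied name: exactly one path component, no separators,
# no leading dot (so '..' and hidden files are rejected), no NUL, conservative character set.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def safe_target_path(base_dir: str, client_name: str) -> str:
    """Return the on-disk path for an upload, or raise ValueError.

    Two independent controls, so that loosening one later does not reopen the hole:
      1. the name must match the allow-list (rejects '/', '\\', '..', NUL bytes);
      2. the normalised result must still lie under base_dir.
    File-type restrictions (e.g. refusing server-side script extensions) are a
    separate control not shown here.
    """
    if not _SAFE_NAME.fullmatch(client_name):
        raise ValueError("rejected upload file name: %r" % client_name)
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, client_name))
    if posixpath.commonpath([base, target]) != base:
        raise ValueError("upload would escape %s: %r" % (base, client_name))
    return target


def accepts(base_dir: str, client_name: str) -> bool:
    """True if safe_target_path would store the file, False if it rejects the name."""
    try:
        safe_target_path(base_dir, client_name)
        return True
    except ValueError:
        return False


def is_traversal_attempt(client_name: str) -> bool:
    """Log-review helper: flag names carrying a separator or a '..' component,
    after undoing the URL-encoded forms that often appear in access logs."""
    decoded = client_name.lower().replace("%2e", ".").replace("%2f", "/").replace("%5c", "\\")
    parts = re.split(r"[/\\]", decoded)
    return len(parts) > 1 or parts[0] == ".."


if __name__ == "__main__":
    for name in ("newsletter.html", "../../assets/shell.jsp", "..%2F..%2Fassets%2Fshell.jsp"):
        print("%-32s accepted=%-5s traversal=%s" % (name, accepts(UPLOAD_DIR, name), is_traversal_attempt(name)))
```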
Affected products
- BACKCLICK/Professional
- Range: =5.9.63
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.