CVE-2022-44007
Description
An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Session fixation in BACKCLICK Professional 5.9.63 allows an attacker to hijack an authenticated user's session by tricking them into visiting a crafted URL.
Vulnerability
BACKCLICK Professional 5.9.63 (On-Premises) contains a session fixation vulnerability in its file management component, which is implemented in PHP and coexists with the main Java-based web application [1]. To avoid multiple login prompts, the PHP authentication routine retrieves user information from the Java session via an upcall and then creates a matching PHP session. However, when creating a new session, an arbitrary session identifier specified in the ajxp_session query parameter is used without proper validation or regeneration [1]. This allows an attacker to set a known session ID for a victim.
Exploitation
An attacker can craft a URL containing a chosen session identifier in the ajxp_session parameter and trick an authenticated BACKCLICK user into visiting that link (e.g., via phishing or a cross-site request) [1]. When the victim, who already has an active Java session, follows the link, the PHP code creates a new PHP session using the attacker-supplied ID and populates it with the victim's user information inherited from the Java session [1]. The attacker, who knows the session ID, can then use it to access the file management application as the victim [1].
Impact
A successful session fixation attack allows the attacker to take over the victim's authenticated session in the PHP file management component [1]. This grants the attacker the same privileges as the victim user within that component, potentially enabling unauthorized access to files, email marketing data, and other sensitive information managed by BACKCLICK [1]. The scope of compromise depends on the victim's permissions.
Mitigation
As of the disclosure date (2022-11-14), the solution status was marked as "Unknown" by the vendor [1]. The SySS advisory notes that details on remediation were not yet available [1][2]. Users should monitor the vendor for patches and consider restricting access to the BACKCLICK application to trusted networks and users until a fix is deployed [1][2].
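The two patterns below are an added illustration of the mechanism the Vulnerability and Mitigation sections describe; they are not BACKCLICK's code and do not reproduce the SySS advisory. They assume a hypothetical PHP front-end that obtains the already-authenticated user from the Java session through an upcall (the assumed helper `upcallJavaSession()`) and then opens a PHP session for that user. The vulnerable variant adopts whatever `ajxp_session` value arrives in the query string as the PHP session identifier; the hardened variant refuses client-chosen identifiers, rotates the ID at the moment the session gains an identity, and logs any attempt to supply one so defenders can spot it.

```php
<?php
// Added example (hypothetical), not the vendor's code.
// upcallJavaSession() is assumed: it returns the user record held by the
// Java session, or null when the visitor is not logged in there.
function upcallJavaSession(): ?array
{
    // Placeholder for the real upcall to the Java web application.
    return ['id' => 42, 'name' => 'constructed-user'];
}

// --- Vulnerable pattern: the behaviour the advisory describes --------------
// The identifier in ?ajxp_session=... is used verbatim as the PHP session ID,
// so a session whose ID was chosen by someone else becomes authenticated as
// the victim once the user record is copied into it.
function vulnerableSessionSetup(): void
{
    if (isset($_GET['ajxp_session']) && $_GET['ajxp_session'] !== '') {
        session_id($_GET['ajxp_session']);   // no validation, no regeneration
    }
    session_start();
    $user = upcallJavaSession();
    if ($user !== null) {
        $_SESSION['user'] = $user;
    }
}

// --- Hardened pattern ------------------------------------------------------
function hardenedSessionSetup(): void
{
    // Session IDs travel only in the cookie; URL-borne IDs are never honoured
    // and IDs the server did not itself issue are rejected (strict mode).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);

    // Detection hook: a client that still sends ajxp_session in the query
    // string is either a stale integration or an attempted fixation; log it
    // and ignore the value.
    if (isset($_GET['ajxp_session'])) {
        error_log(sprintf(
            'ignored client-supplied ajxp_session from %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
    }

    session_start();
    $user = upcallJavaSession();
    if ($user === null) {
        return;                               // stay anonymous; nothing to bind
    }

    // Privilege change: discard the pre-authentication ID so any identifier
    // known before this point no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}
```

`session_regenerate_id(true)` is the essential line: it issues a fresh server-generated identifier and deletes the old session data, so an identifier that existed before authentication cannot be replayed afterwards. `session.use_strict_mode` complements it by making PHP drop any incoming ID it did not create, which closes the same gap for the cookie channel.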
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BACKCLICK Professional / BACKCLICK Professional
- Range: = 5.9.63
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.