CVE-2022-44008
Description
An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-44008 allows remote attackers to read arbitrary files from the BACKCLICK Professional Tomcat server via URL-encoded path traversal.
Vulnerability
CVE-2022-44008 is a relative path traversal vulnerability (CWE-23) in BACKCLICK Professional 5.9.63 (on-premises). The ImageDisplayServlet, acting as the error handler for HTTP 404, delivers asset files, but it performs its directory-traversal check before URL decoding, so an encoded traversal sequence passes the check and is only decoded afterwards. An attacker can therefore bypass the check by URL-encoding path components (e.g., %2e%2e for ..) and retrieve arbitrary local files from the Tomcat server. Although the Apache reverse proxy normalizes the encoding and blocks exploitation through it, the Tomcat listener is directly reachable over the network on port 8080 [1].
Exploitation
An unauthenticated attacker with network access to the Tomcat HTTP interface (typically port 8080) can send a crafted GET request to /bc/assets/ followed by URL-encoded path traversal sequences. For example, curl --path-as-is http://:8080/bc/assets/%2e%2e/META-INF/db-config.xml retrieves the database configuration file. The check for ../ is performed before URL decoding, so the encoded bypass works [1].
Impact
Successful exploitation leads to information disclosure. The attacker can read any file the Tomcat process has access to, including database configurations (with credentials), source code, or other sensitive data. The impact is limited to file read; no code execution is demonstrated in the advisory [1].
Mitigation
As of publication, no official patch had been released by BACKCLICK GmbH. The vendor was notified on 2022-05-25 but the solution status remains unknown [1]. Until a fixed version is available, administrators should restrict network access to the Tomcat listener (e.g., via firewall rules, binding to localhost only, or disabling direct Tomcat access). The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog as of November 2022.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BACKCLICK/Professional
- Range: =5.9.63
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.