===================================================================== CERT-Renater Note d'Information No. 2007/VULN341 _____________________________________________________________________ DATE : 09/08/2007 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Cisco Unified MeetingPlace servers running software versions 5.3.235.0 and earlier. ====================================================================== Cisco Security Response: Cisco Unified MeetingPlace XSS Vulnerability http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml Revision 1.0 ============ For Public Release 2007 August 08 1600 UTC (GMT) Cisco Response ============== This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Roger Jefferiss and Rob Pope of SecureTest Ltd, UK regarding cross-site scripting (XSS) vulnerability in Cisco Unified MeetingPlace Web Conferencing. The original report is available at the following link: http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065134.html We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports. This vulnerability is documented in Cisco bug ID CSCsi33940. This Cisco Security Response is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml. Additional Information ====================== Cisco Unified MeetingPlace Web Conferencing (MP) provides real-time collaboration functionality to an organization's intranet and extranet, and integrates Cisco Unified MeetingPlace with a web server, thus providing users with a browser-based interface. Web Conferencing enables users to schedule and attend conferences, access meeting materials, and collaborate on documents from common web browsers. Success Template (STPL) and Failure Template (FTPL) parameters are used to specify the return template of a user request. These should correspond to an actual template file that resides on the MP server's file system. When MP servers running software versions 5.3.235.0 and earlier receive invalid input for the STPL or FTPL parameters, they return a HTML error template page. The returned HTML page contains the original inputted URL. When this reflected XSS vulnerability is exploited, malicious code or a script is embedded within the URL and associated with either the STPL or FTPL parameter. The malicious code is usually in the form of a script embedded in the URL of a link or the code may be stored on the vulnerable server or malicious website. An unsuspecting user is enticed to follow a malicious link to a vulnerable MP server that injects (reflects) the malicious code back to the user's browser as the MP server does not have the requested template file associated with the STPL or FTPL parameter. Therefore, the MP server responds with the template used for error pages, which includes the requested URL with the malicious code, thus causing the target user's browser to execute it. Software versions 5.3.333.0 and later of Cisco Unified MeetingPlace Web Conferencing will return a XML message with an embedded error code when receiving invalid input for the STPL and FTPL parameters. The error message is properly and securely formatted per the XML CDATA specification. All 5.4 and 6.0 versions of Cisco Unified MeetingPlace Web Conferencing are unaffected by this vulnerability. To determine the software version of a Cisco Unified MeetingPlace Web Conferencing server, access the MP server home page via a HTTP session; the version information is provided at the bottom of the home page. The following output shows an example of the text viewable when accessing the home page of a MeetingPlace Web Conferencing server running software version 5.3.447.4: Copyright (c) 1992-2007 Cisco Systems, Inc. All Rights Reserved. Version: 5.3.447.4 Workarounds =========== There are no known workarounds for this vulnerability. For additional information on XSS attacks and the methods used to exploit these vulnerabilities, please refer to the Cisco Applied Intelligence Response "Understanding Cross-Site Scripting (XSS) Threat Vectors", which is available at the following link: http://www.cisco.com/warp/public/707/cisco-air-20060922-understanding-xss.shtml THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Revision History ================ +------------------------------------------------------------------+ | Revision 1.0 | 08th August 2007 | Initial Public Release | +------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html . This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================