RE: XSS vulnerability in Cisco MeetingPlace
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Response: Cisco Unified MeetingPlace XSS Vulnerability
========================
http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml
Revision 1.0
============
For Public Release 2007 August 08 1600 UTC (GMT)
Cisco Response
==============
This is the Cisco PSIRT response to an issue discovered and reported
to Cisco by Roger Jefferiss and Rob Pope of SecureTest Ltd, UK
regarding cross-site scripting (XSS) vulnerability in Cisco Unified
MeetingPlace Web Conferencing.
The original report is available at the following link:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065134.
html
We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.
This vulnerability is documented in Cisco bug ID CSCsi33940.
This Cisco Security Response is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml.
Additional Information
======================
Cisco Unified MeetingPlace Web Conferencing (MP) provides real-time
collaboration functionality to an organization's intranet and
extranet, and integrates Cisco Unified MeetingPlace with a web
server, thus providing users with a browser-based interface. Web
Conferencing enables users to schedule and attend conferences,
access meeting materials, and collaborate on documents from common
web browsers.
Success Template (STPL) and Failure Template (FTPL) parameters are
used to specify the return template of a user request. These
should correspond to an actual template file that resides on the
MP server's file system.
When MP servers running software versions 5.3.235.0 and earlier
receive invalid input for the STPL or FTPL parameters, they return
a HTML error template page. The returned HTML page contains the
original inputted URL.
When this reflected XSS vulnerability is exploited, malicious code
or a script is embedded within the URL and associated with either
the STPL or FTPL parameter. The malicious code is usually in the
form of a script embedded in the URL of a link or the code may be
stored on the vulnerable server or malicious website. An
unsuspecting user is enticed to follow a malicious link to a
vulnerable MP server that injects (reflects) the malicious code
back to the user's browser as the MP server does not have the
requested template file associated with the STPL or FTPL
parameter. Therefore, the MP server responds with the template
used for error pages, which includes the requested URL with the
malicious code, thus causing the target user's browser to execute
it.
Software versions 5.3.333.0 and later of Cisco Unified MeetingPlace
Web Conferencing will return a XML message with an embedded error
code when receiving invalid input for the STPL and FTPL
parameters. The error message is properly and securely formatted
per the XML CDATA specification.
All 5.4 and 6.0 versions of Cisco Unified MeetingPlace Web
Conferencing are unaffected by this vulnerability.
To determine the software version of a Cisco Unified MeetingPlace
Web Conferencing server, access the MP server home page via a HTTP
session; the version information is provided at the bottom of the
home page. The following output shows an example of the text
viewable when accessing the home page of a MeetingPlace Web
Conferencing server running software version 5.3.447.4:
Copyright C 1992-2007 Cisco Systems, Inc. All Rights Reserved.
Version: 5.3.447.4
Workarounds
===========
There are no known workarounds for this vulnerability.
For additional information on XSS attacks and the methods used to
exploit these vulnerabilities, please refer to the Cisco Applied
Intelligence Response "Understanding Cross-Site Scripting (XSS)
Threat Vectors", which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-air-20060922-understanding-
xss.shtml
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Revision History
================
+------------------------------------------------------------------+
| Revision 1.0 | 08th August 2007 | Initial Public Release |
+------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_po
licy.html .
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
Name: Paul Oxman
Title: PSIRT Incident Manager
Work: +65 6317 7418
Fax: +65 6317 5250
Country: Singapore
- -----Original Message-----
From: Disclosure [mailto:Disclosure@xxxxxxxxxxxxxx]
Sent: Wednesday, August 08, 2007 10:30 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS vulnerability in Cisco MeetingPlace
SecureTest Ltd (www.securetest.com) Security Advisory
XSS vulnerability in Cisco MeetingPlace
Date: 18th July 2007
Author: Roger Jefferiss
Application: Cisco MeetingPlace
Risk: Medium
Vendor Status: Replicated and verified by Cisco Systems, patch
available.
Reference: http://www.cisco.com
Overview:
There exists a cross site scripting issue in Cisco MeetingPlace
Application. The result of this is that when a specially crafted web
page with a hidden arbitrary code could be executed on the host
accessing the application.
Details:
Cisco Meetingplace provides a web based application for online
meetings.
It was discovered that a specially crafted script could be executed
on
certain parameters with in Meetingplace application.
The result is script code execution in the local user context in the
host. Preliminary tests concluded the system is vulnerable with most
popular web browsers such as Microsoft Internet Explorer 7.0 and
Mozilla
Firefox 2.0 fully patched.
User intervention (e.g. clicking on a malicious link) is necessary to
trigger the exploit.
Affected Versions:
This vulnerability has been confirmed in the following versions:
- - 4.3.0.246
- - 4.3.0.246.5
- - 5.3.104.0
- - 5.3.104.3
The following versions have been tested and are unaffected due to the
fact they return an xml template:
- - 5.3.333.0
- - 5.3.447
- - 5.3.447.4
- - 5.4.70.0
- - 6.0.170.0
Vendor Response:
Cisco bug ID: CSCsi33940
The above vulnerability was addressed by Cisco Systems recommending
that
you update grade to Version 5.3.333.0 or higher
Please see
http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml for
details.
SecureTest for all your PCI requirements- PCI workshops, PCI Scoping,
Assistance with Self Assessment questionnaires, Gap Analysis, ASV
Scanning, PCI-DSS Audits - SecureTest are an accredited PCI ASV & QSA
company.
Contact SecureTest now to discuss your requirements in more detail on
01844 210310 or e-mail us pci@xxxxxxxxxxxxxx
SecureTest Ltd is a company registered in England and Wales with
company number 4474600
Our VAT number is 793 8555 69
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBRrnvgPDVAGwZg2sUEQKd7gCeJAbglK+ocPUt+2ACgg91EMCRwLcAoLUl
XFcfSbBPtQ7kMbNSxyNFy+3z
=rjvd
-----END PGP SIGNATURE-----