Cisco Unified MeetingPlace Web Conferencing (MP) provides real-time
collaboration functionality to an organization's intranet and extranet, and
integrates Cisco Unified MeetingPlace with a web server, thus providing users
with a browser-based interface. Web Conferencing enables users to schedule and
attend conferences, access meeting materials, and collaborate on documents from
common web browsers.
Success Template (STPL) and Failure Template (FTPL) parameters are used
to specify the return template of a user request. These should correspond to an
actual template file that resides on the MP server's file system.
When MP servers running software versions 220.127.116.11 and earlier receive
invalid input for the STPL or FTPL parameters, they return a HTML error
template page. The returned HTML page contains the original inputted URL.
When this reflected XSS vulnerability is exploited, malicious code or a
script is embedded within the URL and associated with either the STPL or FTPL
parameter. The malicious code is usually in the form of a script embedded in
the URL of a link or the code may be stored on the vulnerable server or
malicious website. An unsuspecting user is enticed to follow a malicious link
to a vulnerable MP server that injects (reflects) the malicious code back to
the user's browser as the MP server does not have the requested template file
associated with the STPL or FTPL parameter. Therefore, the MP server responds
with the template used for error pages, which includes the requested URL with
the malicious code, thus causing the target user's browser to execute it.
Software versions 5.3.333.0 and later of Cisco Unified MeetingPlace Web
Conferencing will return an XML message with an embedded error code when
receiving invalid input for the STPL and FTPL parameters. The error message is
properly and securely formatted per the XML CDATA specification.
All 5.4 and 6.0 versions of Cisco Unified MeetingPlace Web Conferencing
are unaffected by this vulnerability.
To determine the software version of a Cisco Unified MeetingPlace Web
Conferencing server, access the MP server home page via an HTTP session; the
version information is provided at the bottom of the home page. The following
output shows an example of the text viewable when accessing the home page of a
MeetingPlace Web Conferencing server running software version 5.3.447.4:
Copyright © 1992-2007 Cisco Systems, Inc. All Rights Reserved.
All software releases of Cisco Unified MeetingPlace Web Conferencing
are affected prior to the listed Fixed Software versions. There are no known
workarounds for this vulnerability.
Cisco recommends upgrading to a fixed release of Cisco Unified
MeetingPlace Web Conferencing software.
Cisco Bug ID
Fixed Software Version
5.3.333.0 and later.
All 5.4 and 6.0 versions.
6.0.639.4 and later.
For additional information on XSS attacks and the methods used to
exploit these vulnerabilities, please refer to the Cisco Applied Intelligence
Response "Understanding Cross-Site Scripting (XSS) Threat Vectors," which is
available at the following link: