{"vuid":"VU#718896","idnumber":"718896","name":"Cisco Collaboration Server (CCS) ServletExec allows arbitrary file uploading","keywords":["Cisco","Cisco Collaboration Server","CCS","ServletExec","UploadServlet","privilege escalation"],"overview":"There is a vulnerability in the ServletExec subcomponent of the Cisco Collaboration Server (CCS) that could allow an attacker to upload arbitrary files to the server.","clean_desc":"The Cisco Collaboration Server (CCS) is designed to provide interactive customer support (web page sharing, application sharing, text chat, etc.) through a web browser. There is a vulnerability in the UploadServlet of the ServletExec subcomponent of CCS. This vulnerability could allow a remote attacker to upload arbitrary files to the server and subsequently execute those files. As noted in the Cisco Advisory, you can test your CCS to determine if it is vulnerable by attempting to load the following URL: http:///servlet/UploadServlet If a NullPointerException is returned, the system is vulnerable. If a \"Page Not Found\" error is returned, your system is not vulnerable.","impact":"A remote attacker could upload arbitrary files to the CCS and potentially gain administrative privileges.","resolution":"Apply patch\nCisco has released an advisory \"Cisco Collaboration Server Vulnerability\" to address this issue. For more information on applying patches, please refer to the \"Software Versions and Fixes\" section of the Cisco Advisory.","workarounds":"Manually remove UploadServlet class\nAccording to the Cisco Advisory, users may perform the following steps to manually apply the patch: Manual Instructions to Patch CCS 3.x Stop Internet Information Server (IIS). Run Winzip or your favorite zip utility and open ServletExec22.jar in the C:\\Program Files\\new atlanta\\servletexec ISAPI\\lib directory. Delete UploadServlet.class. Save ServletExec22.jar back to its original location and exit Winzip. Restart IIS. Manual Instructions to Patch CCS 4.x Stop Internet Information Server (IIS). Run Winzip or your favorite zip utility and open ServletExec30.jar in the C:\\Program Files\\new atlanta\\servletexec ISAPI\\lib directory. Delete UploadServlet.class. Save ServletExec30.jar back to its original location and exit Winzip. Restart IIS. CCS 5.x is not vulnerable and these manual instructions do not apply.","sysaffected":"","thanks":"This vulnerability was reported by \nthe Cisco Systems Product Security Incident Response Team (\nPSIRT","author":"This document was written by Damon Morda.","public":["http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml","http://www.cisco.com/warp/public/180/prod_plat/cust_cont/cis/web_collaboration.html","http://secunia.com/advisories/11979/","http://www.newatlanta.com/biz/c/products/servletexec/self_help/faq/detail?faqId=195","http://www.cisco.com/application/pdf/en/us/guest/products/ps1001/c1067/ccmigration_09186a008020f9b4.pdf"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-06-30T19:33:09Z","publicdate":"2004-06-30T00:00:00Z","datefirstpublished":"2004-07-09T14:42:34Z","dateupdated":"2004-07-09T14:42:39Z","revision":12,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"7","cam_impact":"17","cam_easeofexploitation":"10","cam_attackeraccessrequired":"20","cam_scorecurrent":"8.925","cam_scorecurrentwidelyknown":"11.15625","cam_scorecurrentwidelyknownexploited":"20.08125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":8.925,"vulnote":null}