Andreas Sandblad

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows versions prior to XP SP3 and Server 2003 SP2 **Description** The issue allows remote user-assisted attackers to execute arbitrary commands via a crafted file with a "/" character in the filename of the Command Line property, followed by a valid file extension. This could cause the command before the slash to be executed. A remote code execution vulnerability exists due to the way file extensions are handled, potentially allowing an attacker to take complete control of an affected system if a user visits a specially crafted Web site. Significant user interaction is required to exploit this vulnerability. **Recommendations** For Microsoft Windows XP SP1 and SP2, and Server 2003 SP1 and earlier, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting the use of the packager.exe until a patch is available. Avoid using the Command Line property with filenames containing a "/" character followed by a valid file extension in the Windows Object Packager until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Tagger LE (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code via the query string in specific API endpoints, including "tags.php", "sign.php", and "admin/index.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CMS Mundo version 1.0 build 008 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters and fields, including the `news id` parameter in the news module, `searchstring` parameter in the search module, `id` parameter in the webshop module, `username` parameter in index.php, and various fields during a user profile update, such as `Name`, `Address`, `Zip`, `City`, `Country`, and `Email`. **Recommendations** For CMS Mundo version 1.0 build 008, consider restricting access to the news, search, and webshop modules, and limit user profile updates until a fix is available. As a temporary workaround, avoid using the `news id`, `searchstring`, `id`, and `username` parameters in their respective modules, and be cautious with user input in the `Name`, `Address`, `Zip`, `City`, `Country`, and `Email` fields during user profile updates.

**Name of the Vulnerable Software and Affected Versions** DeluxeBB version 1.06 **Description** The issue allows remote attackers to execute arbitrary SQL commands during account registration. This is achieved via the `hideemail`, `languagex`, `xthetimeoffset`, and `xthetimeformat` parameters. **Recommendations** For DeluxeBB version 1.06, consider restricting access to the account registration process until a fix is available, and avoid using the parameters `hideemail`, `languagex`, `xthetimeoffset`, and `xthetimeformat` in the registration endpoint.

**Name of the Vulnerable Software and Affected Versions** DeluxeBB version 1.06 **Description** The issue allows remote attackers to execute arbitrary code via a URL in the `templatefolder` parameter to various PHP files, including 'postreply.php', 'posting.php', and 'pm/newpm.php' in both the 'deluxe/' and 'default/' directories. **Recommendations** For DeluxeBB version 1.06, as a temporary workaround, consider restricting access to the `templatefolder` parameter in the affected PHP files until a patch is available. Avoid using the `templatefolder` parameter in the affected API endpoints, such as 'postreply.php', 'posting.php', and 'pm/newpm.php', until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MyBB version 1.1.2 **Description** The issue allows remote attackers to execute arbitrary PHP code via the `username` field. This is possible due to the use of a preg replace function call with a /e (executable) modifier in the domecode function, located in inc/functions post.php. **Recommendations** For MyBB version 1.1.2, consider disabling the domecode function in inc/functions post.php until a patch is available. Restrict access to the username field to minimize the risk of exploitation. Avoid using the `username` field in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Internet Explorer version 6.0 **Description** The issue allows remote attackers to execute arbitrary code via exceptional conditions that trigger memory corruption. This can occur when a user visits a specially crafted Web site, potentially allowing an attacker to take complete control of an affected system. **Recommendations** For Internet Explorer version 6.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 6 through 7 Beta 2 **Description** A remote code execution issue exists due to the way Internet Explorer handles certain method calls to HTML objects, potentially corrupting system memory and allowing an attacker to execute arbitrary code if a user visits a malicious website. This could result in an attacker taking complete control of an affected system. **Recommendations** For Microsoft Internet Explorer versions 6 through 7 Beta 2, consider disabling the createTextRange call on checkbox objects as a temporary workaround until a patch is available. Restrict access to malicious websites to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Microsoft PowerPoint 2000 in Office 2000 SP3 Description: The issue is related to an interaction between Microsoft PowerPoint 2000 and Internet Explorer, allowing remote attackers to obtain sensitive information. This occurs when a PowerPoint presentation attempts to access objects in the Temporary Internet Files Folder (TIFF). Recommendations: For Microsoft PowerPoint 2000 in Office 2000 SP3, consider restricting access to the Temporary Internet Files Folder to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mozilla Thunderbird versions 1.0.2 through 1.0.7 **Description** The issue allows user-assisted attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by the software, along with an inconsistent Content-Type header. This could be used to trick a user into downloading dangerous content by dragging or saving the attachment. **Recommendations** For Mozilla Thunderbird versions 1.0.2 through 1.0.7, consider avoiding the use of attachments with filenames containing a large number of spaces and ensure consistent Content-Type headers to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ADODB versions prior to 4.70 Mantis versions prior to 1.1.0a PostNuke versions prior to 0.764 Moodle versions prior to 1.5.3 Cacti versions prior to 0.8.6i Xaraya versions prior to 0.98 PHPOpenChat versions prior to 1.0.6 MAXdev MD-Pro versions prior to 1.12 MediaBeez versions prior to 0.9.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands when the MySQL root password is empty. This is possible through the `sql` parameter in the server.php test script. **Recommendations** For ADODB versions prior to 4.70, update to version 4.70 or later. For Mantis versions prior to 1.1.0a, update to version 1.1.0a or later. For PostNuke versions prior to 0.764, update to version 0.764 or later. For Moodle versions prior to 1.5.3, update to version 1.5.3 or later. For Cacti versions prior to 0.8.6i, update to version 0.8.6i or later. For Xaraya versions prior to 0.98, update to version 0.98 or later. For PHPOpenChat versions prior to 1.0.6, update to version 1.0.6 or later. For MAXdev MD-Pro versions prior to 1.12, update to version 1.12 or later. For MediaBeez versions prior to 0.9.1, update to version 0.9.1 or later.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 5.01 through 6 **Description** The issue is related to design errors that allow user-assisted attackers to execute arbitrary code. This is achieved by overlaying a malicious new window above a file download box and then using a keyboard shortcut. The file download box is delayed until the user hits a shortcut that activates the "Run" button. **Recommendations** For Microsoft Internet Explorer versions 5.01 through 6, update to a version that addresses the "File Download Dialog Box Manipulation" issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** cPanel versions 10.2.0-R82 through 10.6.0-R137 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML via a chat message. This is possible by including Javascript in style attributes within tags, which can be processed by Internet Explorer. **Recommendations** For versions 10.2.0-R82 through 10.6.0-R137, consider disabling the Entropy Chat script as a temporary workaround until a patch is available. Restrict access to chat functionality to minimize the risk of exploitation. Avoid using style attributes in tags such as <b> in chat messages until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ATutor versions 1.4.1 through 1.5.1-pl1 **Description** The issue allows remote attackers to execute arbitrary PHP functions. This is possibly due to an eval injection vulnerability, where an attacker can make a direct request to the "forum.inc.php" endpoint with a modified `addslashes` parameter. The attack can be performed by setting either the `asc` or `desc` parameters. **Recommendations** For ATutor versions 1.4.1 through 1.5.1-pl1, consider restricting access to the "forum.inc.php" endpoint until a patch is available. As a temporary workaround, avoid using the `addslashes` parameter with the `asc` or `desc` parameters set in the "forum.inc.php" endpoint.

**Name of the Vulnerable Software and Affected Versions** ATutor versions 1.4.1 through 1.5.1-pl1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the ` base href` parameter in `translate.php`, the ` base path` parameter in `news.inc.php`, and the `p` parameter in `add note.php`. **Recommendations** For ATutor versions 1.4.1 through 1.5.1-pl1, consider disabling access to the `translate.php`, `news.inc.php`, and `add note.php` files until a patch is available. Restrict the use of the ` base href`, ` base path`, and `p` parameters in these files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ATutor versions 1.4.1 through 1.5.1-pl1 **Description** The issue allows remote attackers to include arbitrary files via the `section` parameter followed by a null byte (%00) in files such as `body header.inc.php` and `print.php`. **Recommendations** For ATutor versions 1.4.1 through 1.5.1-pl1, consider restricting access to the `section` parameter to prevent the inclusion of arbitrary files until a patch is available. Avoid using the `section` parameter followed by a null byte (%00) in the affected files, such as `body header.inc.php` and `print.php`, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mantis versions 0.19.2 through 1.0.0RC2 **Description** The issue allows remote attackers to execute arbitrary PHP code and include arbitrary local files via the `t core path` parameter in the bug sponsorship list view inc.php file. **Recommendations** For versions 0.19.2 through 1.0.0RC2, avoid using the `t core path` parameter in the bug sponsorship list view inc.php file until the issue is resolved. Restrict access to the bug sponsorship list view inc.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion versions prior to 6.00.110 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `activate` parameter in "register.php" and the `cat id` parameter in "faq.php". **Recommendations** For versions prior to 6.00.110, update to version 6.00.110 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 1.0.1 Mozilla versions prior to 1.7.6 **Description** The issue allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header. This could be used to trick users into downloading dangerous content. **Recommendations** For Firefox versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. For Mozilla versions prior to 1.7.6, update to version 1.7.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Sun Java JRE versions 1.1.x through 1.4.x **Description** The issue allows remote attackers to write arbitrary files to known locations due to the predictable nature of temporary file names on file systems that use 8.3 style short names. This can facilitate the exploitation of vulnerabilities in applications that rely on unpredictable file names. **Recommendations** For Sun Java JRE versions 1.1.x through 1.4.x, consider restricting access to sensitive locations where temporary files are written until a patch is available. As a temporary workaround, avoid using file systems that utilize 8.3 style short names to minimize the risk of exploitation.