Michael Brooks

**Name of the Vulnerable Software and Affected Versions** CGI:IRC versions prior to 0.5.10 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the nonjs interface of CGI:IRC. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `R` parameter. Multiple vulnerabilities in the CGI:IRC package may lead to a breach of protected information integrity, and exploitation can be done remotely. **Recommendations** For versions prior to 0.5.10, update to version 0.5.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the nonjs interface to minimize the risk of exploitation. Avoid using the `R` parameter in the affected interface until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 3.2.x through 3.2.9 Bugzilla versions 3.4.x through 3.4.9 Bugzilla versions 3.6.x through 3.6.3 Bugzilla versions 4.0.x through 4.0rc1 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI, specifically by creating a clickable link for a `javascript:` or `data:` URI in the URL field. **Recommendations** For Bugzilla versions 3.2.x through 3.2.9, update to version 3.2.10 or later. For Bugzilla versions 3.4.x through 3.4.9, update to version 3.4.10 or later. For Bugzilla versions 3.6.x through 3.6.3, update to version 3.6.4 or later. For Bugzilla versions 4.0.x through 4.0rc1, update to version 4.0rc2 or later.

Name of the Vulnerable Software and Affected Versions: Enhanced CTorrent versions 3.3.2 and earlier CTorrent version 1.3.4 Description: The issue is related to a stack-based buffer overflow in the `btFiles::BuildFromMI` function, which can be triggered by a Torrent file containing a long path. This can cause a denial of service (crash) and potentially allow remote attackers to execute arbitrary code. Recommendations: For Enhanced CTorrent versions 3.3.2 and earlier, consider updating to a newer version that addresses this issue. For CTorrent version 1.3.4, consider updating to a newer version that addresses this issue. As a temporary workaround, consider restricting the handling of Torrent files with long paths to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XAMPP version 1.6.8 **Description** The issue allows remote attackers to spoof critical variables by performing an extract operation on the SERVER superglobal array in the security/xamppsecurity.php file. This can be demonstrated by setting the `REMOTE ADDR` variable to 127.0.0.1, potentially allowing attackers to manipulate the system. **Recommendations** For XAMPP version 1.6.8, consider restricting access to the security/xamppsecurity.php file until a patch is available, or apply a configuration change to prevent the extract operation on the SERVER superglobal array. As a temporary workaround, avoid using the `REMOTE ADDR` variable in security-critical operations.

**Name of the Vulnerable Software and Affected Versions** Profense Web Application Firewall versions 2.6.2 through 2.6.3 **Description** The issue allows remote attackers to hijack the authentication of administrators for various requests, including shutting down the server, sending ping packets, enabling network services, configuring a proxy server, and modifying other settings. This is achieved via parameters in the query string. **Recommendations** For versions 2.6.2 and 2.6.3, consider disabling the `ajax.html` functionality until a patch is available to prevent exploitation of the cross-site request forgery issue. Restrict access to the administrative interface to minimize the risk of unauthorized requests.

**Name of the Vulnerable Software and Affected Versions** Profense Web Application Firewall versions 2.6.2 through 2.6.3 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `proxy` parameter in a `deny log` manage action. This could potentially lead to unauthorized access or control of the affected system. **Recommendations** For Profense Web Application Firewall versions 2.6.2 and 2.6.3, consider restricting access to the `deny log` manage action to minimize the risk of exploitation. Avoid using the `proxy` parameter in this action until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WOW ActiveX versions 2 **Description** The issue concerns multiple insecure methods in the Web On Windows (WOW) ActiveX control. Remote attackers can create and overwrite arbitrary files using the `WriteIniFileString` method, execute arbitrary programs via the `ShellExecute` method, read from the registry, and write to the registry. It is also possible to use these methods together to execute arbitrary code. **Recommendations** For WOW ActiveX version 2, consider disabling the `WriteIniFileString` and `ShellExecute` methods to prevent exploitation until a fix is available. Restrict access to the registry to minimize the risk of unauthorized modifications. Avoid using the WOW ActiveX control for sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 2.11.x through 2.11.9.3 phpMyAdmin versions 3.x through 3.1.0.0 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to "tbl structure.php" with a modified `table` parameter. This can be leveraged to conduct SQL injection attacks and execute arbitrary code. **Recommendations** For phpMyAdmin versions 2.11.x through 2.11.9.3, update to version 2.11.9.4 or later. For phpMyAdmin versions 3.x through 3.1.0.0, update to version 3.1.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** cPanel versions 11.18.3 through 11.19.3 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to execute arbitrary code and perform various administrative actions. Specifically, the vulnerabilities can be exploited through the following API endpoints: "frontend/x2/cron/editcronsimple.html" by manipulating the `command1` parameter, "frontend/x2/sql/adddb.html", "frontend/x2/sql/adduser.html", and "frontend/x2/ftp/doaddftp.html". **Recommendations** For cPanel versions 11.18.3 through 11.19.3, consider restricting access to the mentioned API endpoints as a temporary workaround until a patch is available. Avoid using the `command1` parameter in the "frontend/x2/cron/editcronsimple.html" endpoint until the issue is resolved. Restrict access to the "frontend/x2/sql/adddb.html", "frontend/x2/sql/adduser.html", and "frontend/x2/ftp/doaddftp.html" endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Francisco Burzi PHP-Nuke versions 7.0 through 8.1 my123tkShop e-Commerce-Suite version 0.9.1 phpMyBitTorrent version 1.2.2 TorrentFlux version 2.3 e107 version 0.7.11 WebZE version 0.5.9 Open Media Collectors Database version 1.5.0b4 Labgab version 1.1 **Description** The CAPTCHA implementation uses a code bg.jpg background image and the PHP `ImageString` function in a way that produces an insufficient number of different images. This allows remote attackers to pass the CAPTCHA test via an automated attack using a table of all possible image checksums and their corresponding digit strings. **Recommendations** For Francisco Burzi PHP-Nuke versions 7.0 through 8.1, consider implementing a more secure CAPTCHA system that produces a sufficient number of different images. For my123tkShop e-Commerce-Suite version 0.9.1, restrict access to sensitive areas of the application until a more secure CAPTCHA system is implemented. For phpMyBitTorrent version 1.2.2, disable the CAPTCHA test until a patch is available that addresses the issue. For TorrentFlux version 2.3, avoid using the `ImageString` function for CAPTCHA generation until a more secure alternative is available. For e107 version 0.7.11, consider using a different CAPTCHA implementation that is not vulnerable to automated attacks. For WebZE version 0.5.9, restrict access to the CAPTCHA-protected areas of the application until a more secure CAPTCHA system is implemented. For Open Media Collectors Database version 1.5.0b4, disable the CAPTCHA test until a patch is available that addresses the issue. For Labgab version 1.1, consider implementing a more secure CAPTCHA system that produces a sufficient number of different images.

**Name of the Vulnerable Software and Affected Versions** Etomite version 0.6.1.4 Final **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. The issue is disputed by the vendor, who claims the affected variable is `$ SERVER['PHP SELF']` and states that this is not an Etomite-specific exploit. **Recommendations** For Etomite version 0.6.1.4 Final, consider restricting access to the `index.php` file until a patch is available. As a temporary workaround, avoid using the `$ SERVER['PHP SELF']` variable in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Centreon version 1.4.1 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `fileOreonConf` parameter to (1) "MakeXML.php" or (2) "MakeXML4statusCounter.php" in include/monitoring/engine/. **Recommendations** For Centreon version 1.4.1, consider restricting access to the `MakeXML.php` and `MakeXML4statusCounter.php` files in the include/monitoring/engine/ directory to minimize the risk of exploitation. Avoid using the `fileOreonConf` parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phPay version 2.02.01 **Description** The issue allows remote attackers to conduct directory traversal attacks and include and execute arbitrary local files via a .. (dot dot backslash) in the `config` parameter. This is due to an incomplete blacklist vulnerability in the main.php file. **Recommendations** For phPay version 2.02.01, consider restricting access to the `config` parameter in the main.php file to minimize the risk of exploitation. Avoid using the `config` parameter with untrusted input until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpRPG version 0.8 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible via the `username` parameter in index.php when magic quotes gpc is disabled. **Recommendations** For phpRPG version 0.8, consider enabling magic quotes gpc to prevent SQL injection attacks. As a temporary workaround, restrict access to the index.php file or avoid using the `username` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Anon Proxy Server versions 0.100 through 0.101 **Description** The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the `host` parameter to "diagdns.php" and the `host` parameter, and possibly the `port` parameter to "diagconnect.php". **Recommendations** For Anon Proxy Server versions 0.100 through 0.101, consider disabling access to the diagdns.php and diagconnect.php scripts until a patch is available. Restrict input for the `host` and `port` parameters in these scripts to prevent command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 123tkShop version 0.9.1 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by providing a base64-encoded value of the `admin` parameter to the "shop/admin.php" endpoint. **Recommendations** For version 0.9.1, consider restricting access to the "shop/admin.php" endpoint until a fix is available, and avoid using the `admin` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Simple Machines Forum (SMF) version 1.1.3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting a SQL injection vulnerability in the Sources/Search.php file when MySQL 5 is used. The vulnerability can be triggered via the `userspec` parameter in a search2 action to "index.php". **Recommendations** For Simple Machines Forum (SMF) version 1.1.3, avoid using the `userspec` parameter in the search2 action to "index.php" until a fix is available. Consider restricting access to the search functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iG Shop version 1.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the compare product.php file. **Recommendations** For version 1.4, avoid using the `id` parameter in the compare product.php file until the issue is resolved. As a temporary workaround, consider restricting access to the compare product.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iGeneric iG Shop versions 1.0 through 1.4 **Description** The issue allows remote attackers to execute arbitrary code via the `action` parameter, which is supplied to an `eval` function call in files such as `cart.php` and `page.php`. **Recommendations** For iGeneric iG Shop versions 1.0 through 1.4, consider disabling the `eval` function calls in `cart.php` and `page.php` until a patch is available. Avoid using the `action` parameter in the affected files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iG Calendar version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the user.php file. **Recommendations** For version 1.0, avoid using the `id` parameter in the user.php file until the issue is resolved. As a temporary workaround, consider restricting access to the user.php file to minimize the risk of exploitation.