Paul Johnston

Name of the Vulnerable Software and Affected Versions: Opera (affected versions not specified) Description: The issue allows web sites to set cookies for country-specific top-level domains that have DNS A records. This could enable remote attackers to perform a session fixation attack and hijack a user's HTTP session. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Mozilla Firefox versions 0.9.2 through 2.x Description: The issue allows web sites to set cookies for country-specific top-level domains, which could enable remote attackers to perform a session fixation attack and hijack a user's HTTP session. Recommendations: For Mozilla Firefox versions 0.9.2 through 2.x, consider restricting the setting of cookies for country-specific top-level domains to minimize the risk of session fixation attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeScripts VisitorBook LE (affected versions not specified) **Description** The issue allows remote attackers to use the VisitorBook as an open mail relay when $mailuser is 1, via extra headers in the `email` field. Additionally, it enables attackers to cause the guestbook database to be deleted via a large number of line breaks that exceeds the `$max posts` variable. This occurs because the software does not properly escape line breaks in input. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeScripts VisitorBook LE (affected versions not specified) **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This allows remote attackers to inject arbitrary HTML or web script via several parameters, including the `do` parameter, the `user` parameter from a host with a malicious reverse DNS name, and via quote marks or ampersands in other parameters. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeScripts VisitorBook LE (affected versions not specified) **Description** The issue allows remote attackers to spoof the origin of their incoming requests, facilitating cross-site scripting (XSS) attacks. This is possible because the FreeScripts VisitorBook LE logs the reverse DNS name of a visiting host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.