Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane

From: Jing Wang <justqdjing-Re5JQEeQqe8AvxtiuMwx3w <at> public.gmane.org>
Subject: [FD] My Little Forum Multiple XSS Security Vulnerabilities
Newsgroups: gmane.comp.security.fulldisclosure
Date: Tuesday 3rd February 2015 05:28:13 UTC (over 3 years ago)
*My Little Forum Multiple XSS Security Vulnerabilities*




Exploit Title: My Little Forum Multiple XSS Security Vulnerabilities
Vendor: My Little Forum
Product: My Little Forum
Vulnerable Versions: 2.3.3  2.2  1.7
Tested Version: 2.3.3  2.2  1.7
Advisory Publication: Feb 2, 2015
Latest Update: Feb 2, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]








*Advisory Details:*

*(1) Vendor & Product Description*

*Vendor:*
My Little Forum



*Product & Version:*
My Little Forum
2.3.3
2.2
1.7



*Vendor URL & Download:*
http://mylittleforum.net/




*Product Description:*
“my little forum is a simple PHP and MySQL based internet forum that
displays the messages in classical threaded view (tree structure). It is
Open Source licensed under the GNU General Public License. The main claim
of this web forum is simplicity. Furthermore it should be easy to install
and run on a standard server configuration with PHP and MySQL.”






*(2) Vulnerability Details:*
My Little Forum has a security problem. It can be exploited by XSS attacks.


*(2.1) *The first vulnerability occurs at "forum.php?" page with "page",
"category" parameters.




*(2.2)* The second vulnerability occurs at "board_entry.php?" page with
"page", " order" parameters.




*(2.3)* The third vulnerability occurs at  "forum_entry.php" page with
"order", "page" parameters.








*References:*
http://tetraph.com/security/xss-vulnerability/my-little-forum-multiple-xss-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/my-little-forum-multiple-xss-security.html








--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
 
CD: 12ms