lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 3 Feb 2015 13:28:13 +0800
From: Jing Wang <justqdjing@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] My Little Forum Multiple XSS Security Vulnerabilities

*My Little Forum Multiple XSS Security Vulnerabilities*




Exploit Title: My Little Forum Multiple XSS Security Vulnerabilities
Vendor: My Little Forum
Product: My Little Forum
Vulnerable Versions: 2.3.3  2.2  1.7
Tested Version: 2.3.3  2.2  1.7
Advisory Publication: Feb 2, 2015
Latest Update: Feb 2, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]








*Advisory Details:*

*(1) Vendor & Product Description*

*Vendor:*
My Little Forum



*Product & Version:*
My Little Forum
2.3.3
2.2
1.7



*Vendor URL & Download:*
http://mylittleforum.net/




*Product Description:*
“my little forum is a simple PHP and MySQL based internet forum that
displays the messages in classical threaded view (tree structure). It is
Open Source licensed under the GNU General Public License. The main claim
of this web forum is simplicity. Furthermore it should be easy to install
and run on a standard server configuration with PHP and MySQL.”






*(2) Vulnerability Details:*
My Little Forum has a security problem. It can be exploited by XSS attacks.


*(2.1) *The first vulnerability occurs at "forum.php?" page with "page",
"category" parameters.




*(2.2)* The second vulnerability occurs at "board_entry.php?" page with
"page", " order" parameters.




*(2.3)* The third vulnerability occurs at  "forum_entry.php" page with
"order", "page" parameters.








*References:*
http://tetraph.com/security/xss-vulnerability/my-little-forum-multiple-xss-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/my-little-forum-multiple-xss-security.html








--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists