lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFWG0-jeUm0ZphWOAtLj5fcFzYKnoXdUmXjNkEvm4Kzh3sWELw@mail.gmail.com> Date: Tue, 3 Feb 2015 13:28:13 +0800 From: Jing Wang <justqdjing@...il.com> To: fulldisclosure@...lists.org Subject: [FD] My Little Forum Multiple XSS Security Vulnerabilities *My Little Forum Multiple XSS Security Vulnerabilities* Exploit Title: My Little Forum Multiple XSS Security Vulnerabilities Vendor: My Little Forum Product: My Little Forum Vulnerable Versions: 2.3.3 2.2 1.7 Tested Version: 2.3.3 2.2 1.7 Advisory Publication: Feb 2, 2015 Latest Update: Feb 2, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: * CVSS Severity (version 2.0): CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend) Impact Subscore: 2.9 Exploitability Subscore: 8.6 Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore] *Advisory Details:* *(1) Vendor & Product Description* *Vendor:* My Little Forum *Product & Version:* My Little Forum 2.3.3 2.2 1.7 *Vendor URL & Download:* http://mylittleforum.net/ *Product Description:* “my little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). It is Open Source licensed under the GNU General Public License. The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL.” *(2) Vulnerability Details:* My Little Forum has a security problem. It can be exploited by XSS attacks. *(2.1) *The first vulnerability occurs at "forum.php?" page with "page", "category" parameters. *(2.2)* The second vulnerability occurs at "board_entry.php?" page with "page", " order" parameters. *(2.3)* The third vulnerability occurs at "forum_entry.php" page with "order", "page" parameters. *References:* http://tetraph.com/security/xss-vulnerability/my-little-forum-multiple-xss-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/02/my-little-forum-multiple-xss-security.html -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists