*My Little Forum Multiple XSS Security Vulnerabilities*

Exploit Title: My Little Forum Multiple XSS Security Vulnerabilities
Vendor: My Little Forum
Product: My Little Forum
Vulnerable Versions: 2.3.3 2.2 1.7
Tested Version: 2.3.3 2.2 1.7
Advisory Publication: Feb 2, 2015
Latest Update: Feb 2, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*

*(1) Vendor & Product Description*

*Vendor:*
My Little Forum

*Product & Version:*
My Little Forum
2.3.3
2.2
1.7

*Vendor URL & Download:*
http://mylittleforum.net/

*Product Description:*
“my little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). It is Open Source licensed under the GNU General Public License. The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL.”

*(2) Vulnerability Details:*

My Little Forum has a security problem. It can be exploited by XSS attacks.

*(2.1)* The first vulnerability occurs at the "forum.php?" page with the "page" and "category" parameters.

*(2.2)* The second vulnerability occurs at the "board_entry.php?" page with the "page" and "order" parameters.

*(2.3)* The third vulnerability occurs at the "forum_entry.php" page with the "order" and "page" parameters.

*References:*
http://tetraph.com/security/xss-vulnerability/my-little-forum-multiple-xss-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/my-little-forum-multiple-xss-security.html

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
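
A log check for the three script/parameter pairs listed in section (2), as an added example that is not part of the original advisory or of the My Little Forum code base. It assumes combined-format access logs and assumes that "page" and "category" are numeric and "order" is a short identifier; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameters named in the advisory.
WATCHED = {
    "forum.php": {"page", "category"},
    "board_entry.php": {"page", "order"},
    "forum_entry.php": {"order", "page"},
}
# Assumed value shapes (not taken from the forum's source code).
ALLOWED = {
    "page": re.compile(r"\d{1,6}"),
    "category": re.compile(r"\d{1,6}"),
    "order": re.compile(r"[A-Za-z_]{1,32}"),
}
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return [(script, param, decoded_value), ...] for values outside the allowlist."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    watched = WATCHED.get(script)
    if not watched:
        return []
    hits = []
    # parse_qsl percent-decodes once; anything still outside the allowlist is flagged.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in watched and value and not ALLOWED[name].fullmatch(value):
            hits.append((script, name, value))
    return hits

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Feb/2015:10:00:01 +0000] "GET /forum/forum.php?page=2&category=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Feb/2015:10:00:07 +0000] "GET /forum/forum.php?page=1&category=%22%3E%3Cx%3E HTTP/1.1" 200 5300',
    '203.0.113.9 - - [02/Feb/2015:10:00:09 +0000] "GET /forum/board_entry.php?id=7&order=time%3Cx HTTP/1.1" 200 4800',
    '203.0.113.7 - - [02/Feb/2015:10:00:12 +0000] "GET /forum/forum_entry.php?id=7&page=0&order=last_answer HTTP/1.1" 200 4100',
]

def scan(lines):
    return [hit for line in lines for hit in suspicious_params(line)]

if __name__ == "__main__":
    for script, name, value in scan(SAMPLE_LOG):
        print(f"{script}: parameter {name!r} has unexpected value {value!r}")
```

The same allowlist, applied server-side before the values reach any HTML output, is the corresponding input-validation control; output encoding is still needed where the values are echoed.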