“my little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). It is Open Source licensed under the GNU General Public License. The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL.
- Usenet like threaded tree structure of the messages
- Different views of the threads possible (classical, table, folded)
- Categories and tags
- BB codes and smilies
- Template engine (Smarty)
- Different methods of spam protection (can be combined: graphical/mathematical CAPTCHA, wordfilter, IP filter, Akismet, Bad-Behavior)
- Localization: language files, time zone and UTF-8 support (see current version for already available languages)”
(2) Vulnerability Details:
My Little Forum is vulnerable to cross-site scripting (XSS). A remote attacker can craft a request that, when opened by a user, executes arbitrary script code in that user's browser session within the trust relationship between their browser and the server.
Several similar vulnerabilities in this product have been reported by other researchers before, and My Little Forum has patched some of them. The MITRE Corporation, a not-for-profit organisation that operates multiple federally funded research and development centers (FFRDCs) providing practical solutions to critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity, has published advisories, guidance and solution details related to XSS vulnerabilities.
(2.1) The first flaw is in the "forum.php" page, in the "page" and "category" query parameters.
(2.2) The second flaw is in the "board_entry.php" page, in the "page" and "order" query parameters.
(2.3) The third flaw is in the "forum_entry.php" page, in the "order" and "page" query parameters.
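The advisory does not show the affected code, so the following is an added, illustrative example (not my little forum's own source) of the usual cause of this class of bug, reflected query parameters echoed unescaped into HTML, beside a hardened version; the parameter names "page" and "order" come from the advisory, while the allowed sort values and the pager markup are assumptions.

```php
<?php
// Illustrative only: NOT my little forum's code. Shows the generic pattern
// behind reflected XSS in query parameters such as "page" and "order", and
// one way to harden it (validate on input, encode on output).

// --- Vulnerable pattern (assumed): the raw query value is concatenated
//     straight into markup, so a value containing quotes or angle brackets
//     changes the structure of the page instead of being shown as text.
function render_pager_unsafe(array $get): string
{
    $page = $get['page'] ?? '1';
    return '<a href="forum.php?page=' . $page . '">next</a>';
}

// --- Hardened pattern: enforce the expected type or allow-list first ...
function clean_page(array $get): int
{
    // A page number is a positive integer; anything else falls back to 1.
    $page = filter_var($get['page'] ?? 1, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    return $page === false ? 1 : $page;
}

function clean_order(array $get): string
{
    // "order" selects a sort mode, so only known values are accepted.
    $allowed = ['time', 'last_reply', 'subject'];   // hypothetical list
    $order = $get['order'] ?? 'time';
    return in_array($order, $allowed, true) ? $order : 'time';
}

// ... then encode for the HTML context at output time (UTF-8 matches the
// forum's advertised character set).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_pager_safe(array $get): string
{
    $query = http_build_query(['page' => clean_page($get),
                               'order' => clean_order($get)]);
    return '<a href="forum.php?' . h($query) . '">next</a>';
}

// Constructed sample request with malformed values for both parameters.
$sample = ['page' => '2"3', 'order' => 'bogus'];
echo render_pager_safe($sample), PHP_EOL;
```

The validation step rejects both sample values and the encoding step guarantees that whatever reaches the attribute is data, not markup; the same two steps apply to the "category" parameter in forum.php.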