https://www.exploit-db.com/exploits/23313
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200310-091

Ledscripts.comLedForumsBeta1版本中的index.php存在跨站脚本(XSS)漏洞。远程攻击者可以通过（1）top_message参数或（2）新线程的主题字段来注入任意Web脚本或HTML。

source: http://www.securityfocus.com/bid/8934/info

It has been reported that LedForums is prone to a HTML injection vulnerability that may allow an attacker to execute HTML code in a user's browser. The issue is reported to be present in the 'top_message' and 'topic' fields. This problem is due to insufficient sanitization of user-supplied input.

Successful exploitation of this vulnerability may allow an attacker to steal cookie-based authentication credentials. Other attacks are also possible.

LedForums Beta 1 has been reported to be vulnerable to this issue.

http://www.example.com/~path/index.php?top_message=<script>alert(document.cookie)</script>
http://www.example.com/~path/index.php?top_message=<h1>OWNED?%20*g*</h1>

<script>window.location='http://www.example.org'</script>

来源:XF
名称:ledforums-topicfield-redirect(13563)
链接:http://xforce.iss.net/xforce/xfdb/13563
来源:XF
名称:ledforums-indexphp-xss(13562)
链接:http://xforce.iss.net/xforce/xfdb/13562
来源:BID
名称:8934
链接:http://www.securityfocus.com/bid/8934
来源:BUGTRAQ
名称:20031030MultipleVulnerabilitiesinLed-Forums
链接:http://www.securityfocus.com/archive/1/342913
来源:SECUNIA
名称:10113
链接:http://secunia.com/advisories/10113