Language Selection

English French German Italian Portuguese Spanish

Flaws Found in MySQL Tracking System

Filed under
Security

Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL AB's site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., has to do with the way input is passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php."

According to Secunia's report, input is not properly sanitized before being returned to users. This can be used to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Secunia's report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.

Secunia rates the bugs as moderately critical, but the researcher who originally found them-James Bercegay of GulfTech Security Research Team-reported that they're highly exploitable and that they should be patched immediately.

The flaws can be found in versions 1.5.5 and prior. Eventum users should update to Version 1.6.0, which was released on Saturday. Click here for the new version's release notes.

By Lisa Vaas
eWeek

More in Tux Machines

OSS Leftovers

  • Nextcloud 12 Officially Released, Adds New Architecture for Massive Scalability
    Nextcloud informs Softpedia today about the official availability of the final release of Nextcloud 12, a major milestone of the self-hosting cloud server technology that introduces numerous new features and improvements. The biggest new feature of the Nextcloud 12 release appears to be the introduction of a new architecture for massive scalability, called Global Scale, which is a next-generation open-source technology for syncing and sharing files. Global Scale increases scalability from tens of thousands of users to hundreds of millions on a single instance, while helping universities and other institutions significantly reduce the costs of their existing large installations.
  • ReactOS 0.4.5 Open-Source Windows-Compatible OS Launches with Many Improvements
    ReactOS 0.4.5 is a maintenance update that adds numerous changes and improvements over the previous point release. The kernel has been updated in this version to improve the FreeLoader and UEFI booting, as well as the Plug and Play modules, adding support for more computers to boot ReactOS without issues.
  • Sprint Debuts Open Source NFV/SDN Platform Developed with Intel Labs
    AT&T has been the headliner in the carrier race to software defined networking (SDN) and network function virtualization (NFV). But Sprint is putting its own stamp on the space this week with its debut of a new open source SDN/NFV mobile core solution.
  • Google’s New Home for All Things Open Source Runs Deep
    Google is not only one of the biggest contributors to the open source community but also has a strong track record of delivering open source tools and platforms that give birth to robust technology ecosystems. Just witness the momentum that Android and Kubernetes now have. Recently, Google launched a new home for its open source projects, processes, and initiatives. The site runs deep and has several avenues worth investigating. Here is a tour and some highlights worth noting.
  • Making your first open source contribution
  • Simplify expense reports with Smart Receipts
    The app is called Smart Receipts, it's licensed AGPL 3.0, and the source code is available on GitHub for Android and iOS.
  • How the TensorFlow team handles open source support
    Open-sourcing is more than throwing code over the wall and hoping somebody uses it. I knew this in theory, but being part of the TensorFlow team at Google has opened my eyes to how many different elements you need to build a community around a piece of software.
  • IRC for the 21st Century: Introducing Riot
    Internet relay chat (IRC) is one of the oldest chat protocols around and still popular in many open source communities. IRC's best strengths are as a decentralized and open communication method, making it easy for anyone to participate by running a network of their own. There are also a variety of clients and bots available for IRC.

Tizen News: Phones and TVs

  • Tizen 3.0-powered Samsung Z4 now available with offline retailers in india
    The Samsung Z4, the fourth smartphone in Samsung’s Z series and a successor to the Z2 (and not the Z3, as many would assume), has been formally announced and made an appearance at the Tizen Developer Conference (TDC 2017) this past week. The Z4 was rumoured to make its way to India on May 19th (Friday) and it did – arriving with offline retailers after launching in the country last Monday (one week ago).
  • Samsung 2017 QLED TVs World First to support autocalibration for HDR
  • Samsung approves You.i TV video platform for Tizen TV app development
    While Samsung has developed Tizen TV apps using JavaScript, You.i TV’s Engine Video app runs on Native Client (NACL), a web technology that does not only allows C++ applications to run in a standard browser but is said to be 24 times faster than JavaScript. Now that Samsung has approved You.i TV’s video engine platform, developers can craft more video content for Tizen Smart TV owners.
  • Samsung Smart TV gets a new Glympse app that enables location sharing on the TV
    Samsung Smart TV, powered by the intuitive, self-developed Tizen operating system, has gotten a cool new app which enables consumers to view the location of their friends, loved ones or even a pizza delivery or cable technician in real-time directly from their home’s largest screen. The new app is developed by Glympse, the leading real-time location services platform.

How To Encrypt DNS Traffic In Linux Using DNSCrypt

​Dnscrypt is a protocol that is used to improve DNS security by authenticating communications between a DNS client and a DNS resolver. DNSCrypt prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with. DNSCrypt is available for multi-platforms including Windows, MacOS, Unix, Android, iOS, Linux and even routers. Read
more

Debian-Based Untangle 13.0 Linux Firewall Tackles Bufferbloat, Adds New Features

Untangle NG Firewall, the open-source and powerful Debian-based network security platform featuring pluggable modules for network apps, has been updated to version 13.0, a major release adding new features and numerous improvements. The biggest improvement brought by the Untangle NG Firewall 13.0 release is to the poor latency generated by excess buffering in networking equipment, called bufferbloat, by supporting a queueing algorithm designed to optimize QoS and bandwidth to enforce a controlled delay. Read more