
Flaws Found in MySQL Tracking System

Filed under
Security

Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL AB's site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., has to do with the way input is passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php."

According to Secunia's report, input is not properly sanitized before being returned to users. This can be used to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Secunia's report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.
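The two defect classes Secunia describes, reflected parameters echoed into a page unescaped and request values concatenated into SQL, are shown below in both the flawed and the hardened shape. This is an added example, not Eventum's own code (Eventum is written in PHP; the Python version is here so the behaviour can be run and checked offline). The function names, the table schema and the hostile sample values are constructed for the example and are not taken from the advisory.

```python
"""Reflected XSS and SQL injection: vulnerable shape beside hardened shape.
Added example, not Eventum code. Names, schema and inputs are assumptions."""
import html
import sqlite3

# Constructed hostile values standing in for attacker-controlled
# query-string parameters (illustrative, not from the advisory).
XSS_ID = '1"><script>alert(1)</script>'
SQLI_RELEASE = "' OR '1'='1"


def issue_link_unsafe(issue_id: str) -> str:
    """Reflect the "id" parameter into HTML unchanged (the flawed shape)."""
    return f'<a href="view.php?id={issue_id}">Issue {issue_id}</a>'


def issue_link(issue_id: str) -> str:
    """Escape the value for the HTML context it lands in (the fixed shape).

    html.escape with quote=True also encodes " and ', which matters here
    because the value is placed inside an attribute as well as in text."""
    safe = html.escape(issue_id, quote=True)
    return f'<a href="view.php?id={safe}">Issue {safe}</a>'


def parse_issue_id(raw: str) -> int:
    """Stricter alternative for numeric parameters: validate, do not escape.

    An issue id is an integer, so anything else is rejected before it can
    reach either the page or the database."""
    if not raw.isdigit():
        raise ValueError("id must be a non-negative integer")
    return int(raw)


def contains_live_script(page: str) -> bool:
    """True if a raw <script> tag survived into the rendered HTML."""
    return "<script>" in page


def make_db() -> sqlite3.Connection:
    """In-memory releases table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE releases (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO releases (title) VALUES (?)",
        [("1.5.5",), ("1.6.0",), ("internal-only",)],
    )
    return db


def find_release_unsafe(db: sqlite3.Connection, title: str) -> list:
    """Build the WHERE clause by string concatenation (the flawed shape)."""
    sql = f"SELECT id, title FROM releases WHERE title = '{title}'"
    return db.execute(sql).fetchall()


def find_release(db: sqlite3.Connection, title: str) -> list:
    """Bind the value as a parameter so it can never become SQL syntax."""
    sql = "SELECT id, title FROM releases WHERE title = ?"
    return db.execute(sql, (title,)).fetchall()


if __name__ == "__main__":
    print(issue_link_unsafe(XSS_ID))   # script tag reflected verbatim
    print(issue_link(XSS_ID))          # tag neutralised by escaping
    db = make_db()
    print(find_release_unsafe(db, SQLI_RELEASE))  # every row comes back
    print(find_release(db, SQLI_RELEASE))         # no row matches
```

Running the module prints the four contrasting results. The SQL half is the more telling one: the concatenated query returns every release, including the row a user was never meant to see, while the parameterised query returns nothing because the quote characters are treated as data. For integer parameters such as Eventum's "id", validating the type up front (as `parse_issue_id` does) removes both problems at once and is the change a reviewer would ask for first.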

Secunia rates the bugs as moderately critical, but the researcher who originally found them, James Bercegay of GulfTech Security Research Team, reported that they're highly exploitable and that they should be patched immediately.

The flaws can be found in versions 1.5.5 and prior. Eventum users should update to Version 1.6.0, which was released on Saturday; release notes accompany the new version.

By Lisa Vaas
eWeek
