
Flaws Found in MySQL Tracking System


Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL AB's site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., concerns the way input passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php" is handled.

According to Secunia's report, that input is not properly sanitized before being returned to the user's browser. An attacker can exploit this to execute arbitrary HTML and script code in a user's browser session in the context of an affected site, a classic reflected cross-site scripting flaw.

Secunia's report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.
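The two bug classes the report describes share one root cause: a request parameter is dropped into an output context (an HTML page, a SQL statement) without being treated as data for that context. The following example, added here for illustration and not code from Eventum (which is written in PHP), shows both patterns side by side in Python, with a constructed in-memory SQLite database standing in for the tracker's tables. The table and column names, the payloads and the function names are all assumptions made for this example.

```python
import html
import sqlite3

# Constructed sample data standing in for an issue tracker's tables.
# Assumption for this example; this is not Eventum's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE issue (id INTEGER PRIMARY KEY, summary TEXT, release_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO issue VALUES (?, ?, ?)",
        [(1, "Login fails", "1.5"), (2, "Crash on export", "1.6")],
    )
    # A second table the attacker should never be able to read through the issue list.
    conn.execute("CREATE TABLE account (login TEXT, secret TEXT)")
    conn.execute("INSERT INTO account VALUES ('admin', 's3cr3t')")
    return conn


# --- Reflected XSS: an "id"-style parameter echoed back into the page ---

def render_vulnerable(issue_id: str) -> str:
    # The parameter value lands in the markup unchanged, so a value such as
    # "<script>alert(1)</script>" becomes live script in the victim's browser.
    return f"<h1>Issue {issue_id}</h1>"


def render_hardened(issue_id: str) -> str:
    # Escape for the HTML text context at the point of output. html.escape with
    # quote=True rewrites <, >, &, " and ' so the value can only render as text.
    return f"<h1>Issue {html.escape(issue_id, quote=True)}</h1>"


# --- SQL injection: a "release"-style parameter used to build a query ---

def list_by_release_vulnerable(conn: sqlite3.Connection, release: str) -> list:
    # String concatenation: a value containing a quote closes the literal and the
    # remainder is parsed as SQL, so the caller controls the WHERE clause.
    sql = "SELECT id, summary FROM issue WHERE release_name = '" + release + "'"
    return conn.execute(sql).fetchall()


def list_by_release_hardened(conn: sqlite3.Connection, release: str) -> list:
    # Parameterized query: the value is bound by the driver and is never parsed
    # as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT id, summary FROM issue WHERE release_name = ?", (release,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    xss = "<script>alert(1)</script>"
    print(render_vulnerable(xss))
    print(render_hardened(xss))
    # Tautology payload: returns every issue instead of one release.
    print(list_by_release_vulnerable(db, "1.5' OR '1'='1"))
    # UNION payload: reads the account table through the issue listing.
    print(list_by_release_vulnerable(db, "x' UNION SELECT login, secret FROM account --"))
    # The same payloads are inert against the parameterized query.
    print(list_by_release_hardened(db, "1.5' OR '1'='1"))
```

Note that the two fixes are not interchangeable: HTML escaping does nothing to protect a SQL statement, and quoting for SQL does nothing for the browser. Each output context needs its own encoding, applied where the data leaves the application, which is the general lesson behind both Secunia findings.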

Secunia rates the bugs as moderately critical, but the researcher who originally found them, James Bercegay of GulfTech Security Research Team, reported that they are highly exploitable and should be patched immediately.

The flaws affect versions 1.5.5 and prior. Eventum users should update to Version 1.6.0, which was released on Saturday; the release notes for the new version describe the fix.

By Lisa Vaas
eWeek
