
Flaws Found in MySQL Tracking System

Filed under: Security

Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL AB's site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., has to do with the way input is passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php."

According to Secunia's report, input is not properly sanitized before being returned to users. This can be used to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Secunia's report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.
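The two defect classes Secunia describes, a request parameter echoed into the page unescaped and a request parameter concatenated into a SQL statement, are shown below beside their fixed forms. This is an added illustration written for this page in Python with the standard-library `sqlite3` module; it is not Eventum code (Eventum is a PHP application), and the table, rows, function names and probe input are all constructed for the demonstration.

```python
"""Reflected output and string-built SQL, vulnerable and hardened side by side.

Added example, not taken from Eventum. The table and rows are constructed;
the functions mimic the shape of the defects described in the advisory.
"""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an issue tracker's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE issue (id INTEGER PRIMARY KEY, summary TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO issue VALUES (?, ?, ?)",
        [(1, "Login fails", 0), (2, "Internal roadmap", 1)],
    )
    return conn


# --- Output returned to the browser ---------------------------------------

def render_vulnerable(issue_id: str) -> str:
    """Echoes the request parameter into HTML unchanged (the reported defect)."""
    return f"<h1>Issue {issue_id}</h1>"


def render_hardened(issue_id: str) -> str:
    """Escapes the parameter so the browser shows it as text, never as markup."""
    return f"<h1>Issue {html.escape(issue_id, quote=True)}</h1>"


def parse_issue_id(raw: str):
    """Allow-list validation for a numeric id: parse it as an int or reject it.

    Hypothetical helper: for a parameter that is only ever a number, rejecting
    anything else removes both problems at once.
    """
    return int(raw) if re.fullmatch(r"[0-9]{1,10}", raw) else None


# --- Database access ------------------------------------------------------

def query_vulnerable(conn: sqlite3.Connection, release: str):
    """Concatenates the parameter into the statement text (the reported defect)."""
    sql = (
        "SELECT id, summary FROM issue WHERE private = 0 AND summary = '"
        + release
        + "'"
    )
    return conn.execute(sql).fetchall()


def query_hardened(conn: sqlite3.Connection, release: str):
    """Binds the parameter; the value can never change the statement's shape."""
    return conn.execute(
        "SELECT id, summary FROM issue WHERE private = 0 AND summary = ?",
        (release,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: a quote followed by a tautology, the textbook way a
    # string-built WHERE clause is widened to return rows it should not.
    probe = "x' OR '1'='1"
    print(render_vulnerable("<b>1</b>"))
    print(render_hardened("<b>1</b>"))
    print(parse_issue_id("42"), parse_issue_id("42 OR 1"))
    print(query_vulnerable(db, probe))  # private row leaks
    print(query_hardened(db, probe))    # nothing matches
```

The interesting line is the vulnerable query: because `AND` binds tighter than `OR`, the probe turns the filter into `(private = 0 AND summary = 'x') OR '1'='1'`, which returns the private row as well. The bound-parameter version hands the same string to the driver as a value, so it is compared literally and matches nothing. The escaping fix for the output side is the same idea: the parameter is data, and the layer that renders it must encode it for that context.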

Secunia rates the bugs as moderately critical, but the researcher who originally found them, James Bercegay of GulfTech Security Research Team, reported that they're highly exploitable and that they should be patched immediately.

The flaws can be found in versions 1.5.5 and prior. Eventum users should update to Version 1.6.0, which was released on Saturday. Click here for the new version's release notes.

By Lisa Vaas
eWeek
