
Flaws Found in MySQL Tracking System


Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL AB's site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., has to do with the way input is passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php."

According to Secunia's report, input is not properly sanitized before being returned to users. This can be used to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
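The reflected cross-site scripting pattern Secunia describes, shown as an added example in Python rather than Eventum's own PHP; this is not Eventum code. The "view.php" and "id" names mirror the advisory, while the page template, the attack URL and the `render_*` functions are constructed for illustration. The vulnerable renderer echoes the parameter into HTML unchanged; the fixed one entity-encodes it and, because an issue id should only ever be numeric, rejects anything that is not digits before it reaches the template.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed request: a view.php-style URL whose "id" parameter carries markup.
ATTACK_URL = "http://tracker.example/view.php?id=<script>alert(document.cookie)</script>"


def query_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name` ('' if absent)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(issue_id: str) -> str:
    """Reflect the parameter straight into the page body (the flaw class in the advisory)."""
    return f"<p>Issue {issue_id} could not be found.</p>"


def valid_issue_id(issue_id: str) -> bool:
    """An issue id is an integer; anything else is rejected before rendering."""
    return issue_id.isdigit()


def render_fixed(issue_id: str) -> str:
    """Validate the type first, then entity-encode on output so the browser sees text, not tags."""
    if not valid_issue_id(issue_id):
        # Still encode the rejected value: error pages are a common place to reflect input.
        return f"<p>Invalid issue id: {html.escape(issue_id, quote=True)}</p>"
    return f"<p>Issue {html.escape(issue_id, quote=True)} could not be found.</p>"


def reflects_markup(page: str) -> bool:
    """Crude detector: does a raw <script> tag survive into the response body?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    payload = query_param(ATTACK_URL, "id")
    print("vulnerable:", render_vulnerable(payload))
    print("fixed:     ", render_fixed(payload))
```

The check in `reflects_markup` is the same thing a scanner does when it confirms reflected XSS: send a marker in the parameter and look for it unencoded in the response. Output encoding is the fix that matters; the digit check is defence in depth for this particular parameter and would not apply to a free-text field.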

Secunia's report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.
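The SQL injection pattern described above, as an added example written in Python against an in-memory SQLite database; this is not Eventum code and the schema, the sample rows and the function names are constructed for illustration (passwords are stored in clear only to keep the example short). The "release" and "authentication" cases from the advisory stand in for two contexts an injector meets: a quoted string value, where a closing quote and a comment marker end the intended query, and an unquoted numeric value, where no quotes are needed at all, so escaping quotes alone would not help. The fixed versions bind parameters and, for the numeric filter, refuse anything that is not an integer.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed tracker-like schema with a few sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.executemany("INSERT INTO users (email, password) VALUES (?, ?)",
                   [("admin@example.com", "s3cret"), ("user@example.com", "hunter2")])
    db.execute("CREATE TABLE issues (id INTEGER PRIMARY KEY, release_id INTEGER, title TEXT)")
    db.executemany("INSERT INTO issues (release_id, title) VALUES (?, ?)",
                   [(1, "login page blank"), (1, "typo in footer"), (2, "crash on export")])
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, password: str) -> bool:
    """String-built query: the caller's text becomes SQL syntax (the authentication case)."""
    sql = ("SELECT id FROM users WHERE email='" + email
           + "' AND password='" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_fixed(db: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised query: values are bound by the driver and never parsed as SQL."""
    sql = "SELECT id FROM users WHERE email=? AND password=?"
    return db.execute(sql, (email, password)).fetchone() is not None


def issues_for_release_vulnerable(db: sqlite3.Connection, release: str) -> list:
    """Unquoted numeric context: 'release' is pasted in as-is (the release filter case)."""
    sql = "SELECT id FROM issues WHERE release_id=" + release
    return [row[0] for row in db.execute(sql)]


def issues_for_release_fixed(db: sqlite3.Connection, release: str) -> list:
    """Coerce to int (raises ValueError on anything else), then bind the value."""
    release_id = int(release)
    sql = "SELECT id FROM issues WHERE release_id=?"
    return [row[0] for row in db.execute(sql, (release_id,))]


if __name__ == "__main__":
    db = build_db()
    # Quoted context: close the string and comment out the password check.
    print(login_vulnerable(db, "admin@example.com' -- ", "wrong"))      # True
    print(login_fixed(db, "admin@example.com' -- ", "wrong"))           # False
    # Numeric context: no quote needed, a tautology widens the WHERE clause.
    print(issues_for_release_vulnerable(db, "1 OR 1=1"))                # all three ids
    print(issues_for_release_fixed(db, "1"))                            # [1, 2]
```

Note that `int()` rather than a quote-escaping function is the right fix for the numeric filter: the injection there contains no quote character, so an escaper would pass it through untouched. Binding parameters handles both contexts, which is why it is the default to reach for.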

Secunia rates the bugs as moderately critical, but the researcher who originally found them, James Bercegay of GulfTech Security Research Team, reported that they are highly exploitable and should be patched immediately.

The flaws affect versions 1.5.5 and prior. Eventum users should update to Version 1.6.0, which was released on Saturday; the 1.6.0 release notes describe the changes.

By Lisa Vaas
eWeek
