
Flaws Found in MySQL Tracking System

Filed under
Security

Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL AB's site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., has to do with the way input is passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php."

According to Secunia's report, input is not properly sanitized before being returned to users. This can be used to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Secunia's report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.
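As an added illustration (not Eventum's code, nor anything from the Secunia or GulfTech reports), the two defect classes described above are shown below as the weak form beside a corrected form: a request parameter echoed into HTML without encoding, and a request parameter interpolated into a SQL string. The handler names, the `issue` table and its columns are assumptions made for the example.

```php
<?php
// Added illustration, not Eventum's code. Table/column names are assumed.

// --- Reflected XSS: a request parameter echoed straight into HTML ---

// Weak: whatever arrives in ?id=... is written into the page verbatim,
// so a value carrying markup or script is rendered in the viewer's browser.
function render_issue_heading_weak(array $get): string
{
    $id = $get['id'] ?? '';
    return "<h1>Issue #$id</h1>";
}

// Fixed: constrain the value to the type it should be (an integer issue id)
// and HTML-encode anything that is still echoed back to the user.
function render_issue_heading_fixed(array $get): string
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        return '<h1>Invalid issue id</h1>';
    }
    $safe = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Issue #$safe</h1>";
}

// --- SQL injection: a request parameter interpolated into a query ---

// Weak: the release name becomes part of the SQL text, so quote characters
// in the parameter change the structure of the query the database sees.
function list_issues_weak(PDO $db, string $release): array
{
    $sql = "SELECT iss_id, iss_summary FROM issue WHERE iss_release = '$release'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: a prepared statement fixes the query structure first and binds the
// parameter purely as data, whatever characters it contains.
function list_issues_fixed(PDO $db, string $release): array
{
    $stmt = $db->prepare(
        'SELECT iss_id, iss_summary FROM issue WHERE iss_release = :release'
    );
    $stmt->execute([':release' => $release]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The same two corrections (type-constrain and encode on output; parameterize on the database side) apply equally to the "release" and "F" parameters the report names.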

Secunia rates the bugs as moderately critical, but the researcher who originally found them, James Bercegay of GulfTech Security Research Team, reported that they're highly exploitable and that they should be patched immediately.

The flaws can be found in versions 1.5.5 and prior. Eventum users should update to Version 1.6.0, which was released on Saturday.

By Lisa Vaas
eWeek
