Flaws Found in MySQL Tracking System

Filed under
Security

Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL AB's site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., has to do with the way input is passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php."

According to Secunia's report, input is not properly sanitized before being returned to users. This can be used to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Secunia's report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.
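The two defect classes Secunia describes (a request parameter echoed into the page, and a request parameter spliced into a SQL query) are illustrated below as an added example that is not Eventum's code; the `releases` table, the function names and the in-memory SQLite database are constructed stand-ins for the real schema and PHP scripts. Each vulnerable pattern is shown beside the hardened form a reviewer would expect.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory stand-in for an issue tracker's release table
    # (assumption for illustration, not Eventum's real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE releases (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO releases(id, title) VALUES (?, ?)",
                     [(1, "1.5.5"), (2, "1.6.0")])
    return conn


def list_by_release_unsafe(conn, release):
    # Vulnerable pattern: the "release" parameter is spliced into SQL text,
    # so its value can alter the structure of the query, not just a value.
    sql = f"SELECT title FROM releases WHERE id = {release} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_by_release_safe(conn, release):
    # Hardened: enforce the expected type, then bind the value as a
    # query parameter so the database never parses it as SQL.
    release_id = int(release)  # raises ValueError on anything non-numeric
    rows = conn.execute(
        "SELECT title FROM releases WHERE id = ? ORDER BY id", (release_id,))
    return [row[0] for row in rows]


def render_view_unsafe(issue_id):
    # Reflected XSS pattern: the "id" parameter is echoed verbatim into HTML.
    return f"<h1>Issue {issue_id}</h1>"


def render_view_safe(issue_id):
    # Hardened: HTML-encode the value before it reaches the page body,
    # so markup or script in the parameter is rendered as literal text.
    return f"<h1>Issue {html.escape(str(issue_id), quote=True)}</h1>"
```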

Secunia rates the bugs as moderately critical, but the researcher who originally found them, James Bercegay of the GulfTech Security Research Team, reported that they are highly exploitable and should be patched immediately.

The flaws affect versions 1.5.5 and prior. Eventum users should update to version 1.6.0, which was released on Saturday; release notes for the new version are available from the project.

By Lisa Vaas
eWeek
