Language Selection

English French German Italian Portuguese Spanish

Flaws Found in MySQL Tracking System

Filed under
Security

Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL AB's site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., has to do with the way input is passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php."

According to Secunia's report, input is not properly sanitized before being returned to users. This can be used to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Secunia's report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.

Secunia rates the bugs as moderately critical, but the researcher who originally found them-James Bercegay of GulfTech Security Research Team-reported that they're highly exploitable and that they should be patched immediately.

The flaws can be found in versions 1.5.5 and prior. Eventum users should update to Version 1.6.0, which was released on Saturday. Click here for the new version's release notes.

By Lisa Vaas
eWeek

More in Tux Machines

Head 2 Head: Android OS vs. Chrome OS

A large part of Google’s OS success hasn’t been because of its awesomeness. No. Frankly, we think nothing speaks louder than the almighty dollar in this world. But both are “free,” right? So this is tie? Not really. Although Android is technically free since Google doesn’t charge device makers for it, there are costs associated with getting devices “certified.” Oh, yeah, and then there’s Apple and Microsoft, both of which get healthy payouts from device makers through patent lawsuits. Microsoft reportedly makes far more from Android sales than Windows Phone sales. You just generally don’t see the price because it’s abstracted by carriers. Chrome OS, on the other hand, actually is pretty much free. A top-ofthe-line Chromebook is $280, while a top-of-the-line Android phone full retail is usually $600. We’re giving this one to Chrome OS because if it’s generally cheaper for the builder, it’s cheaper for you. Read more

Kodi (XBMC Media Center) 14.2 Officially Released, Kodi 15 “Isengard” Is On Its Way

The Kodi development team, through Nathan Betzen, had the pleasure of announcing today, March 28, the immediate availability for download of the second and last maintenance release for Kodi 14 (codename Helix), before they continue with the development cycle for the upcoming release, Kodi 15, dubbed Isengard. Read more

Debian 8 Jessie Installer Now Supports Running a 64-bit Linux Kernel on a 32-bit EFI

The Debian Installer team had the pleasure of announcing on March 27 that the second Release Candidate (RC) version of the Debian 8.0 "Jessie" installer is now available for download and testing. The RC2 version of the installer brings a great number of improvements and fixes. Read more

First Look at GNOME 3.16

The highly anticipated GNOME 3.16 desktop environment for Linux kernel-based operating systems has been announced on March 26, 2015, and has been declared by the GNOME development team as the best GNOME release yet. Of course, we wanted to give GNOME 3.16 desktop environment a try and see for ourselves the new features, apps, and improvements. Read more