Language Selection

English French German Italian Portuguese Spanish

Flaws Found in MySQL Tracking System

Filed under
Security

Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL AB's site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., has to do with the way input is passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php."

According to Secunia's report, input is not properly sanitized before being returned to users. This can be used to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Secunia's report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.

Secunia rates the bugs as moderately critical, but the researcher who originally found them-James Bercegay of GulfTech Security Research Team-reported that they're highly exploitable and that they should be patched immediately.

The flaws can be found in versions 1.5.5 and prior. Eventum users should update to Version 1.6.0, which was released on Saturday. Click here for the new version's release notes.

By Lisa Vaas
eWeek

More in Tux Machines

Linux Devices

Open Source Software A Core Competency For Effective Tech M&A

Imagine your company just acquired its competitor for $100 million. Now imagine the company’s most important asset – its proprietary software – is subject to third-party license conditions that require the proprietary software to be distributed free of charge or in source code form. Or, imagine these license conditions are discovered late in the diligence process, and the cost to replace the offending third-party software will costs tens of thousands of dollars and take months to remediate. Both scenarios exemplify the acute, distinct and often overlooked risks inherent to the commercial use of open source software. An effective tech M&A attorney must appreciate these risks and be prepared to take the steps necessary to mitigate or eliminate them. Over the past decade, open source software has become a mainstay in the technology community. Since its beginnings, open source software has always been viewed as a way to save money and jumpstart development projects, but it is increasingly being looked to for its quality solutions and operational advantages. Today, only a fraction of technology companies do not use open source software in any way. For most of the rest, it is mission critical. Read more

AMD Graphics

SUSE Leftovers

  • Git, Kernels, LightDM, More update in Tumbleweed
    Topping the list of updates for snapshot 20161129 was the update to Light Display Manager 1.21.1, which added an Application Programming Interface (API) version to the greeter-daemon protocol for future enhancements. Other updates in the snapshot include openVPN, which added a recommended utility for network and traffic protocols, and subpackages for systemd relevant for 32-bit users. Desktop manager xfdesktop updated to version 4.12.3 and introduced rotating wallpaper images if the images contain rotation information. The programming language vala, which aims to bring modern programming language features to GNOME developers without imposing any additional runtime requirements, updated in the 20161129 and 20161201 snapshots.
  • openSUSE Leap 42.1 upgrade to Leap 42.2
  • openSUSE Tumbleweed – Review of the Week 2016/49
    I’m sure nobody doubted it, but Tumbleweed is back on the roll! And in fact, we did the impossible and released 8 snapshots in a week. This review will cover {1201..1208}.