Database - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Database


Flaws Found in MySQL Tracking System



 By: Lisa Vaas
2005-08-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Database story.


Rate This Article:
Poor Best
The issues, which allow for cross-site scripting and SQL injection attacks, reside in MySQL Eventum 1.x.

Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL ABs site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., has to do with the way input is passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php."

Resource Library:
According to Secunias report, input is not properly sanitized before being returned to users. This can be used to execute arbitrary HTML and script code in a users browser session in the context of an affected site.

Secunias report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.

Secunia rates the bugs as moderately critical, but the researcher who originally found them—James Bercegay of GulfTech Security Research Team—reported that theyre highly exploitable and that they should be patched immediately.

The flaws can be found in versions 1.5.5 and prior. Eventum users should update to Version 1.6.0, which was released on Saturday. Click here for the new versions release notes.

Check out eWEEK.coms for the latest database news, reviews and analysis.



  Reader Comments: Flaws Found in MySQL Tracking System
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Database Articles          >>> More By Lisa Vaas
 


x}r㶲qUQSok)ٖ:-K3dwKEQĘ"yHʶ&7/nK3n7>h$s& 4F%\8ȴ'-dghgܛƃ%{m !F&(ː Q2D7,w5 E6eNFF72Mۀp{瑐g-FF5%SÜL|k&FV6gel&8ۤp)LEg hrڀ'|pP8"XKE!H|2Gu淌q}؁䛟 f:AǙMLT Xfu~kʷP&3GGdY pWM,2,U)m H |`<O LE1nd-Gr#g3n]6YjTUE*rM);^!`#L{hT9ݙ۟](弪*Jw9ΐg -;7$v^ԂZt{ݳ>~l_\[r  +tm%&џ@DR/ L$" ԆNI^:ǗH5=V)G~ZjZAUԺZP\u]1H0CВƔ^J >/U}s}I}r~|i!|#%ĐTT行ĠKW:k1㽩zq{vzrq۹:Y?vN=$O#lhFBmIqjʿupsO|ikx8ȽPe0Hj&3??]4R/:'$#mDO0io,Yn_eHFdB&rF~DXy,@( 7G.ֈoi@.@ ;CkG7oiDViMSC "d>̌@#X\257fI23< MV1tF Zvf8yᾪDK2T3}PEe,E]!d}N9}E$o# ci gQ%M ##8Q$f.r;uKZ#΃asʪ:QY' ++BMMe֏zZTpx=i[7Sһ^tZ0ű,<]cg%¥,՛(VʵXu =Y9z *R-,b aˠqa٥B}d4}|7fhNޏ̭12Pmkh|?ƒ(6hʋm<<7MI7j0i\|3r޺~LnE*Fsfn#@E%-DCsGjɦMfBu#08wɽ 59P5ͻ5PA1LDe!PCh' 6 H|` Qi^3-mhZQ 11]Æ.v.bA/)o{A 4$@!"5i]FP@Br6< -84rrܑzqTRP*m=őtLATz,QύgR1| yi| 23CE$ɤ<96r"򈀥T/G@7Mᅚ6F5oY,*uUT7DkB{<6u0 uu=ֈ` [X& '5$&.n*q<5f0s'<#} Gzuo\f33-5=01yc^@kjƦiԀfLSS \ f?6`Z&FLio<` Xu-{ rG#7ql9`n5Ɖ<\y͏/3ۀ}Q.jiOu^N_N#i[}7UۄVs*vCLD_UbtȔu>I.VB)3OHт9oU 6g4$lr%eʇRy`OǰA67 \O @݋))"'Fѫ6Uc p!jlٔo-V,J?Ս͋7z1(a]k-|pH"ohm^xSK~OGi+5mB iHM:P6 2HE3Kīd(k7u(-Яk)=P0U) KaTEsXbƧ*P H~0.j(T 3XމvP=|$=Cr;::6(*'||$eǝ:~SJiX$ 5_ {ܧuQLHx=e\84Y_`.EVб3abea;k UK_Hq:nmV ҇D-0ڠM ECMk =͝vm|sQ_.)|>FBDkd"9vd\6˰@m;<#OMgd^hʗȥi@ @Mn̡gg᠒/ 88qx3?74PV(&<kJuF 2qÌa&?@R*C13ghjmF{ǙX$!MT_&E) 4 Z7̈́oh>'F9o'<7 |a"= ilm% m"rAb L$Tt`naR@:hѫS6c-4.&tl?`>"! }gxil~؇J9E! x"JPVblxOcC-JT*8Ya7scRJOHCx /Oqr}w9jF>)qkw~T}j6݁ r-4|pqZEL)YvQ'ЌXodH]M;fG 2cM)D+D#`4 (.+N*H|憑zP0s~J~7qz9aN:߮ c2F=5}}vn:N (589g&B1FGt19<"pwC*j>o_awg* AvW>`S 4E&Ji;@+aZs~Ԋkt Cn71UЇޠuōRU y~m; 4]pHRT 5TS;N7w T/V )6iU!b h/A3ET7edUrCꋰ(Gp釛Lk Pi(Y|;` 2fVȭNV4Nդ_#tz}C ϳ{WՒK؈ʹ! =xփu8XAaϨɦZ+UA ׃0 IǸ}wsW>~U=2%Xhݢ5FJ95p393nL|# @Qk5VZ`Y` lBX`sIefjqiS))rT*H-E4lqMݗ8nHCo`ks_20TeHSm 9 =@EZЊqcꞃSjXK9my U8e1 SeS˕2p}[ r3/0ւ/ T_@DytxЊ´7*Q7P#I?++~ E'Quzۢ*+JǸ}V;{ZP1n== Ю@xLl NKt!/Ӡ.f]kg{Q.q)3b/t~egt~7!zK'7溋,<̭,i&"N^Vp'ZkԔ5)yZK0שUI-T R"Li;J墪AR'P4G##u(L)!=HP?,V[_-JV.SA%lz֏'ɶw96R_#*S7o~F)ɡ$o P(ӌ㘌4/^^fՏjUԅ@/I6K.P;=BE6@oěK~{s9JϺW}uٹtg|F0q3fnt3o;QA^-{T. J/GT'jMթԹlo0.[-4JLTHN]ۮ _l{9Elus^aehoo~Aqy!3Gan߽p.[7;W%EūU[[wys=Bw"E rBݫ='Mxyq&mRGԳ|mXc?$]w ` ){sھaĂKӌU _/hkUlJ| AY:]ӟz V`!斁w>?(W:s` $X*9Xu2ӻh}d'e؋n# m! x35CW( W2K颌 lN'ݛ# <9WxEщ]ݾ~Iy.~y>~4~h+0waAϤnkFK6I{qHH 'E?]/g{$i!^) >$Eɪ7@GdjFQJ"8^;n)>mZ|b=`Rr P) >Gb ev-mQRu]$ޡ ''HvUQZrl*= 8Q ƻ%h/4gk3@ \:NL[ıp߆ ?G.9rFQ=%&`qOeP#G]9.ğ?#g6vQ!]rE}CZW qW=J{( #d8z+Cr $>0S̱;F_maF }҅i Cq3̋k&4Mila ZC<U>Q%Fq : S+]0':YґSC?(r3w y^/!* vx˯Xb5EbJX/{zn \V-QfI G'0paeE& no8ESTZOQmjFQ!n| gܤCCTtڗ8 &JnИgs<, ǀ"җ5 sIIPZpiŞUhAT- FK=Vꈚx;ȮhXi>}7Ɯ듼#^-p& sLKj-_S!AcgbP94'$g@' K]kwuT%ub͝^ ]笛mַKx0-W[GG x ښCEӖ*j]T +H R@T﴿.*|-tz1v/;ʶZxur $A ƽaZR|ؤ"!JZ ctJx s\Cٲ\ͧPmK`lZbלh OB _dGK>NDiJ1}1_Ʈ\j/+"ˑoAfQyz5֤K7NjC&-͒lJ@F(Xd@m&l2FCsg!=oX`Kx5S&oڶ?`-j0֥ܽ|{TGE 7S;6 "A$H"I ;C?_] oIsoXH2 O74ϻ4tnzSuS(\϶tb43&!ே^YK4_cK+bΥtk%Mp=^HّXSwH{v`$ByB˳zFZ~3%yԟ8=Ѽu[gݒ^yI3qx*.h!lf([AK0h;<# Ar8z`eI쀈EϯeцaDIKVWYWK`xI 8rwįH7!Z^ oIP/0W'\R-E'2)Psʑ3nG]fԅޥ0KFI\k)5_&BʜHHHHziRAY5HvA1v5Lj<%] 2`lt`E`k`\#-$ s^lCHgX?'[vEܵğm+t]Ywj] SduUEx3}P@$qHG\I]Uiy>.]ܹ_f쵮z. c61;B y+I!$ x"\ Odlm?۶xaGjCD0)JUH ԍP(ߣ$j{Mw[dN׎;3Mr@纨u:u=u=inH xwft1!؂_If#0mĆYa-"4J86"),⌲ffm_)ss*X)T&惣\̓^9#0Dìcg1 R89W T|b~v.uvc<Ჶmq(nP|emeYʀ{"^I 6Y-#z0bdm6^Ti:uw>;Eސu-4&NexFP9T suWqI54)w/ Q,?.=3c($$m ":[I}bp2Q0 0]ID ܔ=˿C)3A; AoCu&E[{Ud?$?pMl<9Կ xI~I574!<8&ɸQކB8j ]K-;cnrߺHY_3=5keEk |=EB|uڷ#/%B*_=$.XTX?һ\] u=(Tew{хLDNtWιJPLzcWF胒=%hQ!,R/)YEs(ľ1G?&l[aXn[-W9#"H ]? ?XQ=^P_7E~oY+]Gu.91 E tC1f^VZ~=b;=G/5tIjbIAL2·{rn "rI gPǰJ-R(*ut x5F9_VRdu|d:/OVDs"ɓ`U8?Yu_OՃv&, ]4_1]қQ㉠D37: 3wQ70)s^E][=,u 4e^zA~duZlKLܴڳA$ 8Ieu3,4 DE"%m]쪅J~jA)j]oS|UU*jy ykڰjE7r ~ҜdILqg:g~祒Z,Tˉ5Zq0,61N͙A1q b#?(vBAfkǽ%vB#cb>>.W5V]M5ނV(]T8!/0޻s{)#ᷭ lslҸ7= HuWknR)ݛ9%^tByF _`bu{Ψ9 : RJk=_}oK|EmmqV]%F-bd 3 皭٦v l񄘊N=#󫛰Ћ/sYl'=rch> 1 2BvôUhY6#ZIixw<6鱆׸⩔)ڏxmĀ>Jg #J Ӵ$q&kh[ky~nʏjUԅoh}2 pT`3Ԫ+) 2@s857>|?zY}*07%& kE$73ãH 㱁>CTDcrn(N[J sJsFcsM9%o%P` Wl85nj=rOs@yTP"xB(aWE$@/4'4(l!Lb=aJ ͔$u}s ̌`:s]- .bE.wh34+0fC |83 Àk~thQQC>exd{Ca >u=2bs!R;<^QAsqҘ(@"! Dwwˈc$\c|EWo(KRW:P l+RPhq>_N+v'7hi,V"CRA$R_t/ Hj WPȺ70!5P }jڟj4Lu}}uoHݴۤwrӹwW}ѽSUXך_&ۓߩ9O'OgM窟ix :/U E`\ %UMC9-Þ0i% "G}Iw]$ }UQY\׭ę]/~x0۲!F8[Ll?tz[7^OMVk!?=#tɉ3J:o}˜ 7~7څʐTjz47Sa1:hEOWL3TY)<ۺrHINIMI'-VJzһ)H駀vJ lN?=}J;ygsz4윦C:)CL*%IiϽL^J'H9_Ļ SK{Ke ~.)LKDJGH~)_BeJ:U^\UuݔwAtSOK7E\}\5N)sB?=/=/}~ _6B_!cZ:cJ>>oҁ~oSM6ĹNR!HoYN/T8)L8^Jei+Oi鰄:KIAz<++B/nvS < ?S_R ̴T_;'Sq]5|rgJW=m _yڞiQq$M)n؀+G{2Th k[yD` S`+F&Ь͗'hވu]j= gE0$E>4v tKw%,_YnƊ6KL~QgΒ'WidN@(Bf.]oAx2KA1_u)tn} 2?hĻM.Apt2m>kvS0[W_,tnE3UܴO\[hg?>/ݙg֦k3ckp'k͠6K搅H>Yivw,dk6Uףj(-@B~@o1 Jz·VVq3Ntc}p}sպ\޷G{>k蓥-F>gA7gP !F}C{+ B2) O=9G1Kh wcXy#6WxJ= =n;q∈ w>EU-+;_*L= æ;/3F$yEVط V-+R0XN^;QHJvmo*!F06Rs p*1XE&|`czQca(HKjⅲ_ Basaokh;b?@(n[^A%|kBCx?3 ٷϤiZzI [d7趥P:a䃿 d,ؓ5thǝaarV݃x~4VQ7{"rBv 53]jҐ9qE/ړ^Gx-£< X6-0gx}Sv3F~Z\Xyd?@ IFM&ɱA{.yZBsb)LC~YzE˫!Cc^ݱ;); pQ.`:}xsh^zq - Fo^AOev^N;:Q)ǁ֠}^A Pr-f$ǖ2x_06cSWb=LNVg'];-'.4}u;uc9dt1kN϶{3[;!t~5u7L _^;_s|j:WS&?IFaHLLĞQ[ =5ὧߞsLHd z"mѱwlffPc>P`n皒L߰ wب}t:פX-j==N@6AыpO`ĵ!wBh/x8gez帪J{\U mD^ )4M몈ޝe%[!%#95 q1II0ڜ =nVoUSmO@ +cz{g0S^plo KQQ9֒_|wc[%mY $z|N<=ر\4#eI.~=o M*GKDÍHqp/^ r·!#`AyH h6N>74+J' "@2x̴eNc.ьbj#m'%84C<غQֺbߟ0ml.n;+Ltw;qVgtf#H95sGu`'e!MkfG6 $߂*04o9/hˤDakEdt;(\-T2~5f*RWD K)0AƂ?qL669~Sg _ 9^,Bayx+oZPF`qQ;Z?] m-)k8~mA=y{̴+UՇJpCֶ)tfOK!eX m'NEתr^rFXջ&gqptzAѺ v7" aAЗn-/适9@ O{:p3利o6r3 XC2[<î,:u` {];ռ7gؕc׮<& ӟvj$оs4tXk`V|ָ+fo3ЈeƟ{0^ma,mkHMO,, [뙗Zg']Y.hj=E" ؑ~)j fY ]Rj(n~7xH>%7mAb;kڱL}`O}q4QzV+5%ժrXo4lQ/y|>]z0q7jPϥ7Y ï3CZvZB}𗃟X:/bi=|id~ee`D 7IJT.I :m=6S@>p e,5F,?kHː ĴhvT͡ 'o@,ERr>~ŞcNMJ9OXGSqq鵂}Ȓ˕XA CCsXwZ}@ @߂g'J @ o-"IgPf( WK@Ýu͡OLihڲn>"sw j ?’Q+t=ad*?k<2,mko4n@=B]޵_36Q}0TVcQIQ E(gQ^Q=i| ·\UM TI*Fk8`K Rf.û+͉OTDЫǁygfWW#W%zxȮ /&+N:ﯺ7m;^\˛s#\o]*me.\*M4mśnPK"mGx뛽' ܳP@~SD締ػbnhCjἤ4A3 XTNК,z2/ ߁@4zt >D YЈqh, i8'LAd(\t"hg[$:9X,_ėOua,XG-( 1TF8k&^qD+ TflhxYJ"W-uڌX[+9-MNؒh ;T>ޜ?6)e@: fA##mڲ %xq ic=..5nr RGB9vue9XԠ z Սޑ,0{E嚋+V_>/gXx̓VBiAƄLl@ LrlYmQ3D' *"։ k]:?ա{N #@ = J9Xc\׳a-6A" z:HхI ~^,N(g8A@d  &ܥŔ?)u~"YQgE\f"K?Kmُ H&Y}$o~+mIҎ,?@Bn)M--OsL 4zn]N<Ԇ$B{uIf,PXZayGޭxY2w[:ZnqRɦ}Z״O6 /yM ]1\T@CLTLWi`p_/mB1?,9HHMale WtmF(I7:Y0=XCYhSX,GVu$7Qo2\#_^0S0ޠÊOdx.E}{RF.["YRuo&~6Ere<_֯Z$#計3pL42 ב _}F0vZ521F3pn,zUG^ϻkx*|t7=(/t|k‚f*dc17GJ#[+٣;kxF =U.nx7C1 0Z d.kLCf?`냳U_:k]v.>q\} M -< UK:"^/$bQ*