Friday February 15, 2022
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 Mambo Multiple Vulnerabilities
  3 MySQL Eventum Multiple Vulnerabilities
  4 Multiple Invision Power Board Vulnerabilities
  5 Geeklog Remote Code Execution
  6 XMB Forums Multiple Vulnerabilities
  7 Gallery 2 Multiple Vulnerabilities
  8 phpRPC Library Remote Code Execution
  9 RunCMS Multiple Vulnerabilities
10 Kayako LiveResponse Multiple Vulnerabilities
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Archives Research
MySQL Eventum Multiple Vulnerabilities
July 31, 2021
Vendor : MySQL AB
URL : http://dev.mysql.com/downloads/other/eventum/
Version : MySQL Eventum <= 1.5.5
Risk : Multiple Vulnerabilities


Description:
Eventum is a user-friendly and flexible issue tracking system that can be used by a support department to track incoming technical support requests, or by a software development team to quickly organize tasks and bugs. Eventum is used by the MySQL AB Technical Support team. Unfortunately Eventum is vulnerable to some highly exploitable SQL Injection issues as well as cross site scripting issues. A new version of Eventum has been released and users are strongly advised to upgrade their Eventum installations.


Cross Site Scripting:
There are a number of cross site scripting issues in MySQL Eventum. You can find several examples of these issues below.

http://eventum/view.php?id=1'%22%3E%3Ciframe%3E
http://eventum/list.php?keywords=&users;=&category;=&release;=%22%3E%3Ciframe%3E
http://eventum/get_jsrs_data.php?F=wee%22%3E%3Ciframe%3E

A malicious user can exploit these vulnerabilities to steal sensitive user based information, or render hostile script in the context of the victim's web browser.


SQL Injection:
MySQL Eventum is a very well written program, and does a good job to protect against harmful input. However, there are a few some what blind SQL Injection issues in Eventum, and these issues are very exploitable. First, let's have a look at /includes/class.auth.php
    /**
     * Checks whether the provided password match against the email 
     * address provided.
     *
     * @access  public
     * @param   string $email The email address to check for
     * @param   string $password The password of the user to check for
     * @return  boolean
     */
    function isCorrectPassword($email, $password)
    {
        $stmt = "SELECT usr_password FROM " . APP_DEFAULT_DB . "." . APP_TABLE_PREFIX . "
	user WHERE usr_email='$email'";
        $passwd = $GLOBALS["db_api"]->dbh->getOne($stmt);
        if (PEAR::isError($passwd)) {
            Error_Handler::logError(array($passwd->getMessage(), $passwd->getDebugInfo()), 
	    __FILE__, __LINE__);
            return false;
        } else {
            if ($passwd != md5($password)) {
                return false;
            } else {
                return true;
            }
        }
    }

MySQL Eventum usually sanitizes within functions, so as expected the $email variable is never sanitized before being passed to this vulnerable function. Also, if the target host is using a database that supports UNION functionality then we can overwrite the expected returned password, and bypass the password check! The above issue is very dangerous, but there is a nearly identical function used alongside the isCorrectPassword function named userExists() and it is vulnerable in an almost identical manner. In addition to the "pre-auth" SQL Injection vulns are a few other SQL Injection vulnerabilities.

/reports/custom_fields.php->/includes/class.report.php->getCustomFieldReport()
/reports/custom_fields_graph.php->/includes/class.report.php->getCustomFieldReport()
/manage/releases.php->/includes/class.release.php->insert()

The above is a rough outline of the other vulnerable functions that have been patched in the recent 1.6.0 release. Users should upgrade immediately.


Solution:
A new version of MySQL Eventum has been released. The official release notes can be found at the link below.

http://lists.mysql.com/eventum-users/2072

Special thanks to Joao Prado Maia from the MySQL Eventum team for a very quick resolution of these issues.


Credits:
James Bercegay of the GulfTech Security Research Team