MySQL Eventum 1.31 Cross Site Scripting

Product:
MySQL Eventum Issue / Bug Tracking System

Released:
12/28/2004

Description:
MySQL Eventum 1.3.1 contains multiple multiple cross site scripting (XSS) vulnerabilities.

Systems Affected:
MySQL Eventum 1.3.1

Technical Description:
The Eventum bug tracking system has multiple variables that do not filter user supplied input. This could allow an attacker to perform Cross Site Scripting (XSS)
attacks.

XSS is possible in the following pages/fields:

  • index.php, email field: index.php?err=3&email="><script>alert(document.cookie)</script>
  • forgot_password.php, email field: forgot_password.php?email="><script>alert(document.cookie)</script>
  • preferences.php, fields: full_name, sms_email, list_refresh_rate, emails_refresh_rate
  • projects.php, fields: title, outgoing_sender_name

The preferences.php will save the XSS values and display them to any user that views the user's information (i.e., and administrator). These fields are
escaped to prevent SQL injection attacks.

Fix/Workaround:
MySQL reports Eventum release 1.4 resolves these issues.

Vendor Status:
MySQL was notified on 12/28/2004. The MySQL bug report system immediately makes issues public, which is why this release coincides with vendor disclosure.

Contacts:
sullo@cirt.net

References:
Updated information can be found on OSVDB.org under the following entries:

OSVDB-12606 MySQL Eventum index.php XSS
OSVDB-12607 MySQL Eventum forgot_password.php XSS
OSVDB-12608 MySQL Eventum preferences.php XSS
OSVDB-12609 MySQL Eventum projects.php XSS
Vulnerabilities: