Oracle MySQL Eventum 2.3 Remote Script Insertion Vulnerabilities

Medium
Advisory ID
ZSL-2011-4989
Release Date
11 February 2011
Vendor
MySQL AB / Oracle Corporation - http://forge.mysql.com/wiki/Eventum
Affected Version
2.3 and 2.2
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

Eventum is a user-friendly and flexible issue tracking system that can be used by a support department to track incoming technical support requests, or by a software development team to quickly organize tasks and bugs.

Description

Eventum suffers from a cross-site scripting vulnerability. The persistent (stored) XSS issue is triggered when input passed via the 'keywords' parameter to the list.php script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. The issue can also be triggered by entering the string '<script>alert(1)</script>' into the search box: it is stored as the active keywords filter and executes every time the user navigates back to the list.php page. If there is no activity, the stored string will execute again on its own every 5 minutes. 'forgot_password.php' and 'select_project.php' are also vulnerable because they fail to perform any filtering when using the REQUEST_URI variable.

Script: eventum-2.3/lib/eventum/class.auth.php
Line 90: $failed_url .= "&url=" . urlencode($_SERVER['REQUEST_URI']);
Line 131: self::redirect("select_project.php?url=" . urlencode($_SERVER['REQUEST_URI']), $is_popup);

Script: eventum-2.3/templates/current_filters.tpl.html
Line 11: <b>{$filter_name}</b>: {$filter_value}{if !$smarty.foreach.active_filters.last}; {/if}

Script: eventum-2.3\lib\pear\HTTP.php
Line 318: $url = isset($_SERVER['REQUEST_URI']) ?
Line 319: $_SERVER['REQUEST_URI'] : $_
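As an added example (not Eventum's own code), the two output sinks named above rendered first the way the template does it, then with output escaping and a same-site check on the url parameter that is built from REQUEST_URI. The helper names, the HTML fragments and the sample inputs are assumptions constructed for this illustration.

```php
<?php
// Added example, not part of Eventum. Names below are assumptions.

// Escape a value for an HTML text node or attribute. ENT_QUOTES covers both
// quote styles, so the same helper is safe inside attribute values.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rendering of an active filter as the Smarty line
//   <b>{$filter_name}</b>: {$filter_value}
// produces it: the stored keywords value is inserted verbatim.
function render_filter_vulnerable(string $name, string $value): string {
    return "<b>{$name}</b>: {$value}";
}

// Hardened rendering: escape on output. The Smarty equivalent is
//   <b>{$filter_name|escape:'html'}</b>: {$filter_value|escape:'html'}
function render_filter_safe(string $name, string $value): string {
    return "<b>" . h($name) . "</b>: " . h($value);
}

// class.auth.php carries the original REQUEST_URI in a url= parameter.
// Before a page echoes that value back into a link or hidden field, accept
// only a same-site relative path: must start with a single '/', no second
// slash or backslash (protocol-relative), printable ASCII only. Anything
// else falls back to a fixed local page.
function safe_return_url(?string $url, string $fallback = 'list.php'): string {
    if ($url === null || !preg_match('#^/(?![/\\\\])[\x21-\x7e]*$#', $url)) {
        return $fallback;
    }
    return $url;
}

// Constructed inputs: the string from the advisory as the 'keywords' filter,
// and a request URI that carries markup in its query string.
$keywords = "<script>alert(1)</script>";
echo render_filter_vulnerable('Keywords', $keywords), "\n"; // markup survives
echo render_filter_safe('Keywords', $keywords), "\n";       // &lt;script&gt;... inert

$req = '/list.php?keywords=%3Cscript%3E';
echo '<input type="hidden" name="url" value="' . h(safe_return_url($req)) . '">', "\n";
echo safe_return_url('//evil.example/'), "\n";              // list.php
echo safe_return_url("/list.php?\"><script>"), "\n";        // list.php (quote rejected)
```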
Proof of Concept
Disclosure Timeline
19.01.2011 - Vulnerability discovered.
22.01.2011 - Reported issue to the vendor with included details through their bug reporting system.
24.01.2011 - Vendor responds and confirms vulnerabilities, issuing a fix.
10.02.2011 - Vendor releases version 2.3.1 - http://launchpad.net/eventum/trunk/2.3.1/+download/eventum-2.3.1.tar.gz
11.02.2011 - Coordinated public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
11.02.2011 - Initial release
12.02.2011 - Added references [5] and [6]
14.02.2011 - Added reference [7]
15.02.2011 - Added references [8], [9] and [10]
16.02.2011 - Added reference [11]
06.03.2011 - Added references [12], [13] and [14]