Bug #9370 Eventum vulnerability
Submitted: 23 Mar 2005 22:37 Modified: 24 Mar 2005 16:03
Reporter: D R
Status: Not a Bug
Category: Eventum Severity: S1 (Critical)
Version: unknown OS: Windows (Windows Server 2k3)
Assigned to: Bugs System CPU Architecture: Any

[23 Mar 2005 22:37] D R
The target device is running a flawed version of MySQL Eventum, a PHP issue tracking system. The multiple vulnerabilities include cross site scripting, an undocumented admin account, theft of credentials, and multiple PHP input variables which do not sanitize input parameters. Solution : Upgrade to Eventum v1.4 or greater. 

Is there a fix for this?


How to repeat:
Running a scan on our server detected this. We are running VAM. I am uncertain what else I can give you.
[23 Mar 2005 22:39] D R
FYI, I cannot find a Windows version of this on your website, just the tar file, and I am uncertain how to upgrade Eventum.
[23 Mar 2005 23:05] Joao Prado Maia

The fix for this is to upgrade your currently installed copy of Eventum. The tarball available from MySQL is compatible with Windows and should be used to upgrade your installation. Follow the instructions found in the UPGRADE file for more details.

[24 Mar 2005 15:55] D R
This doesn't make any sense. I didn't install Eventum, and I cannot find the working directory for Eventum on my server. Can you assist?

[24 Mar 2005 16:03] Joao Prado Maia

I'm not sure how I can help you. If you didn't install Eventum, who did?

If you want to search for where Eventum is installed, maybe try doing a full-text search for the word "eventum" in any PHP file?
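
The full-text search suggested in the last comment, sketched as an added example (not part of the original thread and not Eventum's own code). It scans `.php` files for the word "eventum" and picks the deepest directory holding most of the matches as the likely install location. The function names, the majority heuristic and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

def find_php_mentions(root, needle="eventum"):
    """Map each .php file under root to its case-insensitive count of needle."""
    needle_b, hits = needle.lower().encode(), {}
    for dirpath, _dirs, files in os.walk(os.path.abspath(root)):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(".php"):
                continue
            try:
                with open(path, "rb") as fh:  # read bytes: encoding is unknown
                    count = fh.read().lower().count(needle_b)
            except OSError:  # unreadable file: skip it and keep scanning
                continue
            if count:
                hits[path] = count
    return hits

def likely_install_dir(hits, root):
    """Heuristic: deepest directory holding more than half of the matching files."""
    root, per_dir = os.path.abspath(root), Counter()
    for path in hits:
        d = os.path.dirname(path)
        while True:  # credit the file to every ancestor up to root
            per_dir[d] += 1
            if d == root or os.path.dirname(d) == d:
                break
            d = os.path.dirname(d)
    majority = [d for d, n in per_dir.items() if 2 * n > len(hits)]
    return max(majority, key=lambda d: d.count(os.sep)) if majority else None

def build_sample_tree(base):
    """Constructed sample layout; file names and contents are made up."""
    files = {"web/tracker/index.php": "<?php // Eventum front page ?>",
             "web/tracker/lib/common.php": "<?php $app = 'eventum'; ?>",
             "web/blog/post.php": "<?php // we also run eventum ?>",
             "web/tracker/notes.txt": "eventum (not PHP, ignored)"}
    for rel, text in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return base

if __name__ == "__main__":
    demo_root = build_sample_tree(tempfile.mkdtemp())
    print(likely_install_dir(find_php_mentions(demo_root), demo_root))
```

On a real server, pass the web root or drive to `find_php_mentions` instead of the sample tree; a stray mention in an unrelated file does not shift the result as long as most matches sit under one directory.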
