Critical Security Fix Releases: 2.3.1, 2.2.4, and 1.3.10

This is the release announcement for releases including the fixes for a critical security issue (#22690 for CVE-2017-7615), allowing a remote attacker to reset any user’s password, on all MantisBT instances where user signup or password reset are enabled, via a vulnerability in the Account verification page (verify.php).

MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases. The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released soon.

This issue has been fixed in release 1.3.10, 2.2.4, and 2.3.1 that we just published.

Due to the nature and criticality of the bug, we sent last night an advance notification to users that are registered on our bug tracker, providing the following patch that can mitigate the issue.  If for any reason you can’t upgrade, go ahead and use the one line change below to patch your MantisBT instance.

Locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):

if( $f_confirm_hash != $t_token_confirm_hash ) {

change it to

if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {

You are strongly advised to patch your systems immediately.

We would like to take this opportunity to thank John Page aka hyp3rlinx from ApparitionSec (http://hyp3rlinx.altervista.org) for discovering, responsibly reporting and working with us towards resolution of this vulnerability.

Thanks,
-MantisBT Team

Posted in MantisBT | Tagged | Leave a comment

MantisBT 2.3.0, 2.2.3, and 1.3.9 released

MantisBT 2.3.0

Feature release including security fixes and our brand new experimental REST API.  The REST API can be extended by plugins and power web UI ajax features.  In this release the REST API is disabled by default (expect for calls from within the web UI using cookie authentication) – see 22598 for more details.

  • 22445[ui] Manage users page does not show filters ‘0’-‘9’ as selected (atrol)
  • 22474[administration] “Obsolete configuration” warnings when running admin checks (atrol)
  • 22499[documentation] Document reuse of language strings (dregad)
  • 22501[ui] Enhance layout of “View Issue Details” page (atrol)
  • 22505[ui] Enhance layout of “Updating Issue Information” (atrol)
  • 22506[attachments] Error updating project document (atrol)
  • 22507[ui] On Edit Filter page, ‘Filter name’ input field is too narrow (dregad)
  • 08957[custom fields] Date Selector for Custom Fields (syncguru)
  • 22423[html] ID attribute for bugnote_text (community)
  • 22541[localization] Enhance wording in manage_config_email_page.php and manage_config_work_threshold_page.php pages (atrol)
  • 22548[ui] Remove unnecessary ‘center’ class from textarea in bugnote edit page (community)
  • 22571[html] Add ID attribute for bugnote_text textarea (community)
  • 22572[documentation] Wrong default value in documentation of “g_show_version” (atrol)
  • 21552[ui] My account preferences: move project list outside the form (cproensa)
  • 22140[administration] Getting error dialog when reporting issues and file upload is disabled (cproensa)
  • 22543[ui] Open images in the browser rather than download them (vboctor)
  • 22582[relationships] Relationships box layout is not right for reporters (vboctor)
  • 22583[attachments] Open PDFs in the browser rather than downloading them (vboctor)
  • 04454[filters] 31 February ??? (syncguru)
  • 15276[custom fields] Custom field “Date” 31 days every month. (syncguru)
  • 21873[filters] Use datetime picker for date ranges in filter (syncguru)
  • 21874[time tracking] Use datetime picker for date ranges in time tracking (syncguru)
  • 22469[time tracking] Enabling Time Tracking distorts View Issue Details page layout. (syncguru)
  • 22473[plug-ins] Avatars should respect image aspect ratio (community)
  • 22585[timeline] Show timeline for specific user (cproensa)
  • 22590[ui] Broken javascript and missing footer in My View Page (cproensa)
  • 22593[plug-ins] Broken Snippet plugin (vboctor)
  • 22598[api rest] REST API Framework (vboctor)
  • 22599[code cleanup] Use composer to pull in dependencies (vboctor)
  • 22600[api rest] Enable plugins to publish their own REST APIs (vboctor)
  • 22601[api rest] Support using REST API from Web UI Javascript (vboctor)
  • 22602[api rest] Provide a sandbox for interacting with REST API using Swagger UI (vboctor)
  • 22617[code cleanup] Unneeded CSS file calendar-blue.css (atrol)
  • 22291[time tracking] Issue history box is narrower than other boxes above it on View Issue page (syncguru)

MantisBT 2.2.3

Security fixes and maintenance release

  • 22392[filters] Sorting all bugs list using a column header after applying a filter resets the filter (cproensa)
  • 22496[filters] Permalink does not work with “Note By” (cproensa)
  • 22566[filters] Filter error due to “view status” having an array value (cproensa)
  • 22555[filters] Regression in custom field sorting (cproensa)
  • 22613[security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
  • 22615[security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
  • 22333[markdown] Markdown starts heading in the middle of a line (joel)
  • 22545[markdown] Markdown still converting ‘& amp;’ to & and ‘& lt;’ to < (dregad)

MantisBT 1.3.9

Security fixes and maintenance release

  • 22568[security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
  • 22579[security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
  • 22063[db mssql] Installation on MSSQL fails at step 209 (dregad)
  • 22208[db mssql] File upload to MS-SQL not working (dregad)
Posted in MantisBT | Tagged | 1 Comment

MantisBT Security releases 1.3.8, 2.1.2 and 2.2.2

Maintenance releases including security fixes for Cross-Site Scripting (XSS) issues have just been released. We advise all installations to upgrade; releases can be downloaded from our website.

Patched vulnerabilities:

  • 22537: CVE-2017-6973 – XSS in adm_config_report.php (affects 1.3.0-rc.2 and later)

Additionally, version 2.1.1 also includes fixes previously released in 1.3.7 and 2.2.1:

  • 22486: CVE-2017-6797 – XSS in bug_change_status_page.php
  • 22497: CVE-2017-6799 – XSS in view_filters_page.php
Posted in MantisBT | Tagged , , | Leave a comment

MantisBT 2.2.1 and 1.3.7 Released

MantisBT 2.2.1 (changelog)

Maintenance release for 2.2 series including security fixes.  This release includes fixes in 1.3.7 as well.

22246: [markdown] Markdown is converting ‘&’ signs to (ampersand[amp;]) inside code block or backtick as well (joel)
22442: [printing] System error when opening Print reports (dregad)
22479: [administration] Can’t edit a project’s name changing only accents a on MySQL (dregad)
22497: [security] CVE-2017-6799 – XSS in view_filters_page.php (dregad)
22510: [installation] Attempting to connect to database as admin BAD despite valid userid and password (dregad)

MantisBT 1.3.7 (changelog)

Maintenance release for 1.3 series including security fixes.

22309: [documentation] Example of Regular expression on documentation not work on MantisBT (atrol)
22335: [documentation] Wrong documentation of $g_limit_email_domains in Admin Guide (atrol)
22355: [documentation] typo error for the email_receive_own parameter (atrol)
22486: [security] CVE-2017-6797: XSS in bug_change_status_page.php (dregad)
22503: [tools] Travis CI builds fail for PHP > 5.5 (dregad)

Go ahead and download the release from our website.

Posted in MantisBT | Tagged | Leave a comment

MantisBT 2.2.0 and 2.1.1 Released

MantisBT 2.1.1 (changelog)

A maintenance release for 2.1.x series including the fixes below:

22266: [security] Sanitize window title (vboctor)
22288: [bugtracker] Due date current value doesn’t show in change status form (syncguru)
22302: [filters] Permalink does not work with tags (cproensa)
22326: [time tracking] g_time_tracking_without_note has no effect (vboctor)
22347: [filters] Filter allows to sort on non sortable fields (cproensa)
22359: [ui] Enhance filter box UI (syncguru)
22369: [filters] Recently Modified box on View Issues page does not display closed issues (cproensa)
22355: [documentation] typo error for the email_receive_own parameter (atrol)
22335: [documentation] Wrong documentation of $g_limit_email_domains in Admin Guide (atrol)
22309: [documentation] Example of Regular expression on documentation not work on MantisBT (atrol)

MantisBT 2.2.0 (changelog)

A feature release that includes all fixes from 2.1.1 release listed above, some setup fixes, status colors visibility improvements, shed some unnecessary js/css and multiple improvements for relationships feature.

21724: [ui] Improve visibility of status colors (syncguru)
08313: [relationships] More work needs to move to Relationship APIs (vboctor)
16933: [relationships] Deleting relationship should set target bug’s last updated (vboctor)
21619: [code cleanup] Use constants instead of hardcoded values for filter view types (dregad)
21796: [ui] inline attachments should be directly visible (dregad)
21881: [javascript] Remove jquery-ui is not longer used in Modern UI (syncguru)
21897: [ui] Unaligned color coding of status (syncguru)
22256: [javascript] Unbundle JS libraris from Ace theme files (syncguru)
22273: [javascript] Enable CDN support for dropzone.js (syncguru)
22296: [code cleanup] Options in $g_public_config_names are not sorted (atrol)
22316: [code cleanup] Duplicate code to display the filter view type toggle menu item (dregad)
22360: [relationships] relationship_add() doesn’t return bug relationship information (vboctor)
22361: [relationships] Trigger notifications on related issues when an issue is deleted (vboctor)
22362: [relationships] Use bin icon instead of ‘delete’ button to delete relationships (vboctor)
22363: [relationships] Setting a duplicate id should update relationship with target issue if already exists (vboctor)
22400: [installation] Installer does not show “GOOD” status for DB connections (dregad)
22401: [installation] Installer displays horizontal blue line under “Checking installation” section header (dregad)

Go ahead and download the release from our website.

Posted in MantisBT | Tagged | 6 Comments