MantisTouch 1.3.2 Released

A new release of MantisTouch has been published with the following improvements:

  • Support for anonymous access
  • Fix bug related to accessing attachments
  • Allow users to sign up.
  • Fixed time zone related error in some environments.

The MantisTouchRedirect plugin must be installed for some of the fixes above to work properly.

All MantisTouch v1.2.0 users are encouraged to upgrade by downloading the new package (from the same link you got on purchase) and copying it over the existing installation. For instances older than v1.2.0, check out the v1.2.0 release post for upgrade instructions.


MantisBT 1.2.17 Released

MantisBT 1.2.17 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

A SQL injection vulnerability (CVE-2014-2238) in adm_config_report.php was patched. Refer to issue #17055 for detailed information.

This release also includes a few bug fixes for the tracker, including a News API correction for regression issue #16940, introduced in 1.2.16, as well as updated translations in many languages.

See the full changelog for more details and download from the official site.


MantisTouch 1.3.1 released

MantisTouch 1.3.1 released (see blog post).  The new release requires MantisBT v1.2.12 or above.  However, MantisBT v1.2.16 is highly recommended and will enable a bunch of extra features.


MantisBT 1.2.16 Released

MantisBT 1.2.16 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

The following security issues were resolved:

  • Cross-site scripting (XSS) issue in account_sponsor_page.php, allowing a malicious user with project manager access to execute arbitrary JavaScript code (CVE-2013-4460). Affects MantisBT 1.1.0 and later.  Refer to issue #16513 for detailed information.
  • SQL injection attacks through the SOAP API’s mc_attachment_get() function (CVE-2014-1608). Affects MantisBT 1.1.0a4 and later.  Refer to issue #16879 for detailed information.
  • Additional cases of unsanitized SQL query parameter usage were identified, potentially allowing SQL injection attacks (CVE-2014-1609). Refer to issue #16880 for detailed information.

This release also includes many bug fixes and enhancements to the tracker and the SOAP API, as well as updated translations in many languages.

See the full changelog for more details and download from the official site.


MantisTouch v1.3.0 released

A new release of MantisTouch has just been published with custom fields support as the main feature.  This release is now available for download and is already integrated into the MantisHub service.

Here are some of the features included in this release. For a full list, check out the changelog.

  • Support for custom fields – It is now possible to edit and view custom fields via the report, edit and view pages.  All field types are supported with the exception of the ‘date’ type which is only supported on the view page.
  • Support auto-configuration of MantisTouch when installed in a sub-folder of MantisBT named ‘m’ – MantisTouch can now be set up by just copying the MantisTouch files into a sub-folder of MantisBT named ‘m’.
  • Support for deleting issues
  • Project name missing when viewing “all issues” or in the issue detail page – when ‘All Projects’ is selected, clarify the project for each issue on the view issues list or the page title of the view issue page.
  • Add French Localization – Thanks to contribution by Pierre-Olivier Vallee.

All MantisTouch v1.2.0 users are encouraged to upgrade by downloading the new package and copying it over the existing installation. If your instance is running a version before v1.2.0, then check out the v1.2.0 release post for upgrade instructions.


Introducing MantisHub – MantisBT as a Service

MantisBT has been known for being easy to set up across a variety of platforms due to it being a PHP app that is designed to reduce installation friction. However, often users wanted a quicker way of getting started. They didn’t want to worry about setting up a web server, installing MantisBT, managing it, doing backups, upgrades, and being on point to answer support questions.

As a first step, we offered one-click installs for MantisBT.  That helped customers to get started quicker, but they still had to worry about security patches, upgrades and support.

I’ve been working on making this better for a while, and I’m now happy to announce the launch of MantisHub. MantisHub is for MantisBT what GitHub is for Git. It is MantisBT as a service, allowing users to sign up and be up and running in less than 1 minute. They can then try MantisBT for a month and then decide whether they want to continue using it or not. No credit card required until the end of the trial period.

MantisHub also offers MantisTouch for mobile access, allowing your users to get a mobile-friendly interface when accessing your MantisBT instance from any modern phone. Just visit http://yourinstance.mantishub.com/m/ to get the MantisTouch interface. This is a $100 value.

Going forward, MantisHub will also replace the mantisbt.org shared demo instance, hence allowing each user to trial the full MantisBT experience including administrative features in a dedicated instance. Demo instances will be available for 30 days with no credit card requirement, and users will be able to upgrade them to a paid plan at the end of the trial.

Through running the MantisHub service, the experience of running MantisBT at scale will provide good insights that I’m planning to translate into improvements to MantisBT core. So go ahead, get a free trial and provide feedback!

Thanks,
-Victor


MantisTouch v1.2.3 Released

This MantisTouch release provides several fixes (see changelog) including the following.

  • Remove usage of short PHP tags which were causing issues in some environments.
  • Some strings were not localizable.
  • Fixes relating to handling of some Unicode characters on some of the pages.
  • Provide more descriptive error messages for several failure scenarios.
  • Fix PHP error on issue report page.

All MantisTouch v1.2.x users are encouraged to upgrade by downloading the new package and copying it over the existing installation. If your instance is running a version before v1.2.x, then check out the v1.2.0 release post for upgrade instructions.

All users are encouraged to upgrade to the latest MantisBT (currently 1.2.15) to get the best experience with MantisTouch.


MantisTouch v1.2.2 Released

For those not familiar with MantisTouch:

“MantisTouch was developed to provide mobility to MantisBT. As a web app, MantisTouch provides a mobile optimized user interface for iPhone, Android, and Windows Phone. MantisTouch uses web services to access the bugtracking data allowing it to be installed on the same or a different server than MantisBT.”

This release provides several fixes (see changelog) including the following.

  • Localization support – see readme.md for how to contribute translations to your own locale.  Now MantisTouch supports English and Traditional Chinese.  Contributing your own translation should take less than half an hour.
  • Use better font and smaller buttons.
  • SSL – Retrieval of jQuery and jQueryMobile from CDNs conflicts with SSL. MantisTouch now uses CDNs when http is used; otherwise, it uses a local copy.
  • SSL – If MantisTouch is available on both http and https, redirect to https when http is used.
  • Company Logo – Provide the ability to use a company logo on the login page instead of the MantisBT logo.
  • Use the mc_login() API introduced in MantisBT 1.2.12 to authenticate the user and retrieve the necessary user information.
  • Update jQuery to 1.9.1 and jQueryMobile to 1.3.1
  • Improved Logging.

All MantisTouch v1.2.x users are encouraged to upgrade by downloading the new package and copying it over the existing installation. If your instance is running a version before v1.2.x, then check out the v1.2.0 release post for upgrade instructions.

All users are encouraged to upgrade to the latest MantisBT (currently 1.2.15) to get the best experience with MantisTouch.


MantisBT 1.2.15 Released

MantisBT 1.2.15 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

The following security issues were resolved:

  • Any malicious user could use the view issues page (search.php) to execute a filter that could bring down the site by overloading the database server (CVE-2013-1883). Affects MantisBT 1.2.12 and later.  Refer to issue #15573 for detailed information.
  • A cross site scripting (XSS) vulnerability allowed execution of arbitrary JavaScript code when deleting a version. Affects MantisBT 1.2.14 and later. Refer to issue #15511 for detailed information.
  • In some cases, the ‘Close’ button would be available to unauthorized users, allowing them to close issues at will, bypassing the workflow settings. Affects MantisBT 1.2.12 and later. Refer to issue #15453 for detailed information.

This release also includes several bug fixes and enhancements to the tracker and the SOAP API, as well as updated translations in many languages.

A full changelog for 1.2.15 can be found here. Go ahead and download it now.

Check out Hosted MantisBT to be up and running in minutes. For optimized access to MantisBT from iPhone, Android and Windows Phone, check out MantisTouch.


MantisBT 1.2.14 Released

MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

The following release notes are relative to 1.2.12 (rather than 1.2.13).

Four cross site scripting (XSS) vulnerability issues were discovered and resolved:

  • A malicious person could trick a target user’s browser into executing arbitrary JavaScript code (CVE-2013-0197). This vulnerability is critical, due to the affected page (search.php) being usable anonymously on public-facing installations (i.e. without the need for a user login).  Affects MantisBT 1.2.12 only (earlier versions are not impacted).  Refer to issue #15373 for detailed information.
  • A user holding manager/administrator permissions could create a category or project name containing JavaScript code; from that point on, visitors to (a) the Summary page (summary.php) as well as (b) the Configuration Report page (adm_config_report.php), are exposed to having the JavaScript execute within their browser environment. The severity of this issue is mitigated by the need to have a privileged account to modify category and project names. Issue (a) affects MantisBT version 1.2.12 and above, while (b) is on 1.2.13 only; earlier releases are not impacted.  Refer to issues #15384 (a) and #15415 (b) for detailed information.
  • An administrator could enter a configuration option containing JavaScript code, which would then be executed when displaying the Configuration Report page (adm_config_report.php). The severity of this issue is mitigated by the need to have a privileged account. Affects all MantisBT 1.2.x versions. Refer to issue #15416 for detailed information.

A workflow-related security issue was also fixed:

  • A user with “Reporter” permissions can modify the workflow status of any issue to “New” even if they do not have the necessary privileges to make this change.  Refer to issue #15258 for detailed information.

In addition to the corrections for the above-mentioned security issues, this release also includes several bug fixes and enhancements:

  • improved Manage Configuration page (better performance, ability to filter and edit config options)
  • support for the built-in SOAP extension in addition to nusoap
  • updated translations in many languages

A full changelog for 1.2.14 can be found here. Go ahead and download it now.

Check out Hosted MantisBT to be up and running in minutes. For optimized access to MantisBT from iPhone, Android and Windows Phone, check out MantisTouch.
