MantisTouch v1.2.2 Released

For those not familiar with MantisTouch:

“MantisTouch was developed to provide mobility to MantisBT. As a web app, MantisTouch provides a mobile optimized user interface for iPhone, Android, and Windows Phone. MantisTouch uses web services to access the bugtracking data allowing it to be installed on the same or a different server than MantisBT.”

This release provides several fixes (see changelog) including the following.

  • Localization support – see readme.md for how to contribute translations to your own locale.  Now MantisTouch supports English and Traditional Chinese.  Contributing your own translation should take less than half an hour.
  • Use better font and smaller buttons.
  • SSL – Loading jQuery and jQueryMobile from CDNs conflicts with SSL.  MantisTouch now uses the CDN copies only when it is served over http; otherwise it uses the local copies.
  • SSL – If MantisTouch is available on both http and https, requests arriving over http are redirected to https.
  • Company Logo – Provide the ability to use company logo on the login page instead of MantisBT logo.
  • Use the mc_login() API introduced in MantisBT 1.2.12 to authenticate the user and retrieve the necessary user information.
  • Update jQuery to 1.9.1 and jQueryMobile to 1.3.1.
  • Improved Logging.
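The two SSL items above, as an added example (not MantisTouch's own code): detect whether the request came in over https, redirect plain-http requests to a configured https base URL, and load CDN or local script copies accordingly.  The function names, the $g_https_base setting and the CDN URLs are assumptions.

```php
<?php
// Added example, not MantisTouch's own code. The function names and the
// $g_https_base setting are hypothetical; set it to '' if no https endpoint exists.
$g_https_base = 'https://tracker.example.com';

// True when the request was served over TLS. Checks the standard HTTPS
// variable, the port, and X-Forwarded-Proto from a TLS-terminating proxy.
function request_is_https(array $server) {
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    // Assumption: only a proxy you control can set this header.
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// Redirect target for a plain-http request when an https endpoint is
// configured, or null when no redirect is needed. The host comes from
// configuration rather than the client's Host header, so the redirect
// cannot be steered to another site.
function https_redirect_url(array $server, $https_base) {
    if ($https_base === '' || request_is_https($server)) {
        return null;
    }
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    return rtrim($https_base, '/') . $uri;
}

// CDN copies on plain http; local copies on https, so a secure page never
// loads its scripts over an insecure channel (mixed content).
function script_urls($is_https) {
    if ($is_https) {
        return array('js/jquery-1.9.1.min.js', 'js/jquery.mobile-1.3.1.min.js');
    }
    return array(
        'http://code.jquery.com/jquery-1.9.1.min.js',
        'http://code.jquery.com/mobile/1.3.1/jquery.mobile-1.3.1.min.js',
    );
}
$redirect = https_redirect_url($_SERVER, $g_https_base);
if ($redirect !== null) {
    header('Location: ' . $redirect, true, 301);
    exit;
}
foreach (script_urls(request_is_https($_SERVER)) as $url) {
    echo '<script src="' . htmlspecialchars($url, ENT_QUOTES) . '"></script>', "\n";
}
```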

All MantisTouch v1.2.x users are encouraged to upgrade by downloading the new package and copying it over the existing installation.  If your instance is running a version before v1.2.x, then check out the v1.2.0 release post for upgrade instructions.

All users are encouraged to upgrade to the latest MantisBT (currently 1.2.15) to get the best experience with MantisTouch.


MantisBT 1.2.15 Released

MantisBT 1.2.15 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

The following security issues were resolved:

  • Any malicious user could use the view issues page (search.php) to execute a filter that could bring down the site by overloading the database server (CVE-2013-1883). Affects MantisBT 1.2.12 and later.  Refer to issue #15573 for detailed information.
  • A cross site scripting (XSS) vulnerability allowed execution of arbitrary JavaScript code when deleting a version. Affects MantisBT 1.2.14 and later. Refer to issue #15511 for detailed information.
  • In some cases, the ‘Close’ button would be available to unauthorized users, allowing them to close issues at will, bypassing the workflow settings. Affects MantisBT 1.2.12 and later. Refer to issue #15453 for detailed information.

This release also includes several bug fixes and enhancements to the tracker and the SOAP API, as well as updated translations in many languages.

A full changelog for 1.2.15 can be found here.  Go ahead and download it now.

Check out Hosted MantisBT to be up and running in minutes.  For optimized access to MantisBT from iPhone, Android and Windows Phone, check out MantisTouch.


MantisBT 1.2.14 Released

MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

The following release notes are relative to 1.2.12 (rather than 1.2.13).

Four cross site scripting (XSS) vulnerability issues were discovered and resolved:

  • A malicious person could trick a target user’s browser into executing arbitrary JavaScript code (CVE-2013-0197). This vulnerability is critical, due to the affected page (search.php) being usable anonymously on public-facing installations (i.e. without the need for a user login).  Affects MantisBT 1.2.12 only (earlier versions are not impacted).  Refer to issue #15373 for detailed information.
  • A user holding manager/administrator permissions could create a category or project name containing JavaScript code; from that point on, visitors to (a) the Summary page (summary.php) as well as (b) the Configuration Report page (adm_config_report.php), are exposed to having the JavaScript execute within their browser environment. The severity of this issue is mitigated by the need to have a privileged account to modify category and project names. Issue (a) affects MantisBT version 1.2.12 and above, while (b) is on 1.2.13 only; earlier releases are not impacted.  Refer to issues #15384 (a) and #15415 (b) for detailed information.
  • An administrator could enter a configuration option containing JavaScript code, which would then be executed when displaying the Configuration Report page (adm_config_report.php). The severity of this issue is mitigated by the need to have a privileged account. Affects all MantisBT 1.2.x versions.  Refer to issue #15416 for detailed information.

A workflow-related security issue was also fixed:

  • A user with “Reporter” permissions could modify the workflow status of any issue to “New” even if they did not have the necessary privileges to make this change.  Refer to issue #15258 for detailed information.

In addition to the corrections for the above-mentioned security issues, this release also includes several bug fixes and enhancements:

  • improved Manage Configuration page (better performance, ability to filter and edit config options)
  • support for the built-in SOAP extension in addition to nusoap
  • updated translations in many languages

A full changelog for 1.2.14 can be found here.  Go ahead and download it now.



MantisBT 1.2.13 Released

Update – this release was pulled shortly after release since we found that it introduced a bug where the View Issues page consumes significantly more memory for instances with large numbers of users (on the order of 10k+).  We are planning to release 1.2.14 shortly.

MantisBT 1.2.13 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

Two cross site scripting (XSS) vulnerability issues affecting MantisBT 1.2.12 only (earlier versions are not impacted) were discovered:

  • CVE-2013-0197: a malicious person could trick the browser of a target user into executing arbitrary JavaScript code. This vulnerability is particularly wide-reaching due to the affected page (search.php) being usable anonymously on public-facing installations (i.e. no user login required).  Refer to issue #15373 for detailed information.
  • CVE-2013-XXXX: A user holding manager/administrator permissions could create a category or project name containing JavaScript code; from that point on,  visitors to the Summary page (summary.php) are exposed to having the JavaScript execute within their browser environment. The severity of this issue is mitigated by the need to have a privileged account to modify category and project names.  Refer to issue #15384 for detailed information.

A workflow-related security issue was also fixed:

  • CVE-2013-XXXX: a user with “Reporter” permissions could modify the workflow status of any issue to “New” even if they did not have the necessary privileges to make this change.  Refer to issue #15258 for detailed information.

In addition to the corrections for the above-mentioned security issues, this release also includes several bug fixes and enhancements:

  • Improved Manage Configuration page (better performance, ability to filter and edit config options)
  • Support for the built-in SOAP extension in addition to nusoap

A full changelog for 1.2.13 can be found here.



MantisBT 1.2.12 Released

MantisBT 1.2.12 is a maintenance update for the stable 1.2.x branch that resolves over 70 issues mainly in the following categories: security, MS SQL and PostgreSQL database support, change log page, custom fields, installation, attachments, SOAP API (including MantisTouch related fixes), XML import/export plugin, email (including update of phpMailer to v5.2.1) and others.

All installations that are currently running any 1.2.x or older version are advised to upgrade to this release.

A full changelog for 1.2.12 can be found here.  Go ahead and download it now.



MantisTouch v1.2.1 released


This release provides several fixes (see changelog) in addition to supporting status colors on both the View Issues page and the issue detail page.

MantisTouch Issues Page

Status Colors Support

All MantisTouch v1.2.0 users are encouraged to upgrade by downloading the new package and copying it over the existing installation.  If your instance is running a version before v1.2.0, then check out the v1.2.0 release post for upgrade instructions.


MantisTouch v1.2.0 released


This release is focused on simplifying the deployment of MantisTouch.  For a long time MantisBT has been known for its ability to run on any server with very few requirements. However, this was not the case for MantisTouch, since it required setting up URL rewriting to get Zend to work.  This release includes the following changes:

  1. Drop the dependency on Zend and the requirement to have URL rewriting set up.  This removes the pain point that complicated deployment.
  2. Use the latest versions of jQuery (1.8.2) and jQueryMobile (1.2).  Use the CDN versions rather than distributing local copies.
  3. The distribution zip file size was reduced from 6.5MB to 94KB.

Following are the steps to upgrade from previous versions:

  1. Download the new release from the same location sent to you on purchase.
  2. Rename the MantisTouch folder (or whatever its name is) to MantisTouch.x.
  3. Create a MantisTouch folder and extract the zip file into it.
  4. Copy config_inc.sample.php to config_inc.php and edit the configs to match your environment.  Use config_defaults_inc.php as a reference.  Note that ini files are no longer used to control configs.
  5. Test that MantisTouch is working as expected.
  6. Once the new version is working, you can back up / delete the MantisTouch.x folder.

If you find any issues, please report them in the official bug tracker under project ‘MantisTouch’.  If you don’t have MantisTouch, you can get it from here.


Deliverability of emails sent from MantisBT

It is common for MantisBT admins to report that they are having issues with users not receiving emails sent out by MantisBT.  There are several reasons for this to happen:

  • Emails landing in the recipient’s spam / junk folder.
  • Emails being rejected by the recipient’s email provider (these are lost).
  • Emails being queued in MantisBT because it cannot connect to, or transfer messages to, the selected SMTP server, for example after reaching a daily quota limit (these are queued in MantisBT for future retries).

Rejection or placement into spam is typically driven by one of the following reasons:

  • Using an IP with a bad reputation – common in the case of shared hosting, hacked servers, IP recycling, etc.  These IPs end up in blacklists that SMTP servers check before accepting emails from clients.
  • Emails looking like they are spoofed – when emails are sent from a server that cannot be related back to the domain they are sent from.
  • The contents of the email – this is typically not the issue in the case of MantisBT emails.

Queuing of emails in MantisBT because they cannot be handed over to the SMTP provider is typically due to one of the following reasons:

  • Using an IP with a bad reputation – Most SMTP servers will reject a connection if the IP is in a blacklist, before even starting communication with the client.
  • Hitting the daily quota – If an account sends too many emails, servers start treating it as a spammer or as a user doing mass emailing from this account, which is typically not covered by the service agreement provided by services like Gmail, Hotmail, Office 365, etc.  This problem looks intermittent, since the limits are reset every day: emails work for part of the day, then stop working and queue until the next day, and so on.

In fact, we have hit a lot of these issues ourselves, and lately were hit with the quota case.  Hence, we’ve decided to use a service that would take over email deliverability for us, replace quota limits with pay as you go, manage IP reputation, provide reporting, and so on. This removes the headache from this process and provides peace of mind that communication to users is reliable and predictable, rather than having customers turned away because they registered and never got a confirmation email to activate their account.  The cost of such a service is based on the number of emails that are sent; hence, for most MantisBT instances, it should be low and well worth it.

We encourage you to try this out for free with 1,000 emails to get you started.  Note that this setup provides you with an SMTP server, account, and password that you can use with MantisBT, your forums, blogs, email clients, etc.  In other words, you can use it for all your web apps and email marketing tools.

MantisBT 1.2.11 Released

MantisBT 1.2.11 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x or older version are advised to upgrade to this release.

This release also contains numerous minor bug fixes to MantisBT, SOAP API fixes, enhancements to the admin guide and improved translations in many languages.

The SOAP API fixes also address the MantisTouch “login failure” error, which was caused by PHP warnings in the configuration that surfaced in the SOAP API but not in the web interface.

A full changelog for 1.2.11 can be found here.  Go ahead and download it now.



MantisTouch 1.1.2 Released


This release is focused on addressing some of the common issues found during deployment in customer environments. These include the following:

1. ‘Invalid controller specified (error)’ is now fixed. Instead, MantisTouch will report the real issue that caused it to fall back to the error controller :)

2. Improved README with some extra installation steps that were missing from the previous versions.

The most common deployment issues were:

1. Errors caused by the MantisBT API on the MantisBT side – These are typically caused by PHP errors / warnings that show up in the API due to errors in config_inc.php, custom_strings_inc.php, etc. You can resolve these issues one by one as MantisTouch errors on them, or you can use the following settings in config_inc.php so that MantisBT itself halts on such errors, which lets you fix the existing ones and catch new ones introduced by future changes:

// Treat PHP warnings and notices as fatal instead of printing them into the
// page: a warning emitted into a SOAP response surfaces in MantisTouch as an
// error, while the web interface may hide it.
$g_display_errors = array(
    E_WARNING => 'halt',
    E_NOTICE => 'halt',
    E_USER_ERROR => 'halt',
    E_USER_WARNING => 'halt',
    E_USER_NOTICE => 'halt'
);

// Stop on the first error and show its details so the offending config line
// is easy to find. Detailed errors expose file paths and configuration, so
// switch this back off on public-facing installations once the cause is fixed.
$g_stop_on_errors = ON;
$g_show_detailed_errors = ON;

2. Errors when URL rewriting is not enabled, causing the Zend framework to fail routing of checkLogin – See the Zend Framework guide for URL rewriting setup for IIS and Apache.

MantisTouch v1.x license owners can download this version for free via the same link issued on purchase.

Please report issues under the ‘MantisTouch’ project in the bugtracker, or provide feedback via the feedback buttons in MantisTouch itself.
