“MantisTouch was developed to provide mobility to MantisBT. As a web app, MantisTouch provides a mobile optimized user interface for iPhone, Android, and Windows Phone. MantisTouch uses web services to access the bugtracking data allowing it to be installed on the same or a different server than MantisBT.”

This release provides several fixes (see changelog) including the following.

• Localization support – see readme.md for how to contribute translations to your own locale.  Now MantisTouch supports English and Traditional Chinese.  Contributing your own translation should take less than half an hour.
• Use better font and smaller buttons.
• SSL – Retrieval of jQuery and jQueryMobile from CDNs conflicts with SSL.  MantisTouch now uses CDNs when http is used, otherwise, uses local copy.
• SSL – If MantisTouch is available on both http and https, redirect to https when http is used.
• Company Logo – Provide the ability to use company logo on the login page instead of MantisBT logo.
• Use mc_login() API introduced in MantisBT 1.2.12 to authenticate user and get retrieve necessary user information,
• Update jQuery to 1.9.1 and jQueryMobile to 1.3.1
• Improved Logging.

All MantisTouch v1.2.x users are encouraged to upgrade by downloading new package and copying over existing installation.  If your instance is running a version before v1.2.x, then checkout the v1.2.0 release post for upgrade instructions.

All users are encouraged to upgrade to latest MantisBT (currently 1.2.15) to get the best experience with MantisTouch.

The following security issues were resolved:

• Any malicious user could use the view issues page (search.php) to execute a filter that could bring down the site by overloading the database server (CVE-2013-1883). Affects MantisBT 1.2.12 and later.  Refer to issue #15573 for detailed information.
• A cross site scripting (XSS) vulnerability allowed execution of arbitrary JavaScript code when deleting a version. Affects MantisBT 1.2.14 and later. Refer to issue #15511 for detailed information.
• In some cases, the ‘Close’ button would be available to unauthorized users, allowing them to close issues at will, bypassing the workflow settings. Affects MantisBT 1.2.12 and later. Refer to issue #15453 for detailed information.

This release also includes several bug fixes and enhancements to the tracker and the SOAP api, as well as updated translations in many languages.

A full changelog for 1.2.15 can be found at here.  Go ahead and download it now.

Checkout Hosted MantisBT to be up and running in minutes.  For optimized access to MantisBT from iPhone, Android and Windows Phone checkout MantisTouch.

The following release notes are relative to 1.2.12 (rather than 1.2.13).

Four cross site scripting (XSS) vulnerability issues were discovered and resolved:

• A malicious person could trick a target user’s browser into executing arbitrary JavaScript code (CVE-2013-0197). This vulnerability is critical, due to the affected page (search.php) being usable anonymously on public-facing installations (i.e. without the need for a user login).  Affects MantisBT 1.2.12 only (earlier versions are not impacted).  Refer to issue #15373 for detailed information.
• A user holding manager/administrator permissions could create a category or project name containing JavaScript code; from that point on, visitors to (a) the Summary page (summary.php) as well as (b) the Configuration Report page (adm_config_report.php), are exposed to having the JavaScript execute within their browser environment. The severity of this issue is mitigated by the need to have a privileged account to modify category and project names. Issue (a) affects MantisBT version 1.2.12 and above, while (b) is on 1.2.13 only; earlier releases are not impacted.  Refer to issues #15384 (a) and #15415 (b) for detailed information.
• An administrator could enter a configuration option containing javascript code, which would then be executed when displaying the Configuration Report page (adm_config_report.php). The severity of this issue is mitigated by the need to have a privileged account. Affects all MantisBT 1.2.x versions.  Refer to issue #15416 for detailed information.

A workflow-related security issue was also fixed:

• A user with “Reporter” permissions can modify the workflow status of any issue to “New” even if they do not have the necessary privileges to make this change.  Refer to issue #15258 for detailed information.

In addition to the corrections for the above-mentioned security issues, this release also includes several bug fixes and enhancements:

• improved Manage Configuration page (better performance, ability to filter and edit config options)
• support for the built-in SOAP extension in addition to nusoap
• updated translations in many languages

A full changelog for 1.2.14 can be found at here.  Go ahead and download it now.

Checkout Hosted MantisBT to be up and running in minutes.  For optimized access to MantisBT from iPhone, Android and Windows Phone checkout MantisTouch.

MantisBT 1.2.13 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

Two cross site scripting (XSS) vulnerability issues affecting MantisBT 1.2.12 only (earlier versions are not impacted) were discovered:

• CVE-2013-0197: a malicious person could trick the browser of a target user into executing arbitrary JavaScript code. This vulnerability is particularly wide-reaching due to the affected page (search.php) being usable anonymously on public-facing installations (i.e. no user login required).  Refer to issue #15373 for detailed information.
• CVE-2013-XXXX: A user holding manager/administrator permissions could create a category or project name containing JavaScript code; from that point on,  visitors to the Summary page (summary.php) are exposed to having the JavaScript execute within their browser environment. The severity of this issue is mitigated by the need to have a privileged account to modify category and project names.  Refer to issue #15384 for detailed information.

A workflow-related security issue was also fixed:

• CVE-2013-XXXX: a user with “Reporter” permissions can modify the workflow status of any issue to “New” even if they do not have the necessary privileges to make this change.  Refer to issue #15258 for detailed information.

In addition to the corrections for the above-mentioned security issues, this release also includes several bug fixes and enhancements:

• Improved Manage Configuration page (better performance, ability to filter and edit config options)
• Support for the built-in SOAP extension in addition to nusoap

A full changelog for 1.2.13 can be found at here.

Checkout Hosted MantisBT to be up and running in minutes.  For optimized access to MantisBT from iPhone, Android and Windows Phone checkout MantisTouch.

All installations that are currently running any 1.2.x or older version are advised to upgrade to this release.

A full changelog for 1.2.12 can be found at here.  Go ahead and download it now.

Checkout Hosted MantisBT to be up and running in minutes.  For optimized access to MantisBT from iPhone, Android and Windows Phone checkout MantisTouch.

“MantisTouch was developed to provide mobility to MantisBT. As a web app, MantisTouch provides a mobile optimized user interface for iPhone, Android, and Windows Phone. MantisTouch uses web services to access the bugtracking data allowing it to be installed on the same or a different server than MantisBT.”

This release provides several fixes (see changelog) in addition to supporting status colors on both view issues page, and issue detail page.

Status Colors Support

All MantisTouch v1.2.0 users are encouraged to upgrade by downloading new package and copying over existing installation.  If your instance is running a version before v1.2.0, then checkout the v1.2.0 release post for upgrade instructions.

“MantisTouch was developed to provide mobility to MantisBT. As a web app, MantisTouch provides a mobile optimized user interface for iPhone, Android, and Windows Phone. MantisTouch uses web services to access the bugtracking data allowing it to be installed on the same or a different server than MantisBT.”

This released is focused on simplifying the deployment of MantisTouch.  For a long time MantisBT has been known for its ability to run on any server with very little requirement. However, this was not the case for MantisTouch since it required setting up url re-writing to get Zend to work.  This release includes the following changes:

1. Drop the dependency on Zend and the requirement to have url re-writing setup.  This removes the pain point that complicated deployment.
2. Use latest version of jQuery (1.8.2) and jQueryMobile (1.2).  Use the CDN versions rather than distributing local copies.
3. The distribution zip file size was reduced from 6.5MB to 94KB.

Following are the steps to upgrade from previous versions:

1. Download the new release form the same location sent to you on purchase.
2. Rename MantisTouch folder (or whatever its name) to MantisTouch.x.
3. Create MantisTouch folder and extract the zip file into it.
4. Copy config_inc.sample.php to config_inc.php and edit the configs to match your environment.  Use config_defaults_inc.php as a reference.  Note that there is no more ini files to control configs.
5. Test that MantisTouch is working as expected.
6. Once the new version is working, you can backup / delete MantisTouch.x folder.

If you find any issues, please report them in the official bug tracker under project ‘MantisTouch’.  If you don’t have MantisTouch, you can get it from here.

• Emails landing in the recipient’s spam / junk folder
• Emails being rejected by the recipient’s email provider (these are lost).
• Emails being queued in MantisBT due to inability to connect or transfer messages to selected smtp server due to reaching daily quota limit (these are queued in MantisBT for future retries).

This release also contains numerous minor bug fixes to MantisBT,
SOAP API fixes, enhancements to the admin guide and improved translations in many
languages.

The SOAP API fixes also addresses the MantisTouch “login failure” error that was caused by php warnings in configuration that was surfaced in the SOAP API but not the web interface.

A full changelog for 1.2.11 can be found at here.  Go ahead and download it now.

Checkout Hosted MantisBT to be up and running in minutes.  For optimized access to MantisBT from iPhone, Android and Windows Phone checkout MantisTouch.

“MantisTouch was developed to provide mobility to MantisBT. As a web app, MantisTouch provides a mobile optimized user interface for iPhone, Android, and Windows Phone. MantisTouch uses web services to access the bugtracking data allowing it to be installed on the same or a different server than MantisBT.”

This released is focused on addressing some of the common issues found during deployment in some of the customer environments. These include the following:

1. ‘Invalid controller specified (error)’ is now fixed. Instead, MantisTouch will prompt the real issue that caused the need to look for the error controller

2. Improved README with some extra installation steps that were missing from the previous versions.

The most common deployment issues were:

1. Errors caused by MantisBT API on the MantisBT side – These are typically caused by PHP errors / warnings that show up in the API due to errors in config_inc.php, custom_strings_inc.php, etc. You can resolve these issues one by one as MantisTouch errors on them, or you can use the following settings in config_inc.php, to make MantisBT complain on such errors to fix existing ones and avoid having new ones get introduced due to future changes:

$g_display_errors = array(
E_WARNING => 'halt',
E_NOTICE => 'halt',
E_USER_ERROR => 'halt',
E_USER_WARNING => 'halt',
E_USER_NOTICE => 'halt'
);

$g_stop_on_errors = ON;
$g_show_detailed_errors = ON;


2. Errors when url re-writing is not enabled, causing Zend framework to fail routing of checkLogin – See Zend Framework guide for URL re-writing setup for IIS and Apache.

MantisTouch v1.x license owners can download this version for free via the same link issued on purchase.

Please report issues under the ‘MantisTouch’ project in the bugtracker, or provide feedback via the feedback buttons in MantisTouch itself.