Critical Security Fix Releases: 2.3.1, 2.2.4, and 1.3.10

This is the release announcement for releases including the fixes for a critical security issue (#22690 for CVE-2017-7615), allowing a remote attacker to reset any user’s password, on all MantisBT instances where user signup or password reset are enabled, via a vulnerability in the Account verification page (verify.php).

MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases. The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released soon.

This issue has been fixed in release 1.3.10, 2.2.4, and 2.3.1 that we just published.

Due to the nature and criticality of the bug, we sent last night an advance notification to users that are registered on our bug tracker, providing the following patch that can mitigate the issue.  If for any reason you can’t upgrade, go ahead and use the one line change below to patch your MantisBT instance.

Locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):

if( $f_confirm_hash != $t_token_confirm_hash ) {

change it to

if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {

You are strongly advised to patch your systems immediately.

We would like to take this opportunity to thank John Page aka hyp3rlinx from ApparitionSec (http://hyp3rlinx.altervista.org) for discovering, responsibly reporting and working with us towards resolution of this vulnerability.

Thanks,
-MantisBT Team

MantisBT 2.3.0, 2.2.3, and 1.3.9 released

MantisBT 2.3.0

Feature release including security fixes and our brand new experimental REST API.  The REST API can be extended by plugins and power web UI ajax features.  In this release the REST API is disabled by default (expect for calls from within the web UI using cookie authentication) – see 22598 for more details.

  • 22445[ui] Manage users page does not show filters ‘0’-‘9’ as selected (atrol)
  • 22474[administration] “Obsolete configuration” warnings when running admin checks (atrol)
  • 22499[documentation] Document reuse of language strings (dregad)
  • 22501[ui] Enhance layout of “View Issue Details” page (atrol)
  • 22505[ui] Enhance layout of “Updating Issue Information” (atrol)
  • 22506[attachments] Error updating project document (atrol)
  • 22507[ui] On Edit Filter page, ‘Filter name’ input field is too narrow (dregad)
  • 08957[custom fields] Date Selector for Custom Fields (syncguru)
  • 22423[html] ID attribute for bugnote_text (community)
  • 22541[localization] Enhance wording in manage_config_email_page.php and manage_config_work_threshold_page.php pages (atrol)
  • 22548[ui] Remove unnecessary ‘center’ class from textarea in bugnote edit page (community)
  • 22571[html] Add ID attribute for bugnote_text textarea (community)
  • 22572[documentation] Wrong default value in documentation of “g_show_version” (atrol)
  • 21552[ui] My account preferences: move project list outside the form (cproensa)
  • 22140[administration] Getting error dialog when reporting issues and file upload is disabled (cproensa)
  • 22543[ui] Open images in the browser rather than download them (vboctor)
  • 22582[relationships] Relationships box layout is not right for reporters (vboctor)
  • 22583[attachments] Open PDFs in the browser rather than downloading them (vboctor)
  • 04454[filters] 31 February ??? (syncguru)
  • 15276[custom fields] Custom field “Date” 31 days every month. (syncguru)
  • 21873[filters] Use datetime picker for date ranges in filter (syncguru)
  • 21874[time tracking] Use datetime picker for date ranges in time tracking (syncguru)
  • 22469[time tracking] Enabling Time Tracking distorts View Issue Details page layout. (syncguru)
  • 22473[plug-ins] Avatars should respect image aspect ratio (community)
  • 22585[timeline] Show timeline for specific user (cproensa)
  • 22590[ui] Broken javascript and missing footer in My View Page (cproensa)
  • 22593[plug-ins] Broken Snippet plugin (vboctor)
  • 22598[api rest] REST API Framework (vboctor)
  • 22599[code cleanup] Use composer to pull in dependencies (vboctor)
  • 22600[api rest] Enable plugins to publish their own REST APIs (vboctor)
  • 22601[api rest] Support using REST API from Web UI Javascript (vboctor)
  • 22602[api rest] Provide a sandbox for interacting with REST API using Swagger UI (vboctor)
  • 22617[code cleanup] Unneeded CSS file calendar-blue.css (atrol)
  • 22291[time tracking] Issue history box is narrower than other boxes above it on View Issue page (syncguru)

MantisBT 2.2.3

Security fixes and maintenance release

  • 22392[filters] Sorting all bugs list using a column header after applying a filter resets the filter (cproensa)
  • 22496[filters] Permalink does not work with “Note By” (cproensa)
  • 22566[filters] Filter error due to “view status” having an array value (cproensa)
  • 22555[filters] Regression in custom field sorting (cproensa)
  • 22613[security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
  • 22615[security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
  • 22333[markdown] Markdown starts heading in the middle of a line (joel)
  • 22545[markdown] Markdown still converting ‘& amp;’ to & and ‘& lt;’ to < (dregad)

MantisBT 1.3.9

Security fixes and maintenance release

  • 22568[security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
  • 22579[security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
  • 22063[db mssql] Installation on MSSQL fails at step 209 (dregad)
  • 22208[db mssql] File upload to MS-SQL not working (dregad)

MantisBT Security releases 1.3.8, 2.1.2 and 2.2.2

Maintenance releases including security fixes for Cross-Site Scripting (XSS) issues have just been released. We advise all installations to upgrade; releases can be downloaded from our website.

Patched vulnerabilities:

  • 22537: CVE-2017-6973 – XSS in adm_config_report.php (affects 1.3.0-rc.2 and later)

Additionally, version 2.1.1 also includes fixes previously released in 1.3.7 and 2.2.1:

  • 22486: CVE-2017-6797 – XSS in bug_change_status_page.php
  • 22497: CVE-2017-6799 – XSS in view_filters_page.php