Changesets: MantisBT

master 5e5e5750

2014-12-28 01:29

dregad


Install: disable step 4 (additional config info)

This fixes a security issue allowing an attacker to access the
installation script and obtain database access credentials.

Since the offending install step does not seem to be doing anything
useful, the corresponding code block has been commented out.

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

Fixes 0017939
Affected Issues: 0017937, 0017939, 0019273
mod - admin/install.php

master-1.2.x 5571bcf9

2014-12-28 01:29

dregad


Install: disable step 4 (additional config info)

This fixes a security issue allowing an attacker to access the
installation script and obtain database access credentials.

Since the offending install step does not seem to be doing anything
useful, the corresponding code block has been commented out.

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

Fixes 0017939
Affected Issues: 0017937, 0017939
mod - admin/install.php

master 4867410f

2014-12-27 08:19

siebrand


Localisation updates from https://translatewiki.net.
mod - lang/strings_belarusian_tarask.txt
mod - lang/strings_breton.txt
mod - lang/strings_chinese_simplified.txt
mod - lang/strings_croatian.txt
mod - lang/strings_dutch.txt
mod - lang/strings_finnish.txt
mod - lang/strings_french.txt
mod - lang/strings_german.txt
mod - lang/strings_greek.txt
mod - lang/strings_italian.txt
mod - lang/strings_macedonian.txt
mod - lang/strings_qqq.txt
mod - lang/strings_ripoarisch.txt
mod - lang/strings_russian.txt
mod - lang/strings_spanish.txt
mod - lang/strings_swedish.txt
mod - lang/strings_ukrainian.txt
mod - plugins/MantisCoreFormatting/lang/strings_dutch.txt
mod - plugins/MantisCoreFormatting/lang/strings_finnish.txt
mod - plugins/MantisCoreFormatting/lang/strings_greek.txt
mod - plugins/MantisCoreFormatting/lang/strings_qqq.txt
mod - plugins/MantisGraph/lang/strings_finnish.txt
mod - plugins/MantisGraph/lang/strings_qqq.txt
mod - plugins/XmlImportExport/lang/strings_breton.txt
mod - plugins/XmlImportExport/lang/strings_chinese_simplified.txt
mod - plugins/XmlImportExport/lang/strings_dutch.txt
mod - plugins/XmlImportExport/lang/strings_finnish.txt
mod - plugins/XmlImportExport/lang/strings_french.txt
mod - plugins/XmlImportExport/lang/strings_german.txt
mod - plugins/XmlImportExport/lang/strings_macedonian.txt
mod - plugins/XmlImportExport/lang/strings_portuguese_standard.txt
mod - plugins/XmlImportExport/lang/strings_russian.txt
mod - plugins/XmlImportExport/lang/strings_spanish.txt
mod - plugins/XmlImportExport/lang/strings_swedish.txt
mod - plugins/XmlImportExport/lang/strings_ukrainian.txt

master 132cd6d0

2014-12-27 07:47

dregad


Fix XSS in install.php

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes 0017938
Affected Issues: 0017937, 0017938, 0019274
mod - admin/install.php

master-1.2.x 6d47c047

2014-12-27 07:47

dregad


Fix XSS in install.php

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes 0017938
Affected Issues: 0017937, 0017938
mod - admin/install.php

master 7cc4539f

2014-12-27 07:34

dregad


Fix SQL injection in manage_user_page.php

This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes 0017940
Affected Issues: 0017937, 0017940, 0019277
mod - manage_user_page.php

master-1.2.x 69c2d28d

2014-12-27 07:34

dregad


Fix SQL injection in manage_user_page.php

This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes 0017940
Affected Issues: 0017937, 0017940
mod - manage_user_page.php

master d63d54aa

2014-12-27 07:09

dregad


Changed version to '1.3.0-beta.2-dev' [skip ci]
mod - core/constant_inc.php

master 61887a6c

2014-12-23 21:34

Rafik Robeal


Fix broken category menu in filter box
mod - core/filter_api.php

master fc66aa75

2014-12-23 20:57

Rafik Robeal


Fix advanced filter view of the select menu
mod - css/ace-mantis.css

master 0a33bdfd

2014-12-23 01:25

dregad


Refactor db_helper_compare_days()

1. Function renamed to db_helper_compare_time()
2. It now accepts 4 parameters, which have been reordered
   - date 1
   - an SQL operator to use for the comparison
   - date 2
   - the number of seconds to compare against
   Note: the date parameters should only be strings (column names);
   date constants should be passed as DB parameters
3. The comparison is rewritten based on sign of $p_num_secs to avoid
   issues with unsigned integers on MySQL

Returns: date1 [operator] date2 + days

All occurrences of the function in MantisBT code base have been updated
accordingly.

Fixes 0017980
Affected Issues: 0017980
mod - core/database_api.php
mod - core/news_api.php
mod - core/summary_api.php
mod - manage_user_page.php
mod - manage_user_prune.php

master 002a37b9

2014-12-22 20:57

Rafik Robeal


Better align graph filter table header with content columns
mod - plugins/MantisGraph/pages/bug_graph_bycategory.php
mod - plugins/MantisGraph/pages/bug_graph_bystatus.php

master bfaa05af

2014-12-22 20:51

Rafik Robeal


Style graph filter page and results view
mod - plugins/MantisGraph/core/Period.php
mod - plugins/MantisGraph/pages/bug_graph_bycategory.php
mod - plugins/MantisGraph/pages/bug_graph_bystatus.php
mod - plugins/MantisGraph/pages/bug_graph_page.php

master 0a1908b7

2014-12-22 19:45

Rafik Robeal


Style delete filter page to look consistent with other delete pages
mod - query_delete_page.php

master 5ac64fb7

2014-12-22 19:20

Rafik Robeal


Improve manage filters page
mod - query_view_page.php

master 35049837

2014-12-22 19:16

Rafik Robeal


Merge branch 'master' of https://github.com/mantisbt/mantisbt into modern-ui-2
mod - core/gpc_api.php
mod - core/html_api.php

mantishub-1.3.x-20150418_1638 8813d5f1

2014-12-22 18:29

Victor Boctor


Fix for manage_user_page time in the future (0017980)

Fixes 0017980

This is at least a temporary fix.
mod - admin/schema.php

mantishub-1.3.x-20150418_1638 fa2d9283

2014-12-21 20:59

Victor Boctor


Merge remote-tracking branch 'upstream/master' into mantishub-1.3.x
mod - .mailmap
mod - account_prefs_update.php
mod - admin/check/check_i18n_inc.php
mod - admin/install.php
mod - admin/schema.php
mod - config_defaults_inc.php
mod - core.php
mod - core/date_api.php
mod - core/gpc_api.php
mod - core/html_api.php
mod - core/print_api.php
mod - docbook/Admin_Guide/en-US/config/timezone.xml
mod - scripts/travis_before_script.sh

master 1bb9acd0

2014-12-21 20:55

vboctor


Hide 'Manage Global Profiles' menu when disabled

Fixes 0017978
Affected Issues: 0017978
mod - core/html_api.php

mantishub-1.3.x-20150418_1638 07eb2c05

2014-12-21 20:32

Victor Boctor


Pickup Csv_import config page fix
mod - plugins/Csv_import

master 10a62f96

2014-12-21 15:57

Rafik Robeal


Fix MantisGraph plugin config form action url
mod - plugins/MantisGraph/pages/config.php

master bcf176f5

2014-12-21 15:46

Rafik Robeal


Fix markup in manage user edit page
mod - manage_user_edit_page.php

mantishub-1.3.x-20150418_1638 7e260de8

2014-12-21 13:18

Victor Boctor


Re-add Csv-import from MantisHub organization
add - plugins/Csv_import

mantishub-1.3.x-20150418_1638 ddb5c926

2014-12-21 13:15

Victor Boctor


Remove csv import plugin from mantisbt-plugins organization
mod - .gitmodules
rm - plugins/Csv_import

master 61c8548c

2014-12-21 06:46

dregad


Fix system warning in gpc_get_string_array()

The fix for issue 0017640 did not consider that the value returned by
gpc_get() is not necessarily an array - it can be the default value
(e.g. null) causing PHP to throw an 'Invalid argument supplied for
foreach()' warning.

Fixes 0017967 (ported from 1.2.x)
Affected Issues: 0017640, 0017967
mod - core/gpc_api.php