Evaluating a PHPMailer Vulnerability - 2007-07-15 22:13 - thraxisp
A report was submitted to the Mantis team this week describing a vulnerability in the PHPMailer class. This class is used by Mantis to send notification emails for issue updates.

The exploit takes advantage of a hole in how PHP implements the internal interface to the sendmail MTA. The setting for the sender address can be used to gain access to system resources. This exploit is described in http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/ and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215 .

After reviewing the Mantis code, we determined that this vulnerability does not affect the operation of the tool. We read the sender address from configuration data. To use this exploit, someone would require administrator level access and/or direct access to the database. The probability of exploit is very low. A small patch will be added in the next release to prevent the problem completely.

In general, we recommend using the SMTP mode rather than the local sendmail implementation. Most platforms (Windows, especially) have problems with the internal PHP implementation of sendmail. The PHPMailer implementation of SMTP is more robust and slightly faster.
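As an added illustration (this is not code from PHPMailer or Mantis, and not the patch the post mentions): the class of flaw described above is a configured sender address that is interpolated into the sendmail command line without quoting, so shell metacharacters in that single setting reach the shell that runs sendmail. The function names and the exact command-line shape are assumptions made for the example, and the sample sender values are constructed; the code only builds and prints the command strings rather than running sendmail.

```php
<?php
// Added example, not PHPMailer's or Mantis's own code.
// Shows the sender-address-to-shell pattern and a hardened construction.
// Function names and the "-oi -f <sender> -t" argument shape are assumptions.

// Vulnerable pattern: whatever is configured as the sender is pasted straight
// into the command string that will be handed to a shell (e.g. via popen()).
function build_sendmail_cmd_unsafe(string $sendmailPath, string $sender): string
{
    return sprintf('%s -oi -f %s -t', $sendmailPath, $sender);
}

// Hardened pattern: reject anything that is not a plain mailbox address, and
// still quote it for the shell as defence in depth (FILTER_VALIDATE_EMAIL
// accepts some quoted local parts, so validation alone is not enough).
function build_sendmail_cmd_safe(string $sendmailPath, string $sender): string
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('sender is not a valid email address');
    }
    // $sendmailPath is assumed to come from trusted configuration, not user input.
    return sprintf('%s -oi -f %s -t', $sendmailPath, escapeshellarg($sender));
}

$sendmail = '/usr/sbin/sendmail';

// Constructed inputs: a normal address, and one carrying shell metacharacters.
$inputs = [
    'mantis@example.com',
    'mantis@example.com; echo injected',   // constructed hostile sender
];

foreach ($inputs as $sender) {
    echo "unsafe: ", build_sendmail_cmd_unsafe($sendmail, $sender), PHP_EOL;
    try {
        echo "safe:   ", build_sendmail_cmd_safe($sendmail, $sender), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "safe:   rejected (", $e->getMessage(), ")", PHP_EOL;
    }
}
```

Running it prints the unsafe command for the hostile sender with `; echo injected` sitting in the middle of the command line, which is exactly what a shell would execute as a second command; the hardened builder rejects that value outright, and for the legitimate address emits it single-quoted. The post's point about Mantis follows from the same observation: the sender only comes from configuration, so an attacker would already need administrator or database access to plant such a value.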


Mantis Job Board Launched - 2007-07-07 04:17 - vboctor
The Mantis Job Board ( http://mantisbt.edgeio.net/ ) allows the Mantis community to post their open positions on the Mantis website. This gives access to a huge community of developers, IT administrators, project managers, QA engineers and others. There is no limit with regards to the kind of jobs to be posted: part time, full time, consulting, contracting, etc. The jobs can be, but do not have to be, Mantis related.

The cost for posting a job is $30/month. That is $1 per day. So you get good value marketing your open position and at the same time support the Mantis development effort.

Mantis Users Directory reached 500 entries - 2007-07-05 15:23 - vboctor
Mantis Users Directory ( http://www.mantisbt.org/directory.php ) now has 500 registered companies and projects. Although it is a nice milestone for the directory, it is a very small fraction of the users out there. If your company or project is not registered yet, then go to the users directory page and click Submit. While submitting you can also provide a comment or testimonial like the ones shown at http://www.mantisbt.org/testimonials.php

InstantMantis 1.0.8 Released - 2007-07-04 01:18 - vboctor
An updated version of InstantMantis is now available for download from SourceForge. For more details about InstantMantis and how to download it, see the following page on the Wiki:

http://www.mantisbt.org/wiki/doku.php/mantisbt:instantmantis

Mantis Integration with Twitter - 2007-07-02 04:54 - vboctor
Mantis now has a twitter account ( http://twitter.com/mantisbt ) which will be used to publish updates relating to what is happening with Mantis. I've just updated the official bug tracker with the latest code from CVS which also integrates the ability for the bug tracker to automatically update a nominated twitter account with resolved bugs.

In addition to the ones posted by the bug tracker, I'll try to get into the habit of manually posting entries that may be interesting for the Mantis audience.

So go ahead and add the 'mantisbt' twitter account as your friend on twitter.

Mantis 1.0.8 Released - 2007-06-30 18:36 - vboctor
Mantis 1.0.8 is a maintenance release for the 1.0.x stable releases branch. This release was mainly focused on fixing an application error that caused users to sometimes get a blank screen and some minor fixes that were requested by packagers for Linux distributions. It is a recommended update for all 1.0.x users.

Mantis Logo - 2007-05-21 04:04 - vboctor
We have been working for some time on settling on a Mantis Logo and I think we are getting there (see http://www.mantisbt.org/logo/ ). The one we are currently using is more interesting than the previous one. However, we don't have the vector graphics for it and it is not very easy to work with for all variants of the logos that are needed (e.g. favicon, etc). Due to not being rectangular, it can sometimes take more space than I would like.

I've created an issue ( http://www.mantisbt.org/bugs/view.php?id=7994 ) to track the work in choosing the logo and to get feedback from Mantis users so that we can come up with a great Mantis logo.



Copyright © 2000 - 2008 Mantis Group