Securing Mantis

Any Mantis users out there running older versions should consider upgrading immediately. Recently crackers have been using an exploit in pre-1.1.4 versions of Mantis to execute arbitrary code via a sort parameter: the value reaches a create_function call in manage_proj_page.php, so whatever the attacker puts in the parameter is compiled as PHP.

See the CVE on Mitre and details in the Mantis forums.

It would appear that this exploit is used to create a cron job under the username of the web server. When fired, the cron job generates a new “mc-root” directory within the Mantis tree which would appear to contain some kind of root kit or similar.
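As an added illustration of the bug class described above (this is not Mantis code, and the column names, function names and sample rows are assumptions made for the example), the following shows how an untrusted sort parameter should be handled: resolved against a fixed allow-list and used only as an array key, never as PHP source.

```php
<?php
declare(strict_types=1);

// Added example, not Mantis code. The unsafe shape the post describes looks
// roughly like
//     $cmp = create_function('$a,$b', "return strcmp(\$a['$sort'], \$b['$sort']);");
// with $sort taken straight from the request, so a value that closes the
// string literal becomes code. The fix is to never build code from input.
// (create_function is deprecated in PHP 7.2 and removed in PHP 8.)

/** Columns a caller may sort by (assumed names); everything else is rejected. */
const ALLOWED_SORT_COLUMNS = ['id', 'last_updated', 'priority', 'summary'];

/**
 * Return the column to sort by, or null if the requested value is not on the
 * allow-list. Comparison is strict (no case folding, no trimming), so the
 * result is always one of the constants above.
 */
function resolve_sort_column(?string $requested, string $default = 'last_updated'): ?string
{
    if ($requested === null || $requested === '') {
        return $default;
    }
    return in_array($requested, ALLOWED_SORT_COLUMNS, true) ? $requested : null;
}

/**
 * Sort rows by an allow-listed column with a closure; the column name is only
 * ever used as an array key.
 */
function sort_rows(array $rows, string $column, string $direction = 'ASC'): array
{
    if (!in_array($column, ALLOWED_SORT_COLUMNS, true)) {
        throw new InvalidArgumentException("sort column not allowed: $column");
    }
    $dir = (strtoupper($direction) === 'DESC') ? -1 : 1;
    usort($rows, static function (array $a, array $b) use ($column, $dir): int {
        return $dir * ($a[$column] <=> $b[$column]);
    });
    return $rows;
}

// Constructed sample rows standing in for issue records.
$rows = [
    ['id' => 3, 'priority' => 20, 'last_updated' => 1220000000, 'summary' => 'login page'],
    ['id' => 1, 'priority' => 50, 'last_updated' => 1219000000, 'summary' => 'crash on save'],
    ['id' => 2, 'priority' => 10, 'last_updated' => 1221000000, 'summary' => 'typo'],
];

// Constructed request values: a valid column, an empty value (falls back to
// the default), and a string that is not a column name and is simply rejected.
foreach (['priority', '', "id'); // not a column"] as $requested) {
    $column = resolve_sort_column($requested);
    if ($column === null) {
        fwrite(STDERR, 'rejected sort parameter: ' . var_export($requested, true) . "\n");
        continue;
    }
    $sorted = sort_rows($rows, $column, 'DESC');
    echo "sorted by $column: " . implode(', ', array_column($sorted, 'id')) . "\n";
}
```

Run with `php sort_example.php`: the first request sorts by priority (ids 1, 3, 2), the empty one falls back to last_updated (ids 2, 3, 1), and the third is refused before it can touch any code path. The point is that the request value only selects among constants the application already knows; it never becomes part of an expression the interpreter evaluates.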

In addition to upgrading, I recommend adding the following to your Mantis config_inc.php if you do not run an open-access Mantis system:

#############################
# Signup and Lost Password
#############################

# --- signup ----------------------

# Allow users to sign up for their own accounts.
# Mail settings must be correctly configured for this to work.
$g_allow_signup = OFF;

# Maximum number of login attempts with a wrong password before
# the account is locked.
#
# When locked, the password must be reset (lost password).
# The counter resets to zero on each successful login.
# Set to OFF to disable this control.
$g_max_failed_login_count = 3;
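Beyond upgrading and tightening the configuration, it is worth checking whether an installation was already hit. The post mentions two traces: a directory named “mc-root” inside the Mantis tree and a cron job owned by the web server account. The following CLI script, added here as an example and not part of Mantis, looks for both. The “mc-root” name and the idea of a web-server crontab come from the post; the spool directories, the default user name www-data and the script file name are assumptions that will need adjusting for other systems.

```php
<?php
declare(strict_types=1);

// Added example, not Mantis code: a read-only check for the traces described
// in the post. Spool directories and the default user are assumptions.

/** Recursively list directories under $root whose basename is $name. */
function find_named_dirs(string $root, string $name = 'mc-root'): array
{
    $hits = [];
    if (!is_dir($root)) {
        return $hits;
    }
    // CATCH_GET_CHILD keeps the walk going past subdirectories we cannot read.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD
    );
    foreach ($it as $path => $info) {
        if ($info->isDir() && $info->getFilename() === $name) {
            $hits[] = $path;
        }
    }
    sort($hits);
    return $hits;
}

/**
 * Per-user crontab files for $user that exist on this host. Reading them
 * usually needs root; existence alone is worth following up when the web
 * server account is not supposed to have any cron entries.
 * The spool locations are assumptions covering common Linux layouts.
 */
function crontab_files_for(
    string $user,
    array $spoolDirs = ['/var/spool/cron/crontabs', '/var/spool/cron']
): array {
    $found = [];
    foreach ($spoolDirs as $dir) {
        $candidate = rtrim($dir, '/') . '/' . $user;
        if (file_exists($candidate)) {
            $found[] = $candidate;
        }
    }
    return $found;
}

// Usage: php check_mantis.php /path/to/mantis [web-server-user]
if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === realpath(__FILE__)) {
    $root = $argv[1] ?? '.';
    $user = $argv[2] ?? 'www-data';
    $dirs = find_named_dirs($root);
    $crons = crontab_files_for($user);
    foreach ($dirs as $dir) {
        echo "suspicious directory: $dir\n";
    }
    foreach ($crons as $file) {
        echo "crontab present for $user: $file\n";
    }
    if ($dirs === [] && $crons === []) {
        echo "no mc-root directory under $root and no crontab file for $user\n";
    }
    exit(($dirs === [] && $crons === []) ? 0 : 1);
}
```

The script exits non-zero when it finds anything, so it can be dropped into a periodic check. A hit on either trace is a reason to treat the host as compromised and rebuild it, not merely to delete the directory: the post describes the payload as something resembling a root kit, and a cron entry that recreates it is exactly the persistence mechanism that a quick clean-up would miss.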

Mantis 1.1.0 Released

I’m a big fan of the Mantis Issue Tracker, an open source project in PHP. I have been using it for years. Version 1.1.0 was finally released this last week and includes some very nice usability improvements.

The new time tracking system, though simple, should actually be quite powerful. “Out of box” inclusion of MantisConnect will also be of interest to anyone wanting tighter integration with external applications or their favorite IDE.

Mantis State Plugin

For the longest time now I’ve wanted a view in Mantis that could show me, at a glance, what’s receiving attention and what’s falling through the cracks.

Vincent Debout has recently released an excellent plugin manager for Mantis, so I’ve attempted to whip something up. The Mantis State plugin contains a matrix view listing issues left-to-right, top-to-bottom in order of last update. Font size indicates priority. Blinking issues are severe.

Right now this probably works well for smaller projects, but it could get difficult to view with a large number of issues. It would be nice if Mantis’ current filtering system could plug into this.

mantis-state-sample.png

You can see from this sample view that one of our projects has a number of items reported sometime back that are not getting looked at. Oops.

If you’d like to test it out, feel free to download an early alpha version here: Mantis State

It includes some simple Japanese localization.

Update: Received a request last week to update the broken uninstaller. Link above updated as of September 2008.