ArcticDesk v1.2.5 Maintenance Release

We are pleased to announce the stable release of ArcticDesk v1.2.5. The latest maintenance release for the 1.2.x series brings many bug fixes and useful enhancements. The release also addresses some important security issues as outlined below, and thus we recommend to upgrade as soon as possible. The full changelog can be found at the end of this announcement.

Security Fixes

Case: AD-751
Type: Path traversal exploit
Severity: Important
Credit: Patrick at Rack911.net
Description:
By following a carefully crafted URL, it is possible to access local files on the server and view sensitive information.

Case: AD-750
Type: Non-persistent XSS attack
Severity: Medium
Credit: Wong Chieh Yie (@wcypierrenet)
Description:
Using a carefully crafted link, it is possible to perform a cross-site scripting (XSS) attack through the frontend interface. 

Case: AD-753
Type: Blind SQL injection
Severity: Medium
Credit: Wong Chieh Yie (@wcypierrenet)
Description:
By following a carefully crafted URL in the admin interface, it is possible to ask the database true or false questions and determine the answer based on the response.

Changelog

New Features
(AD-602) - Added option to delete attachments
(AD-670) - Added the ticket reply options box to the open new ticket page
(AD-687) - Added option to allow only logged in users to open a ticket
(AD-694) - Added ability to disable user registration
(AD-735) - Added Chrome notifications

Enhancements
(AD-523) - Email piping and download now checks all the email addresses in the header (TO, CC, BCC) to see if one of them is a department email
(AD-623) - Added operator panel error messages for when SMTP is misconfigured or was unable to send an email
(AD-667) - Added option to consume all tickets in email download inbox rather than checking TO address
(AD-695) - Added a check to ensure the uploads directory is writeable when changing it
(AD-700) - The to-do widget now makes use of AJAX
(AD-707) - Now stores the full email in the email log, before any clipping
(AD-715) - The entire row in the ticket grid is now clickable for selecting
(AD-721) - When the user name is unknown for an email ticket, now uses their email address
(AD-728) - Applied word-wrap on ticket replies to avoid UI issues when long strings used.
(AD-731) - Now require ticket attachments to complete uploading before a reply can be posted

Bug Fixes
(AD-616) - Fixed blank page on ticket submission when SMTP is misconfigured
(AD-682) - Fixed issue with delete download button
(AD-684) - Tickets API: Status and Priority now allow multiple values again
(AD-685) - Added specific error when trying to add a sub user that is already a sub user themselves
(AD-688) - Fixed issue where the include operator name in ticket email option incorrectly added the user name
(AD-689) - Fixed issue that stopped email addresses being added to departments that currently have none
(AD-690) - Fixed issue where some file attachments had their file size appended to the file when downloaded
(AD-691) - Fixed issue where PHPMailer clashes if already installed on the server
(AD-692) - Fixed issue where in some cases POP emails would not successfully delete from the server
(AD-697) - Fixed the to-do widget on the dashboard
(AD-698) - Fixed issue that stopped the IP address being recorded on new frontend tickets
(AD-699) - Fixed issue where the send reply button appeared under add note under certain conditions
(AD-701) - Fixed issue that stopped the ticket grid refresh interval saving
(AD-702) - Can now use "&" in passwords without any issue
(AD-703) - Fixed issue where email notification would just say Array when the reply was empty
(AD-704) - Fixed issue that stopped email addresses being deleted from departments
(AD-705) - No longer using "A staff member" when you have used the include operator name option and opened a ticket from web
(AD-706) - Fixed issue with some inline email attachments not showing
(AD-710) - Ticket reply preview box no longer shows draft messages
(AD-711) - Fixed issue where ticket reply preview would break when reply contains long strings of HTML tags
(AD-712) - Fixed issue with assign to operator dropdown on open new ticket
(AD-713) - Fixed PHP error when user opens ticket via email
(AD-714) - Fixed a 404 error within KCFinder
(AD-716) - Fixed issue where Twitter replies including a quote mark were not added properly
(AD-717) - Fixed issue with ticket filters not filtering for ticket type Twitter
(AD-719) - Fixed issue where installer claimed support and upgrades were expired when valid
(AD-720) - Fixed issue where open new ticket would email operators even when checkbox was unticked
(AD-724) - Modified retina images support to avoid 404 errors on images without a high resolution version
(AD-725) - Fixed issue where writing on both reply and note editors could break the UI
(AD-726) - Fixed issue where errors wouldn't show when adding a download
(AD-728) - Applied word-wrap on ticket replies to avoid UI issues when long strings used
(AD-730) - Fetching the user and operator avatar now uses SSL when enabled
(AD-732) - Fixed issue that allowed the same sub user to be added to two or more accounts
(AD-733) - Fixed SQL error on the SLA plans table for new installations
(AD-734) - Fixed issue where users could not login when the session ID was too long
(AD-737) - Fixed the dropdowns on the user ticket grid
(AD-738) - Fixed the lock button the ticket grid
(AD-739) - Fixed issue with the email new password to user option
(AD-740) - Fixed PHP error with add to canned responses in the ticket reply options
(AD-741) - Fixed issue that meant clicking merge field names did not add in to the editor on some pages
(AD-742) - Fixed issue where notifications would sometimes show up as undefined
(AD-743) - Fixed SQL error on the user tickets page in the frontend in certain conditions
(AD-744) - Using "&" in an email subject no longer converts it to "&"
(AD-745) - Fixed issue where parent account could not see sub user's tickets
(AD-746) - Fixed issue that let some invalid attachment types through when opening a ticket on the frontend
(AD-750) - Fixed a non-persistent XSS on the frontend search
(AD-751) - Fixed path traversal exploit
(AD-753) - Fixed blind SQL injection on the ticket grid