We are issuing a security update for Ushahidi’s core platform. Please update your deployments with the most current security patch. (Our cloud-based service, Crowdmap, and all your Crowdmaps have already been updated.)
Security Update details:
SA-WEB-2012-002 – Ushahidi Web – Multiple Vulnerabilities
Some critical security vulnerabilities were discovered in the 2.2 release of Ushahidi. A fix has been created.
Advisory ID: SA-WEB-2012-002
Security Risk: Critical
Vulnerability: The Json controller allows downloading unapproved reports. The Json controller has SQL injection vulnerabilities. Markers and Json are still exposed on private deployments, exposing report details.
Patch your installation with the contents of this file (patch_2.2_2012_002.zip).
How to patch your deployment:
- Unzip the patch file.
- The files to change are stored in the conventional Kohana folder structure.
- Replace each corresponding file in your current deployment with the file from the patch.
If there was a patch in a controller file and another in a view file – the folder will appear as:
In your deployment, go to your application folder, then into the respective sub-folder (in this case the controllers folder) and replace your existing file_1.php with the one in the patch. Do the same for the file in the views folder.
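The replace-each-file step above, written out as an added shell example (not part of the Ushahidi advisory or the patch itself): it walks an unzipped patch laid out in the Kohana folder structure, backs up and records a diff of every file it overwrites, and then verifies that each deployed file matches the patch. The patch directory, deployment root and backup location are assumptions passed as arguments.

```shell
#!/bin/sh
# Apply an unzipped Ushahidi patch onto a deployment root. Each file in the
# patch directory (e.g. application/controllers/json.php) replaces the file at
# the same relative path under the deployment.
# Usage: apply_patch <unzipped_patch_dir> <deployment_root> [backup_dir]
# Directory layout and paths are assumptions for illustration.
apply_patch() {
    patch_dir="$1"
    deploy_root="$2"
    backup_dir="${3:-$deploy_root/.patch_backup}"
    # Every regular file in the patch; its path relative to the patch
    # directory is the path it replaces under the deployment.
    find "$patch_dir" -type f | while read -r src; do
        rel="${src#"$patch_dir"/}"
        dst="$deploy_root/$rel"
        if [ -f "$dst" ]; then
            mkdir -p "$backup_dir/$(dirname "$rel")"
            cp -p "$dst" "$backup_dir/$rel"
            # Keep a unified diff of what changed, for later review.
            diff -u "$dst" "$src" > "$backup_dir/$rel.diff" || true
        else
            echo "warning: $rel not present in deployment (new file?)" >&2
        fi
        mkdir -p "$(dirname "$dst")"
        cp "$src" "$dst"
        echo "replaced $rel"
    done
}

# Returns non-zero if any patched file differs from its deployed copy,
# so you can confirm the patch actually landed (or detect later drift).
verify_patch() {
    patch_dir="$1"
    deploy_root="$2"
    find "$patch_dir" -type f | while read -r src; do
        rel="${src#"$patch_dir"/}"
        if ! cmp -s "$src" "$deploy_root/$rel"; then
            echo "MISMATCH: $rel" >&2
            exit 1   # leaves the subshell; the pipeline then fails
        fi
    done
}
```

Run `verify_patch` again after any later deployment change to spot files that have silently reverted to the vulnerable version.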
If you have questions about the patch, you can ask on our Ushahidi developers mailing list, the Ushahidi community skype chat (add Heatherleson to join) or the forums. We also monitor github for any revisions or suggestions.
Special thanks to John Etherton for identifying a key issue and then issuing a patch.