Security Update for Ushahidi

Ushahidi
Apr 4, 2012

We are issuing a security update for Ushahidi's core platform. Please update your deployments with the most current security patch. (Our cloud-based service, Crowdmap, and all your Crowdmaps were updated.)

Security Update details:

SA-WEB-2012-002 – Ushahidi Web – Multiple Vulnerabilities

Some critical security vulnerabilities were discovered in the 2.2 release of Ushahidi. A fix has been created.

Advisory ID: SA-WEB-2012-002
Project: Ushahidi-Web
Version: 2.2
Date: 2012-04-04
Security Risk: Critical

Vulnerabilities:
    The Json controller allows downloading unapproved reports.
    The Json controller has SQL injection vulnerabilities.
    Markers and Json are still exposed on private deployments, exposing report details.

Fix/Patch: Patch your installation with the contents of this file (patch_2.2_2012_002.zip).
Instructions: Unzip patch_2.2
MD5: 9ec54351b1c4a978999b0f2d2566ad73

How to patch your deployment:

Unzip the patch file

The files to change are stored in the conventional Kohana folder structure.

Take each file in the patch and use it to replace the corresponding file in your current deployment.

Example: If there was a patch in a controller file and another in a view file, the folder will appear as:

application
    controllers
        file_1.php
    views
        file_2.php

In your deployment, go to your application folder, then into the respective folder (in this case the controllers folder) and replace your existing file_1.php with the one in the patch. Do the same for the file in the views folder.
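The patching steps above, as an added shell example that is not part of Ushahidi's advisory or code base: it checks the archive against the MD5 published in the advisory before anything is unpacked, then mirrors the patch's Kohana folder layout onto the deployment, refusing to touch a deployment that lacks a counterpart for any patched file and keeping a timestamped backup of every file it replaces. The script name, the `/var/www/ushahidi` deployment path and the assumption that `application/` sits at the root of the unpacked archive are illustrative, not taken from the advisory.

```shell
#!/bin/sh
# Added example (not Ushahidi's own tooling): verify a patch archive against the
# MD5 published in the advisory, then copy its files over a deployment while
# keeping a backup of each file that gets replaced. Paths are assumptions for
# illustration; the MD5 constant below is the one quoted in the advisory.
set -eu

ADVISORY_MD5="9ec54351b1c4a978999b0f2d2566ad73"

# Print the MD5 of a file using whichever tool the host has
# (md5sum on Linux, md5 on BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Succeed only when the archive's MD5 matches the expected value.
verify_md5() {
    archive="$1"; expected="$2"
    actual=$(file_md5 "$archive")
    [ "$actual" = "$expected" ]
}

# Copy every regular file under the unpacked patch tree (e.g.
# application/controllers/file_1.php) onto the same relative path under the
# deployment root, saving each original as <file>.bak.<timestamp>.
apply_patch_tree() {
    patch_dir="$1"; deploy_dir="$2"
    # First pass: every patch file must already exist in the deployment,
    # otherwise the archive was probably unpacked at the wrong level.
    find "$patch_dir" -type f | while read -r src; do
        rel="${src#"$patch_dir"/}"
        if [ ! -f "$deploy_dir/$rel" ]; then
            echo "no existing file for $rel under $deploy_dir" >&2
            exit 1
        fi
    done || return 1
    # Second pass: back up and replace.
    stamp=$(date +%Y%m%d%H%M%S)
    find "$patch_dir" -type f | while read -r src; do
        rel="${src#"$patch_dir"/}"
        dst="$deploy_dir/$rel"
        cp -p "$dst" "$dst.bak.$stamp"
        cp "$src" "$dst"
        echo "replaced $rel (backup: $dst.bak.$stamp)"
    done
}

# Full procedure: refuse to unpack anything whose MD5 does not match, then
# apply the unpacked tree. Assumes application/ is at the root of the archive;
# if the archive adds a top-level folder, the first pass above will report it.
patch_deployment() {
    archive="$1"; expected="$2"; deploy_dir="$3"
    verify_md5 "$archive" "$expected" || {
        echo "MD5 mismatch for $archive; not applying" >&2
        return 1
    }
    work=$(mktemp -d)
    unzip -q "$archive" -d "$work"
    apply_patch_tree "$work" "$deploy_dir"
    rm -rf "$work"
}

# Usage (skipped when run without arguments):
#   sh apply_patch.sh patch_2.2_2012_002.zip "$ADVISORY_MD5" /var/www/ushahidi
if [ "$#" -eq 3 ]; then
    patch_deployment "$1" "$2" "$3"
fi
```

The first pass is the part worth keeping even if the rest is done by hand: a patch whose files have no counterpart in the deployment is a sign the archive was unpacked one directory too deep or too shallow, and copying it anyway leaves the vulnerable files in place while appearing to succeed.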

Questions

If you have questions about the patch, you can ask on our Ushahidi developers mailing list, the Ushahidi community Skype chat (add Heatherleson to join) or the forums. We also monitor GitHub for any revisions or suggestions. Special thanks to John Etherton for identifying a key issue and then issuing a patch. Thank you.