We are issuing a security update for Ushahidi’s core platform. Please update your deployments with the most current security patch. (Our cloud-based service, Crowdmap, and all your Crowdmaps have already been updated.)

Security Update details:

SA-WEB-2012-002 – Ushahidi Web – Multiple Vulnerabilities

Several critical security vulnerabilities were discovered in the 2.2 release of Ushahidi. A fix has been created.

Advisory ID: SA-WEB-2012-002
Project: Ushahidi-Web
Version: 2.2
Date: 2012-04-04
Security Risk: Critical
Vulnerability: The Json controller allows downloading unapproved reports. The Json controller has SQL injection vulnerabilities. Markers and Json are still exposed on private deployments, exposing report details.

Fix/Patch:
Patch your installation with the contents of this file (patch_2.2_2012_002.zip).

Instructions:

Unzip patch_2.2

MD5: 9ec54351b1c4a978999b0f2d2566ad73

How to patch your deployment:

  • Unzip the patch archive.
  • The files to change are stored in the conventional Kohana folder structure.
  • Replace each of your current files with the corresponding file from the patch.

Example:

If there was a patch in a controller file and another in a view file, the folder will appear as:

application
  controllers
    file_1.php
  views
    file_2.php

In your deployment, go to your application folder, then into the respective subfolder (in this case the controllers folder), and replace your existing file_1.php with the one from the patch. Do the same for the file in the views folder.
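The procedure above, as an added shell example (not part of the advisory or of Ushahidi's own tooling): it checks the downloaded archive against the MD5 published above before anything is unzipped, then copies every file from the unzipped patch to the same relative path in the deployment, keeping a .bak copy of each file it replaces so the change can be reverted. The archive name and MD5 come from the advisory; the directory layout used when exercising the functions is constructed for illustration, and the deployment path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not Ushahidi project code. Verifies the patch archive's MD5
# against the advisory value, then applies the unzipped patch tree to a
# deployment, backing up each replaced file as <file>.bak.
set -eu

# MD5 of patch_2.2_2012_002.zip as published in the advisory.
PATCH_MD5="9ec54351b1c4a978999b0f2d2566ad73"

# md5_of FILE: print the hex MD5 of FILE using whichever tool is present
# (md5sum on Linux, md5 -q on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_md5() {
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# apply_patch PATCH_DIR DEPLOY_DIR: for every file in the unzipped patch
# (e.g. application/controllers/file_1.php) copy it to the same relative
# path under DEPLOY_DIR, saving any existing file there as <file>.bak first.
apply_patch() {
    patch_dir=${1%/}
    deploy_dir=${2%/}
    find "$patch_dir" -type f | while IFS= read -r src; do
        rel=${src#"$patch_dir"/}
        dst="$deploy_dir/$rel"
        mkdir -p "$(dirname "$dst")"
        if [ -f "$dst" ]; then
            cp -p "$dst" "$dst.bak"
        fi
        cp "$src" "$dst"
        echo "replaced $rel"
    done
}

# Typical use (paths are placeholders for your own deployment):
#   verify_md5 patch_2.2_2012_002.zip "$PATCH_MD5" || { echo "MD5 mismatch"; exit 1; }
#   unzip -q patch_2.2_2012_002.zip -d ./patch
#   apply_patch ./patch /path/to/your/ushahidi
```

Run the three steps in order: if verify_md5 fails, the archive is not the one this advisory describes and should not be unzipped. apply_patch prints each relative path it replaced, which doubles as a record of what changed in the deployment.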

Questions

If you have questions about the patch, you can ask on our Ushahidi developers mailing list, the Ushahidi community Skype chat (add Heatherleson to join) or the forums. We also monitor GitHub for any revisions or suggestions.

Special thanks to John Etherton for identifying a key issue and then issuing a patch.

Thank you.