Security

Security Advisories posted by the Ushahidi team covering the Ushahidi Platform, Crowdmap & SwiftRiver.

Ushahidi is an open source software project. We aim to make the platform as secure as possible. It is your responsibility to train your users, test security and build privacy requirements for your project. While we try to create great software, the old adage applies: sometimes there will be bugs; we will fix them and advise you.

  • Vulnerability: Forgotten password challenge guessable Submitted: 20 November 2012 Advisory ID: SA-WEB-2012-008 Risk: Highly Critical Platform: Ushahidi (Web) Fixes a security issue discovered by Timothy D. Morgan. Forgotten password challenges were guessable because they were derived from the user's last login time and email address, both of which an attacker can learn or guess. Tokens are now generated as an HMAC of the login time and email address, keyed with a salt and a secret key used only for these tokens. Reference: CVE-2012-5618. Instructions: This vulnerability can be …
  • Multiple Vulnerabilities: SQL Injections, XSS, API data exposure Submitted: 01 August 2012 Advisory ID: SA-WEB-2012-007 Risk: Highly Critical Platform: Ushahidi-Web The following security issues are fixed in v2.5 with the help of OWASP Portland: Multiple SQL injections. Discovered by postmodern, Kees Cook and Timothy D. Morgan. Multiple SQL injections have been found and the affected queries fixed. CVE-2012-3468 – issues discovered by …
  • Single Vulnerability: XSS Submitted: 30 May 2012 Advisory ID: SA-WEB-2012-006 Risk: Highly Critical Platform: Ushahidi-Web Details of an XSS exploit were posted on Exploit DB some time ago (http://www.exploit-db.com/exploits/18737/). This was initially fixed with a quick patch to the user admin view. However, XSS vulnerabilities were still present in other views and fields. The affected views have been patched with additional output filtering to prevent XSS. Instructions: This …
  • Single Vulnerability: Unauthorized access to admin API functions Submitted: 09 May 2012 Advisory ID: SA-WEB-2012-005 Risk: Highly Critical Platform: Ushahidi-Web A vulnerability has been discovered in the Ushahidi Admin API. The vulnerability allows unauthorized users to access the admin API functions, including viewing non-approved reports. Any user with the member role was being allowed access, rather than only admin roles. Who is affected: All deployments that have users with the member role …
  • Single Vulnerability: Insecure session storage / Insecure cryptographic storage Submitted: 30 April 2012 Advisory ID: SA-WEB-2012-004 Risk: Highly Critical Platform: Ushahidi-Web On April 27, 2012, Dennison Williams reported a security vulnerability with the Ushahidi web application. The vulnerability allows unauthorized users to gain admin access to Ushahidi deployments through a forged authentication cookie. Session data was stored in a cookie, and while it was encrypted, the encryption key is never changed. This leads …
  • Multiple Vulnerabilities: CSRF and XSS Submitted: 13 April 2012 Advisory ID: SA-WEB-2012-003 Risk: Critical Platform: Ushahidi-Web On April 13, 2012, Exploit DB reported two security vulnerabilities with the Ushahidi web application. The two issues discovered were Cross-site Request Forgery and Cross-site Scripting. In our investigation, we found that the patch had been completed but had not been added to download.ushahidi.com. These changes have been incorporated. Instructions: Download and unzip patch_2.2.1, attached to this …
  • Multiple Vulnerabilities: JSON controllers; exposed report details Submitted: 03 April 2012 Advisory ID: SA-WEB-2012-002 Risk: Critical Platform: Ushahidi-Web Some critical security vulnerabilities were discovered in the 2.2 release of Ushahidi. Vulnerabilities: The JSON controller allows downloading unapproved reports. The JSON controller has SQL injection vulnerabilities. Markers and JSON are still exposed on private deployments, exposing report details. Instructions: Upgrade to the latest platform release, version 2.2.1, or download and apply the patch supplied with this post, replacing the current files …
  • Multiple Vulnerabilities: HTML injection into web server responses Submitted: 09 March 2012 Advisory ID: SA-WEB-2012-001 Risk: Highly Critical Platform: Ushahidi-Web We were alerted to the fact that it was possible to inject HTML into the web server's response and alter the content shown to the end user. Instructions: Unzip patch.zip and upload the files to your installation, replacing each file in the appropriate directory. MD5: 5a0180dddb8a75ccc402dc36bc5d7ff1 Version: 2.1.0 File: Download
  • Single Vulnerability: Unapproved reports show up in search Submitted: 12 December 2011 Advisory ID: USHAHIDI-SA-WEB-2011-002 Risk: Critical Platform: Ushahidi-Web Instructions: Replace /application/controllers/search.php with this file. MD5: 2b2d2d09b44608ea669b35c8c4c29f11 Version: 2.1.0
  • Single Vulnerability: Cross Site Scripting (XSS) Submitted: 10 June 2011 Advisory ID: USHAHIDI-SA-WEB-2011-001 Risk: Moderately Critical Platform: Ushahidi-Web We were recently contacted by Gjoko Krstic from the Zero Science Lab about a vulnerability in the Admin dashboard. This vulnerability allows a specially crafted URL to inject script into the dashboard page. A patch has been posted and we recommend that you update your dashboard file immediately. MD5: Version: 2.0.1 Security patch: http://dev.ushahidi.com/issues/show/2195
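The point of SA-WEB-2012-008 above is easy to miss in a one-line summary: a password-reset token computed only from values an attacker can observe (the account's email address and last login time) is not a secret at all, because the attacker can run the same computation. The following is an added example, written for this page and not Ushahidi's own code, contrasting that weak construction with the keyed-HMAC approach the advisory describes. The hash function (SHA-256), the `issued_at.mac` token format, the one-hour lifetime, the per-purpose key `RESET_TOKEN_KEY` and the sample user record are all assumptions made for the illustration; the advisory does not show the exact construction Ushahidi shipped.

```python
"""Added example (not Ushahidi code): guessable reset tokens vs. keyed HMAC tokens.

Assumptions (hypothetical, not taken from the advisory): SHA-256, a token format
of "<issued_at>.<hex mac>", a 3600 s lifetime, and a secret key that exists only
for reset tokens. USER below is constructed sample data."""
import hashlib
import hmac
import secrets

# Constructed sample record: an email address is public, and a last-login time
# is often visible in a profile or inferable from activity.
USER = {"email": "alice@example.org", "last_login": 1353369600}

# Per-deployment secret used for nothing but reset tokens (assumption).
RESET_TOKEN_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 3600  # seconds (assumption)


def weak_token(email: str, last_login: int) -> str:
    """Pre-fix style: an unkeyed digest over observable values.
    Anyone who knows (or guesses) the inputs can recompute it."""
    return hashlib.sha256(f"{email}:{last_login}".encode()).hexdigest()


def attacker_guess_weak(email: str, last_login_guess: int) -> str:
    """The attacker simply runs the same public function with guessed inputs."""
    return weak_token(email, last_login_guess)


def strong_token(email: str, last_login: int, issued_at: int,
                 key: bytes = RESET_TOKEN_KEY) -> str:
    """Post-fix style: HMAC over the same fields plus an issue time, keyed with
    a secret only the server holds. Without the key the MAC cannot be recomputed."""
    msg = f"{email}:{last_login}:{issued_at}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_strong_token(token: str, email: str, last_login: int, now: int,
                        key: bytes = RESET_TOKEN_KEY) -> bool:
    """Recompute the MAC for this user and compare in constant time.
    Rejects malformed, expired, future-dated, or re-bound tokens."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_LIFETIME:
        return False
    msg = f"{email}:{last_login}:{issued_at}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    # The weak token is fully predictable from public inputs.
    print("weak token guessed:",
          attacker_guess_weak(USER["email"], USER["last_login"])
          == weak_token(USER["email"], USER["last_login"]))
    # The keyed token verifies for its owner but not with a guessed key.
    t = strong_token(USER["email"], USER["last_login"], issued_at=1353370000)
    forged = strong_token(USER["email"], USER["last_login"], 1353370000, key=b"\x00" * 32)
    print("legit verifies:", verify_strong_token(t, USER["email"], USER["last_login"], 1353370100))
    print("forged verifies:", verify_strong_token(forged, USER["email"], USER["last_login"], 1353370100))
```

Two properties of the keyed version are worth noting. Because the last login time is part of the MAC input, a token silently stops verifying as soon as the user logs in again, which is a cheap form of single-use behaviour. And `hmac.compare_digest` matters as much as the HMAC itself: a plain `==` on the hex string would leak, through timing, how many leading characters of a guess are correct. A server-side random token with an expiry column is an equally sound and often simpler alternative; the mistake the advisory corrects is deriving the secret from non-secret inputs, not the choice of HMAC over storage.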