Security


Single Vulnerability: Insecure session storage / Insecure cryptographic storage

Submitted: 30 April 2012

Advisory ID: SA-WEB-2012-004
Risk: Highly Critical
Platform: Ushahidi-Web

On April 27, 2012, Dennison Williams reported a security vulnerability in the Ushahidi web application. The vulnerability allows unauthorized users to gain admin access to Ushahidi deployments through a forged authentication cookie. Session data is stored in a cookie and, although the cookie is encrypted, the encryption key is never changed from the shipped default. As a result, any Ushahidi session cookie is valid and usable on any other Ushahidi installation.

This vulnerability is fixed in Ushahidi 2.3.1, which sets the encryption key on new installs and warns users who have not taken security measures. Alternatively, existing users can patch their deployment with the fix linked below.
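The following added example (not Ushahidi code) models why a shared default key makes cookie-stored sessions forgeable across installations, and what the 2.3.1 fix buys. It stands in an HMAC tag for the cookie encryption, since the property that matters is that cookie validity is bound to the installation's key. `DEFAULT_KEY` is a constructed placeholder for a key every unpatched install shares, not the real shipped value; `key_is_safe` is a hypothetical configuration check an operator could run against the value in `application/config/encryption.php` after applying the patch.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder: stands in for a key that ships identically in every
# unpatched installation. The real default is not reproduced here.
DEFAULT_KEY = "placeholder-shared-default-key"
KNOWN_BAD_KEYS = {DEFAULT_KEY, ""}


def seal_session(key: str, session: dict) -> str:
    """Serialise a session dict into a cookie whose validity is bound to `key`."""
    raw = json.dumps(session, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    tag = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def open_session(key: str, cookie: str):
    """Return the session dict if the cookie was sealed under `key`, else None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot time the tag check.
    if not hmac.compare_digest(expected, tag):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return None


def generate_key() -> str:
    """A per-installation key: 32 random bytes, hex-encoded."""
    return secrets.token_hex(32)


def key_is_safe(key, min_hex_len: int = 32) -> bool:
    """Hypothetical post-patch check: reject the shared default, empty or short keys."""
    if not isinstance(key, str) or key in KNOWN_BAD_KEYS:
        return False
    return len(key) >= min_hex_len and len(set(key)) > 1


def cross_install_accepts(minting_key: str, verifying_key: str) -> bool:
    """Does a cookie sealed on one install validate on another with `verifying_key`?"""
    cookie = seal_session(minting_key, {"user_id": 1, "role": "admin"})
    return open_session(verifying_key, cookie) is not None


if __name__ == "__main__":
    # Both installs on the shared default: a cookie from one is accepted by the other.
    print("unpatched pair accepts foreign cookie:", cross_install_accepts(DEFAULT_KEY, DEFAULT_KEY))
    # After setting a unique key on the verifying install, the same cookie is rejected.
    unique = generate_key()
    print("patched install accepts foreign cookie:", cross_install_accepts(DEFAULT_KEY, unique))
    print("default key passes config check:", key_is_safe(DEFAULT_KEY))
    print("generated key passes config check:", key_is_safe(unique))
```

The rejection in the second case is the whole effect of step 4 in the instructions below: once the key is unique to the deployment, a cookie minted anywhere else fails the tag check before its contents are ever read. Setting the key is not optional after applying the patch; with the default still in place the files alone change nothing.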

Instructions:

  • This vulnerability can be fixed by upgrading to 2.3.1 and setting a unique encryption key.
  • Users who can't do a full upgrade (i.e. if you are running an early Ushahidi version) can patch their install with the fix below:
    • Download and unzip patch_2.3_2012_004.zip, attached to this post
    • Upload and replace your current files in the folders that correspond to those in the patch.
    • Run the sql update file: sql/upgrade-2012-004.sql
    • IMPORTANT: Once the files are in place, edit application/config/encryption.php and set a unique encryption key
  • MD5: 2e18077e669950004c084478ef3a825f
  • Version: 2.3+
  • File: Download