Submitted: 1 May 2013
Advisory ID: CVE-2013-2025
Risk: Highly Critical
Platform: Ushahidi
Version: 2.5.X, 2.6.1

Description:

We discovered an exploitable cross-site scripting (XSS) issue in user-submitted content, logged against 2.6.1 at https://github.com/ushahidi/Ushahidi_Web/issues/1009. The 2.5.x line is affected as well (see Version above).

Instructions:

As always, we highly recommend updating to the latest version of the software, which covers these issues. If you cannot upgrade yet, apply the patch for your release line as follows:

  1. Download and unzip the patch file for your version, attached to this alert (check its md5 against the value listed below before you use it)
  2. Upload the unzipped files, replacing your current files in the folders that correspond to those in the patch
  3. Update your config.php with the new config settings: https://wiki.ushahidi.com/display/WIKI/Migrating+to+Ushahidi+2.7#MigratingtoUshahidi2.7-xss-config-settings

If you have a custom theme, update your theme to use the new helper functions. The core patch does not touch theme files, so a theme that still calls the raw PHP functions keeps its own output unescaped:

html::escape($input) - Escape HTML entities. Use this to replace calls to htmlentities()
html::strip_tags($input, $escape = TRUE) - Strip all tags. Escapes HTML entities too unless $escape is FALSE. Replace any use of strip_tags() with this function
html::clean($input) - Limit HTML tags to a whitelist of elements. Use this on any user-submitted data that is meant to carry markup, e.g. report description, title, etc.
You can see all the changes made to the default theme here: https://gist.github.com/rjmackay/5448126
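The script below is an added illustration of the theme migration, not code from Ushahidi or from the gist above. The `html` class in it is a minimal stand-in with the same signatures as the three helpers named in this advisory, so that the script runs without Kohana; its bodies (including the tag whitelist in clean()) are assumptions for the demo, and a real theme should call the helpers shipped in Ushahidi 2.7 instead. The report values are constructed sample input.

```php
<?php
// Added example, not Ushahidi code. Stand-in helpers with the advisory's
// signatures so the comparison runs stand-alone; bodies are assumptions.
class html
{
    // html::escape($input): escape HTML entities. ENT_QUOTES matters here:
    // htmlentities() with its pre-PHP-8.1 default flags leaves single quotes
    // alone, so a value echoed into a single-quoted attribute stays exploitable.
    public static function escape($input)
    {
        return htmlspecialchars((string) $input, ENT_QUOTES, 'UTF-8');
    }

    // html::strip_tags($input, $escape = TRUE): strip all tags, then escape.
    // Plain strip_tags() only removes complete tags; quotes and other
    // attribute breakers pass through untouched, hence escape-by-default.
    public static function strip_tags($input, $escape = TRUE)
    {
        $stripped = strip_tags((string) $input);
        return $escape ? self::escape($stripped) : $stripped;
    }

    // html::clean($input): keep only whitelisted elements. The whitelist is
    // an assumption for this demo. Attributes are dropped from the survivors
    // so event handlers cannot ride along on an allowed tag.
    public static function clean($input)
    {
        $allowed = '<p><br><b><i><strong><em><ul><ol><li>';
        $kept = strip_tags((string) $input, $allowed);
        return preg_replace('/<(\/?)(\w+)[^>]*>/', '<$1$2>', $kept);
    }
}

// Constructed sample report, shaped like what a submitter could type in.
$report = array(
    'incident_title'       => '" onmouseover="alert(1)',
    'incident_description' => '<b onclick="alert(1)">bold</b><script>alert(2)</script>',
);

// Old theme pattern: raw strip_tags(). The title contains no tag, so it is
// returned unchanged and closes the title attribute early; the allowed <b>
// keeps its onclick attribute.
function render_old($report)
{
    return '<a href="#" title="' . strip_tags($report['incident_title']) . '">'
         . strip_tags($report['incident_description'], '<b>')
         . '</a>';
}

// New theme pattern using the helpers this advisory asks themes to adopt.
function render_new($report)
{
    return '<a href="#" title="' . html::strip_tags($report['incident_title']) . '">'
         . html::clean($report['incident_description'])
         . '</a>';
}

echo "old: ", render_old($report), "\n";
echo "new: ", render_new($report), "\n";
```

Run with `php migrate_demo.php` (file name is arbitrary). In the old output the title attribute is closed by the submitter's quote and a new onmouseover attribute follows it, and the bold element keeps its onclick; in the new output the quotes are entity-encoded so the attribute stays intact, and the bold element survives without any attributes. When you port a template, treat every echo of report, comment or user profile data the same way: html::escape or html::strip_tags for values that must be plain text, html::clean only where markup is intentionally allowed.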

Download (ZIP) and md5 checksum; verify the checksum of the file you downloaded (for example with md5sum) before uploading it to your server:

ushahidi_2.5.x_secfix_2013-001.zip  md5: 12cf063d2d87ea7794d52da708e3f1c3
ushahidi_2.6.x_secfix_2013-001.zip  md5: befa02b7d80974e47310dc77578f71f6