| Submitted | 20 November 2012 |
| Advisory ID | SA-WEB-2012-008 |
| Risk | Highly Critical |
| Platform | Ushahidi (Web) |
Description:
Fixes security issue discovered by Timothy D. Morgan. Forgotten password challenges were guessable based on users last login and email address. Tokens are now generated based on a HMAC of login time and email address using a salt and secret key specifically for these tokens. Reference: CVE-2012-5618.
Instructions:
This vulnerability can be fixed by upgrading to 2.6.1. An upgrade to our this latest version is highly recommended.
| Download (ZIP; click to download) | md5 |
|---|---|
| Ushahidi v2.6 -> 2.6.1 | 6a1ef328dce55dfa2218fe81d1269a18 |
| Ushahidi v2.6 (full application) | 75eec9678f04ad9245c1b267bca55980 |
For users who cannot upgrade for whatever reasons, you can patch your install with the patches available below.
| Download (ZIP) | md5 |
|---|---|
| Patch for v2.6 and earlier | d4b3055ab60457155ae21231f3e286fc |