The (1) reports API and (2) administration feature in the comments API in the Ushahidi Platform before 2.5 do not require authentication, which allows remote attackers to generate reports and organize comments via API functions.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ushahidi_platform | Ushahidi | * | 2.4.1 (including) |
| Ushahidi_platform | Ushahidi | 1.0 (including) | 1.0 (including) |
| Ushahidi_platform | Ushahidi | 1.2 (including) | 1.2 (including) |
| Ushahidi_platform | Ushahidi | 2.0 (including) | 2.0 (including) |
| Ushahidi_platform | Ushahidi | 2.1 (including) | 2.1 (including) |
| Ushahidi_platform | Ushahidi | 2.2 (including) | 2.2 (including) |
| Ushahidi_platform | Ushahidi | 2.2.1 (including) | 2.2.1 (including) |
| Ushahidi_platform | Ushahidi | 2.3.1 (including) | 2.3.1 (including) |
| Ushahidi_platform | Ushahidi | 2.3.2 (including) | 2.3.2 (including) |
| Ushahidi_platform | Ushahidi | 2.4 (including) | 2.4 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html
References
- http://openwall.com/lists/oss-security/2012/08/09/5
- https://github.com/ushahidi/Ushahidi_Web/commit/13ca6f4
- https://github.com/ushahidi/Ushahidi_Web/commit/f67f4ad
- http://openwall.com/lists/oss-security/2012/08/09/5
- https://github.com/ushahidi/Ushahidi_Web/commit/13ca6f4
- https://github.com/ushahidi/Ushahidi_Web/commit/f67f4ad