The information in this wiki hasn't been maintained for a good while. Some of the projects described have since been deprecated.

In particular, the "Ushahidi Platform v3.x" section contains information that is often misleading. Many details about this version of Platform have changed since.

This website is an extraction of the original Ushahidi wiki into a static form. Because of that, functions like logging in, commenting or searching will not work.

For more documentation, please refer to

Security updates

Vulnerability: Forgotten password challenge guessable.

The forgotten password challenge uses a combination of user email address and timestamp from when they last logged in and then hashes this information using the standard password hash of the application.  This challenge is not stored anywhere, since it is possible to verify the hash by repeating the hashing operation after receiving the hash in the URL.  The application simply extracts the hash salt, retrieves the email address and last login time, and recomputes the hash.  Because of this approach, the hash's random salt does not add to the challenge's entropy in any way.  An attacker could simply guess the last time a user logged in along with their email address, select any salt they want, and then generate the appropriate hash.
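The flawed check next to a hardened one, as an added Python sketch (not Ushahidi's own PHP code). The salted SHA-256 helper is an assumed stand-in for the application's password hash, and all names and the in-memory store are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


def salted_hash(data, salt):
    # Assumed stand-in for the application's salted password hash:
    # the salt travels in the clear in front of the digest.
    return salt + "$" + hashlib.sha256((salt + data).encode()).hexdigest()


def flawed_verify(token, email, last_login):
    # Design described above: take the salt from the presented token,
    # recompute over email + last login, compare. No server-side secret
    # or stored state is involved, so the salt adds no entropy.
    salt = token.partition("$")[0]
    expected = salted_hash(f"{email}{last_login}", salt)
    return hmac.compare_digest(token.encode(), expected.encode())


class ResetTokens:
    """Hardened form: random token, only its hash stored, expiring, single-use."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._store = {}  # user id -> (sha256 of token, expiry time)

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._store[user_id] = (digest, now + self.ttl)
        return token  # sent to the user by email, never stored in the clear

    def redeem(self, user_id, token, now=None):
        now = time.time() if now is None else now
        entry = self._store.get(user_id)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._store[user_id]  # expired tokens are discarded
            return False
        if hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            del self._store[user_id]  # single use
            return True
        return False
```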

UTF8 Fixes
Some calls to escape HTML could not handle UTF8 characters. This has been corrected.

Map loading issues
GeoJSON used to load maps was failing to render if a deployment had reports without locations. These reports are now ignored.
Maps on individual report pages were not loading. The JS error causing this is now fixed.
OpenLayers TMS support wasn't included in 2.6. It has been reinstated to ensure the Cloudmade plugin works.

Custom forms
Fixed issues with loading custom form fields on deployments using table prefixes.

Fixed PHP errors when signing up for mobile alerts

Fixed "more information" links in the reports listing