Security Update: http-authentication Plugin

Posted on Aug 24
2 comments

I just tagged version 1.2 of the http-authentication plugin, which includes a security fix. Users of previous versions are urged to upgrade.

Previously it was possible for one authorized user to impersonate another by forging their WordPress login cookie. A malicious user would need to be authorized via your external authentication mechanism first. Thanks to Mark Quinn for reporting this.

I apologize for the inconvenience. If you have any questions, post them here or, if they are security sensitive, email me.

Update: When you upgrade, please edit each user’s profile in WordPress to scramble his or her password in the database.

Comments

Comment from Bill on Jan 6

Hi, will you be updating the auth plugin for WordPress 2.0?

Or, maybe it’ll “just work?”

Thanks.

Comment from dwc on Jan 6

I’ll be updating the plugin soon. One person sent in a patch which should help, but I need to do some testing first.