Security Update: http-authentication Plugin

I just tagged version 1.2 of the http-authentication plugin, which includes a security fix. Users of previous versions are urged to upgrade.

Previously it was possible for one authorized user to impersonate another by forging their WordPress login cookie. A malicious user would need to be authorized via your external authentication mechanism first. Thanks to Mark Quinn for reporting this.

I apologize for the inconvenience. If you have any questions, post them here or, if they are security sensitive, email me.

Update: When you upgrade, please edit each user’s profile in WordPress to scramble his or her password in the database.


Comment from Bill on

Hi, will you be updating the auth plugin for WordPress 2.0?

Or, maybe it’ll “just work?”


Comment from dwc on

I’ll be updating the plugin soon. One person sent in a patch which should help, but I need to do some testing first.