Security Update: http-authentication Plugin
I just tagged version 1.2 of the http-authentication plugin, which includes a security fix. Users of previous versions are urged to upgrade.
Previously it was possible for one authorized user to impersonate another by forging the other user's WordPress login cookie. A malicious user would first need to be authorized via your external authentication mechanism. Thanks to Mark Quinn for reporting this.
I apologize for the inconvenience. If you have any questions, post them here or, if they are security sensitive, email me.
Update: When you upgrade, please edit each user’s profile in WordPress to scramble his or her password in the database.
January 6th, 2006 at 1:45 pm
Hi, will you be updating the auth plugin for WordPress 2.0?
Or maybe it'll "just work"?
Thanks.
January 6th, 2006 at 3:29 pm
I’ll be updating the plugin soon. One person sent in a patch which should help, but I need to do some testing first.