I have updated the plugin to deal with this security issue.

Indeed. It could be ’secured’ a bit more by adding a secret keyword in login and check_password functions that is only known to the server admin. Unfortuantly this ‘fix’ is still open to offline brute force attacks.

I like the plugin, but I think it has some serious security issues (that come from the http-authentication plugin). Because the check passwords function simply sets both passwords to the username, the security can be bypassed with some trivially forged cookies. The value set as the password needs to be something that the user doesn’t already know.

Thanks for the reply, that was it, I had a space after the ‘?>’ on the last line. I had no idea PHP was so picky, I’m a perl guy myself. Anyway, great plugin, thanks a lot.

You probably find that the file has a blank line at the bottom, make sure that the closing ‘?>’ is the final two bytes in the file, and that there isn’t a newline afterwards.

I’m trying to set this up with WordPress 1.5.2, fresh install, nothing out of the ordinary and as soon as I enable the plugin, I get lines like this everywhere:

Warning: Cannot modify header information – headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 10

Warning: Cannot modify header information – headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 11

Warning: Cannot modify header information – headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 12

Warning: Cannot modify header information – headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 13

Any Idea? I have the same problem with the http authentication module.

If you’ve got a tool like netcat, or tcpdump, try and see what data is being sent to the mail server. I’m guessing that it’s probably trying to enable TLS and the server doesn’t support it.

It keeps saying I have an incorrect password.

I can telnet like this just fine:
telnet your.imap.host.com 143
* OK [CAPABILITY IMAP4REV1...]
1 LOGIN “your_username” “your_password”
1 OK [CAPABILITY...] … User your_username authenticated

I have {my.imap.host.com:143}INBOX as my mailbox and no user suffix, yet it doesn’t work.

Any ideas?

[...] Through Photo Matt, here are two auth plugins which are interesting: * HTTP auth * IMAP auth

 
Leave a Reply [...]

FYI for readers, it’s in the Plugin Repository here:

http://svn.wp-plugins.org/imap-authentication/trunk/