imap authentication plugin 0.6
Mark Quinn pointed out back in August, that the imap authentication plugin suffered from a rather serious security risk. If you knew that a site was using it, you could create cookie that would let you in without having to know a user’s real password. (You did have to know a valid user’s account name).
So I’ve added a Secret Key to the imap options. This key is used to secure the cookie that is created, and will make it almost impossible for outsiders to create cookie to fool wordpress into letting them in. Users with a valid cookie (but they want to fake a login as a different user) will have to do a time consuming brute force attack of their own cookie to determine the Secret Key. (which they could then use to create a valid login cookie for another user account)
December 4th, 2005 at 11:11 pm
[...] Update #3: Version 0.6 [...]
March 8th, 2007 at 12:19 pm
hello, thank for the update. the plugin works well with 2.0 version, but not in 2.1
has wordpress change his scheme of authentification? thank you for your answer
March 9th, 2007 at 1:53 pm
I’m surprise that it worked for 2.0 at all! Yes, there’s probably some update on the WP API side that needs to be accounted for, but I don’t have a WP 2.1 install to test the plugin with
(yes, I know I should upgrade my blog to 2.1, but I plead no-free-time)
June 23rd, 2007 at 2:27 am
This plugin is exactly what I was looking for. I downloaded 2.2 today and it also doesn’t work with that, either. Do you have any plans to update it soon? If not, I may take a crack at updating it (I haven’t written a Wordpress plugin before; but, I’ve done enough PHP that I don’t expect it to be a terrible problem).