imap authentication plugin 0.6

Mark Quinn pointed out back in August, that the imap authentication plugin suffered from a rather serious security risk. If you knew that a site was using it, you could create cookie that would let you in without having to know a user’s real password. (You did have to know a valid user’s account name).

So I’ve added a Secret Key to the imap options. This key is used to secure the cookie that is created, and will make it almost impossible for outsiders to create cookie to fool wordpress into letting them in. Users with a valid cookie (but they want to fake a login as a different user) will have to do a time consuming brute force attack of their own cookie to determine the Secret Key. (which they could then use to create a valid login cookie for another user account)

4 comments on “imap authentication plugin 0.6

  1. Pingback: Nurm’s blog » Blog Archive » imap authentication plugin

  2. hello, thank for the update. the plugin works well with 2.0 version, but not in 2.1
    has wordpress change his scheme of authentification? thank you for your answer

  3. I’m surprise that it worked for 2.0 at all! Yes, there’s probably some update on the WP API side that needs to be accounted for, but I don’t have a WP 2.1 install to test the plugin with :-(

    (yes, I know I should upgrade my blog to 2.1, but I plead no-free-time)

  4. This plugin is exactly what I was looking for. I downloaded 2.2 today and it also doesn’t work with that, either. Do you have any plans to update it soon? If not, I may take a crack at updating it (I haven’t written a WordPress plugin before; but, I’ve done enough PHP that I don’t expect it to be a terrible problem).

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>