* Adam Armstrong adama@memetic.org [2013-08-19 22:09]:
> Hi,
> I've done a bit of rewriting of the authentication system. At first it wasn't properly authing for everyone, but that's fixed now.
> You should all upgrade, it's quite an important update that fixes a pretty nasty security problem :)
Which one? The one you first tried to silently fix in the 4304 revision together with some other 90 files?
r4304 "print_r() -> print_vars() which calls print_r or r()/rt() depending upon environment. new remember me function (this is super important)"
Hm, it doesn't mention a security problem but nonetheless, saving the password in the session and also in a cookie is probably not the best idea, yes...
setcookie("password", $_SESSION['password'], time()+60*60*24*100, "/");
http://fisheye.observium.org/browse/Observium/html/includes/authenticate.inc...
So we come to quality checks again...
Seriously, reconsider your release strategy and the way you inform people about problems that could impact their security, please.
Sebastian
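To make the point of the thread concrete, here is an added example (not Observium's code and not part of the mailing-list message) showing the quoted setcookie() pattern next to a "remember me" design that never puts the password in the cookie. The token store is an in-memory array constructed for the example, standing in for a database table; the 30-day lifetime and the function names are assumptions.

```php
<?php
// Added example, not Observium code: the weak "remember me" cookie from the
// thread next to a token-based version. The $token_store array is a constructed
// stand-in for a database table; REMEMBER_TTL is an assumed value.

declare(strict_types=1);

// Weak pattern, as quoted from authenticate.inc in the thread: the cleartext
// password is written into a 100-day cookie, so anyone who can read the cookie
// (script injection, a shared browser, a proxy log over plain HTTP) has the
// password itself, and it stays valid until the password is changed.
function remember_me_weak(string $password): void
{
    setcookie("password", $password, time() + 60 * 60 * 24 * 100, "/");
}

// Hardened pattern: a random, single-purpose token split into a selector
// (lookup key) and a validator (secret). Only the validator's hash is stored,
// so a leaked token table does not yield usable cookies, and the cookie is
// flagged HttpOnly/Secure so scripts and plain-HTTP requests cannot read it.
const REMEMBER_TTL = 60 * 60 * 24 * 30;  // 30 days (assumed value)

/** @var array<string, array{user: string, hash: string, expires: int}> constructed stand-in for a DB table */
$token_store = [];

function remember_me_issue(string $user, array &$store): string
{
    $selector  = bin2hex(random_bytes(16));  // not secret, used for lookup
    $validator = bin2hex(random_bytes(32));  // secret, only its hash is kept
    $store[$selector] = [
        'user'    => $user,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    $cookie = $selector . ':' . $validator;
    // Options-array form of setcookie() requires PHP 7.3 or newer.
    setcookie('remember', $cookie, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $cookie;
}

// Returns the user the cookie belongs to, or null if it is malformed, unknown,
// expired or carries the wrong validator.
function remember_me_check(string $cookie, array &$store): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    if ($row['expires'] < time()) {
        unset($store[$selector]);  // expired tokens are removed on first use
        return null;
    }
    // hash_equals() compares in constant time, so a wrong validator cannot be
    // distinguished byte by byte through timing.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user'];
}

// Usage (in a real request, setcookie() emits the Set-Cookie header):
$cookie = remember_me_issue('alice', $token_store);
var_dump(remember_me_check($cookie, $token_store) === 'alice');      // bool(true)
var_dump(remember_me_check('bogus:token', $token_store) === null);   // bool(true)
```

The selector/validator split is what lets the server store only a hash: the selector finds the row without a full-table scan, and the validator is high-entropy random data, so a plain SHA-256 of it is enough and no password-style slow hash is needed. Revoking a session then means deleting one row rather than forcing a password change, which is the option the quoted cookie leaves you with once it has been read.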