Important Update for the PHP class Access User
Today our partner site finalwebsites.com announced an important update for the Access_user class. It is a security update that makes the script safer against hackers. While there is not really a problem for existing, working applications, it's advised to update them very soon.
The release information:
This is an important (security related) update; in previous versions hackers can guess common and repeating passwords from users. While the “forgotten password” function was based on the password and the user id, it could be possible to change the password for some user (if the hacker knows the user's id and the right password). The risk is not very high for most installations but could cause some trouble. The new version doesn’t use the password for validation anymore. The login name (encrypted) is used together with some “secret” string. AU class users can replace the class file but need to update the method calls in the activate password script. You need to add the constant variable SECRET_STRING to the db_config.php file.
Download the updated version of the PHP class here.
Post further questions about the class to the official support forum.
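The change described in the release information, as an added example that is not the Access_user class's own code: a reset value derived from the user id and password beside one keyed with SECRET_STRING. The function names, the md5 form of the old value, the use of HMAC-SHA256 and the expiry time are assumptions, and the expiry goes beyond what the release note describes.

```php
<?php
// Added example, not code from the Access_user class. Function names are
// hypothetical; SECRET_STRING is the constant the release note says to add to
// db_config.php, and the value below is a constructed placeholder.
define('SECRET_STRING', 'replace-with-a-long-random-value');

// Pattern the release note warns about (assumed form): the value depends only
// on the user id and the password, so a common or repeated password makes it
// predictable to anyone who knows the id.
function weak_reset_token(int $userId, string $password): string
{
    return md5($userId . $password);
}

// Keyed alternative: HMAC over the login name and an expiry time. The password
// is not an input, and the value cannot be recomputed without SECRET_STRING.
function reset_token(string $login, int $expires): string
{
    $mac = hash_hmac('sha256', $login . '|' . $expires, SECRET_STRING);
    return $expires . '.' . $mac;
}

// Check a token presented by the activate-password script.
function verify_reset_token(string $login, string $token, ?int $now = null): bool
{
    $now = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                      // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < $now) {
        return false;                      // link has expired
    }
    $expected = hash_hmac('sha256', $login . '|' . $expires, SECRET_STRING);
    return hash_equals($expected, $mac);   // constant-time comparison
}

// Constructed sample logins: the token verifies only for the login it was
// issued to.
$token = reset_token('alice', time() + 3600);
var_dump(verify_reset_token('alice', $token));
var_dump(verify_reset_token('bob', $token));
```

SECRET_STRING should be a long random value that is unique per installation and kept out of version control.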








I’m glad I stumbled across this post as I use the Access user class. This is one of the reasons why I tend to steer clear of software that is publicly available. Although I do use vBulletin as well.