
News from Habari

Potential Security Issue With The AutoSave Plugin


A potential security issue has been discovered with the AutoSave plugin in the habari-extras repository. If exploited, the cracker could potentially add new posts to your blog without being an authenticated user. The updated plugin, version 0.1.2, adds a check to make sure the user is authenticated. The development version of the plugin, "trunk", for the upcoming Habari 0.7 has been rendered inoperable, since it does not account for the new ACL system: any authenticated user, whether or not they had permissions, could add new posts. We are still looking for volunteers to fix the ACL problem.

Current users of the AutoSave plugin should update now.
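The following PHP sketch is an added illustration of the three states described above, not code from the AutoSave plugin or from Habari. The User class, the permission name 'create_posts' and the handler signatures are constructed for the example and do not reproduce Habari's real API; it shows the unchecked handler, the authentication-only check that 0.1.2 adds, and the authentication-plus-permission check that a 0.7 ACL-aware version would need.

```php
<?php
// Added illustration (not the AutoSave plugin's code). The User class, the
// permission name 'create_posts' and the handler signatures are constructed
// for this example and do not reproduce Habari's real API. Requires PHP 8.1+.

final class User
{
    public function __construct(
        public readonly bool $loggedin,
        private readonly array $permissions = [],
    ) {}

    // Constructed stand-in for an ACL lookup.
    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

// Three stages of the same autosave handler. Each returns 'saved' or
// 'denied' instead of writing to a database so the behaviour is easy to compare.

// Stage 1: the flaw described in the advisory. Anything that can reach the
// handler creates a draft post; the caller's identity is never consulted.
function autosave_unchecked(User $user, array $postdata): string
{
    return save_draft($postdata);
}

// Stage 2: what version 0.1.2 adds. An anonymous request is refused, but any
// logged-in account passes, which is the remaining problem under the 0.7 ACL.
function autosave_authenticated(User $user, array $postdata): string
{
    if (!$user->loggedin) {
        return 'denied';
    }
    return save_draft($postdata);
}

// Stage 3: what a 0.7-compatible fix needs. Authentication plus an explicit
// permission check, so a logged-in user without post rights is refused too.
function autosave_authorized(User $user, array $postdata): string
{
    if (!$user->loggedin || !$user->can('create_posts')) {
        return 'denied';
    }
    return save_draft($postdata);
}

function save_draft(array $postdata): string
{
    // Stand-in for the real write; also refuses empty content.
    return isset($postdata['content']) && $postdata['content'] !== '' ? 'saved' : 'denied';
}

// Constructed callers: anonymous visitor, logged-in reader, logged-in author.
$anon   = new User(loggedin: false);
$reader = new User(loggedin: true, permissions: ['comment']);
$author = new User(loggedin: true, permissions: ['comment', 'create_posts']);
$draft  = ['title' => 'Draft', 'content' => 'autosaved text'];

foreach (['unchecked', 'authenticated', 'authorized'] as $stage) {
    $fn = "autosave_$stage";
    printf("%-14s anon=%-6s reader=%-6s author=%s\n",
        $stage, $fn($anon, $draft), $fn($reader, $draft), $fn($author, $draft));
}
```

Run with `php autosave_stages.php`. The point of the matrix is that the anonymous column only closes at stage 2, while the reader column, a logged-in account with no posting right, only closes at stage 3; an authentication check alone is not an authorization check once the system has a permission model.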

The Habari Community takes security seriously and believes that openness provides the best security. When a security exploit is discovered, we consider it of the highest importance to correct the problem and notify users of the affected code as soon as possible. This policy applies equally to code in our core software and code in the -extras repository, as any security problem is a problem for the community as a whole.

While the testing for our core software is held to a very rigorous standard, we need to be just as proactive and open with issues in the code contributed to the habari-extras repository. We have held that all -extras repository code should be a potential candidate for inclusion in the core software. Therefore we have an obligation, as a community, to take security as seriously in -extras as we do in core, and to support the developers who contribute code to the Habari Community regardless of where that code is.

If you become aware of a security issue in any Habari component, please let us know. Specifics on how to report a security issue can be found on the Wiki.