Recent changes to bugshttps://sourceforge.net/p/kronophobia/bugs/2004-09-06T16:17:13ZRecent changes to bugsError authenticating users2004-09-06T16:17:13Z2004-09-06T16:17:13ZJose Manuel Molinahttps://sourceforge.net/u/jmmpascual/https://sourceforge.net194e7539024a8b3d4382af64d19681890a9debe5<div class="markdown_content"><p>After installing, when I try to authentuicate as root a<br />
bad password response is returned.</p>
<p>I put the password fielto to blank in the Database and<br />
authenticating with no password worked, I created one<br />
user and tried to login with it, It also failed.</p>
<p>I wandered through the code and found some things whose<br />
pourpouse I dont fully understand.</p>
<p>In the install script the sequence with the root<br />
password is:</p>
<p>$password = "calendar";<br />
$password = $security->encryption($password);<br />
$password = base64_encode($password);</p>
<p>ok, you end up with a encrypted and base64 encoded<br />
password.</p>
<p>then, at the login.php script the code is: </p>
<p>$db_password = $query_data->password;<br />
$db_password = $security->decryption($db_password);<br />
if($password == $db_password) .............</p>
<p>I think it should b better to do (in fact, I have<br />
modified the script and this works fine): <br />
$db_password = $query_data->password;<br />
$password = $security->encryption($password);<br />
$password = base64_encode($password);<br />
if($password == $db_password) .............</p>
<p>I haven't studied the code in this script, but..... you<br />
perform this same thing in two places, I think you<br />
could manage to perfomr this in only one place,<br />
rethinking the ifs should be enough.</p>
<p>One thing more, is that, the encryption you perform is<br />
not a one way encription(althoug as you have seen the<br />
way you perform authentication doesn't work for me), If<br />
I get the encrypted value in the DB, I can get the<br />
password simply by passing that value to a php script.</p>
<p>If you used a one way encryption solution, a brute<br />
force attack would be necesary as you cannot retrieve<br />
the password form the encrypted form, and so, the<br />
proccess to authenticate is the one I put instead of yours.</p>
<p>I'm using </p>
<p>Windows 2000 Prof, adv sever, and XP home (same<br />
behaviour in all of them)</p>
<p>Postgresql 8 beta</p>
<p>Php 4.3.5</p>
<p>Thanks.</p></div>Short Page header still has BCS initials2003-10-08T21:02:19Z2003-10-08T21:02:19ZCoryJhttps://sourceforge.net/u/k12linux/https://sourceforge.neta5f47961086699d213a78173ab19c6cb477da98e<div class="markdown_content"><p>On some pages, v1.1-r3 uses BCS for school initials<br />
instead of user-configured initials.</p></div>