https://sourceforge.net/p/kronophobia/bugs/Recent changes to bugsenMon, 06 Sep 2004 16:17:13 -0000https://sourceforge.net/p/kronophobia/bugs/2/<div class="markdown_content"><p>After installing, when I try to authentuicate as root a<br /> bad password response is returned.</p> <p>I put the password fielto to blank in the Database and<br /> authenticating with no password worked, I created one<br /> user and tried to login with it, It also failed.</p> <p>I wandered through the code and found some things whose<br /> pourpouse I dont fully understand.</p> <p>In the install script the sequence with the root<br /> password is:</p> <p>$password = "calendar";<br /> $password = $security-&gt;encryption($password);<br /> $password = base64_encode($password);</p> <p>ok, you end up with a encrypted and base64 encoded<br /> password.</p> <p>then, at the login.php script the code is: </p> <p>$db_password = $query_data-&gt;password;<br /> $db_password = $security-&gt;decryption($db_password);<br /> if($password == $db_password) .............</p> <p>I think it should b better to do (in fact, I have<br /> modified the script and this works fine): <br /> $db_password = $query_data-&gt;password;<br /> $password = $security-&gt;encryption($password);<br /> $password = base64_encode($password);<br /> if($password == $db_password) .............</p> <p>I haven't studied the code in this script, but..... you<br /> perform this same thing in two places, I think you<br /> could manage to perfomr this in only one place,<br /> rethinking the ifs should be enough.</p> <p>One thing more, is that, the encryption you perform is<br /> not a one way encription(althoug as you have seen the<br /> way you perform authentication doesn't work for me), If<br /> I get the encrypted value in the DB, I can get the<br /> password simply by passing that value to a php script.</p> <p>If you used a one way encryption solution, a brute<br /> force attack would be necesary as you cannot retrieve<br /> the password form the encrypted form, and so, the<br /> proccess to authenticate is the one I put instead of yours.</p> <p>I'm using </p> <p>Windows 2000 Prof, adv sever, and XP home (same<br /> behaviour in all of them)</p> <p>Postgresql 8 beta</p> <p>Php 4.3.5</p> <p>Thanks.</p></div>Jose Manuel MolinaMon, 06 Sep 2004 16:17:13 -0000https://sourceforge.net194e7539024a8b3d4382af64d19681890a9debe5https://sourceforge.net/p/kronophobia/bugs/1/<div class="markdown_content"><p>On some pages, v1.1-r3 uses BCS for school initials<br /> instead of user-configured initials.</p></div>CoryJWed, 08 Oct 2003 21:02:19 -0000https://sourceforge.neta5f47961086699d213a78173ab19c6cb477da98e