phpsched-disc Mailing List for phpSched
Brought to you by:
lim
From: Philip R. <chr...@ya...> - 2002-07-11 21:06:33
Hi,

I'm writing to see if phpSched is currently being maintained, and if so, is anyone subscribed to the mailing list? I've entered a bug, a feature request, and an ill-advised patch into the SourceForge database and have yet to receive any replies after several months, so essentially I infer I'm on my own hacking around this code. That's disappointing, because it really does seem like a really useful project.

Thanks,
Philip Reed
From: Philip R. <chr...@ya...> - 2002-02-26 12:01:57
First of all, is anybody else on this list? :-) I see no evidence from the archive that anyone has ever used it....

At any rate, I'm trying to fix an issue (Bug #512491) that occurred when I installed for the first time. I was able to get around it with a hack to bootstrap myself so that I could change the admin password from "", and this issue only comes up when the password is blank. Still, I'm quite surprised that no one else has reported this, which makes me curious if it's something about my setup (I'm using PHP4 but hacked Apache's httpd.conf to treat .php3 files as PHP4; I can't imagine that would have anything to do with this issue but who knows?).

Be that as it may, I'm now attempting a fix.... and hitting the following problems:

1. When auth.inc.php3 sends the redirection header to chpass.php3, apparently chpass has a new set of global variables, so it's no use setting a global to say that auth has already been loaded.

2. So I thought about passing a variable in the URL, which seems to work OK, but constitutes a fairly serious security hole! Any rogue user could put the chpass URL followed by "?redir=1" into their browser and be given the right to change the password. That's not good!

3. So now I'm flirting with hacking chpass to pull out the existing password and only circumvent the authentication stuff if
   a. it's been redirected AND
   b. the existing pw is "".

I was also trying to brainstorm if there was some way to use encryption to pass along the password as part of the URL, but I don't see that that helps any -- we'd still need to check it against the database, I assume.

So anyway, I would appreciate any pointers, opinions, etc. on how to go about fixing this. And apologies in advance for posting my untested patch -- that was a very dumb thing for me to do.

Thanks,
Philip
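
The difference between points 2 and 3 of the message above, as an added example that is not part of the original post and is not phpSched code: the first function trusts the `redir` URL parameter alone, the second also requires the stored admin password to be blank. The function names and the `$fetchAdminPassword` lookup are hypothetical stand-ins for chpass.php3's logic and its database query, and the sample cases are constructed.

```php
<?php
// Added example; not phpSched code. All names are hypothetical.

// Point 2 of the post: the bypass trusts a value the client controls.
function may_skip_auth_insecure(array $query): bool
{
    return ($query['redir'] ?? '') === '1';
}

// Point 3 of the post: the redirect flag is only a hint. The decision
// rests on server-side state: the stored admin password must be "".
// $fetchAdminPassword stands in for the database lookup and returns
// the stored value, or null when no admin row exists.
function may_skip_auth(array $query, callable $fetchAdminPassword): bool
{
    if (($query['redir'] ?? '') !== '1') {
        return false;
    }
    $stored = $fetchAdminPassword();
    // Strict comparison: null, "0" or false must not count as blank.
    return $stored === '';
}

// Constructed cases: [description, query string values, stored password]
$cases = [
    ['fresh install, redirected',   ['redir' => '1'], ''],
    ['password set, forged ?redir', ['redir' => '1'], 'constructed-secret'],
    ['fresh install, no redirect',  [],               ''],
    ['no admin row, forged ?redir', ['redir' => '1'], null],
];

foreach ($cases as [$label, $query, $stored]) {
    $lookup = fn() => $stored;
    printf(
        "%-30s insecure=%s hardened=%s\n",
        $label,
        var_export(may_skip_auth_insecure($query), true),
        var_export(may_skip_auth($query, $lookup), true)
    );
}
```

With the hardened check, the bypass closes on its own as soon as a non-blank password is stored, so a forged `?redir=1` has no effect after first-time setup.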