Loose comparison

[Areizen]

The following code snippet in calendar.php could allow an attacker to bypass the login.

if(!$user || $user->password != md5($password))
        return false;

Explanation : If an user password 'md5' starts with 0e an attacker can connect to the website by using any text that md5 starts by 0e since php will compare int instead of the full strings and 0e123... == 0e23... == 0

[Areizen]

You should prefer using this : if(!$user || $user->password !== md5($password))

[sproctor]

Thanks, this change will be included in 2.0.13