login.php in ACal Calendar Project 2.2.5 allows remote malicious users to bypass authentication by setting the ACalAuthenticate cookie variable to "inside".
acal calendar project 2.2.5