#############################################################################################
###                                                                                       ###
###                             P A S S W O R D   L O O K U P                             ###
###                                                                                       ###
###  Written by: JPDeni                                                                   ###
###  some time before: 11 May 1999                                                        ###
#############################################################################################
#
# This is a new version of the password lookup modification for DBMan, modified 18 March 1999.
# I hope I've fixed whatever problems were in previous versions.
#
# If you have debugging set in the .cfg file, it will not send the information, but will print
# the email at the bottom of the screen. Be sure to turn off debugging before you allow the
# database to be accessed by anyone.
#
# Again I want to warn you that this removes the crypt() hashing from passwords: after these
# changes the password file holds every password as plain text, the login check compares the
# submitted password with it directly, and sub lookup mails it out. Be sure your
# password file is not accessible to anyone but you.
#
# How to read this file: each section names the file (and subroutine) to edit. The lines under
# "-- change --", "-- after --", "-- before --" and "-- delete --" are the existing code to find;
# the lines under "-- to --" and "-- add --" are the replacement or the new code.
#
#############################################################################################
#
# file: default.pass
#
# Each record gains an eighth colon-separated field, the user's email address, and the second
# field now holds the password itself instead of its crypt() hash. The passwords and
# addresses shown under "to" are sample values; put in your own.
#
# change
admin:A.f0Kvdiyy8q2:1:1:1:1:1
author:zs047RckAhJH6:1:1:1:1:0
guest:ZX9XTlIfPvdGE:1:0:0:0:0
# to
admin:admin:1:1:1:1:1:foo@bar.com
author:author:1:1:1:1:0:bar@foo.com
guest:guest:1:0:0:0:0:far@boo.com
#
#############################################################################################
#
# file: auth.pl
# -------------------------------------------------------------
# The declarations gain $email so the eighth field of a record has somewhere to go.
# -- change --
    my ($pass, @passwd, $userid, $pw, @permissions, $file, $uid);
# -- to --
    my ($pass, @passwd, $userid, $pw, @permissions, $file, $uid, $email);

# The login check: the record is split into eight fields instead of seven, and the
# crypt() comparison is replaced by a plain string comparison with the stored password.
# -- change --
    ($userid, $pw, $view, $add, $del, $mod, $admin) = split (/:/, $pass);
    if (($in{'userid'} eq $userid) && (crypt($in{'pw'}, $pw) eq $pw)) {
# -- to --
    ($userid, $pw, $view, $add, $del, $mod, $admin, $email) = split (/:/, $pass);
    if (($in{'userid'} eq $userid) && ($in{'pw'} eq $pw)) {

# -- change --
    my ($username, @permissions, $permission, $name, $pw, $view, $add, $del, $mod, $admin);
# -- to --
    my ($username, @permissions, $permission, $name, $pw, $view, $add, $del, $mod, $admin, $email);

# The permission lookup loop: only the split changes, so the email field is read
# along with the rest of the record.
# -- change --
    PER: foreach $permission (@permissions) {
        ($permission =~ /^$/) and next PER;    # Skip blank lines.
        ($permission =~ /^#/) and next PER;    # Skip Comment lines.
        ($name, $pw, $view, $add, $del, $mod, $admin) = split (/:/, $permission);
        if ($username eq $name) {
# -- to --
    PER: foreach $permission (@permissions) {
        ($permission =~ /^$/) and next PER;    # Skip blank lines.
        ($permission =~ /^#/) and next PER;    # Skip Comment lines.
        ($name, $pw, $view, $add, $del, $mod, $admin, $email) = split (/:/, $permission);
        if ($username eq $name) {
#
#############################################################################################
#
#
# file: default.cfg
# -------------------------------------------------------------
# -- after --
# Full path and file name of the html routines.
    require $db_script_path . "/html.pl";
# -- add --
# Your email address. Be sure to leave in the \ before the @
# (sub lookup uses it as the From: address and as the support contact in the mail text.)
    $admin_email = "you\@yourserver.com";
# The name of the database or organization that's running it
    $db_name = "Database Manager";
# Email program on your system
# The leading | makes open() start the program and pipe the message to it. With -t,
# sendmail takes the recipients from the To:/Cc:/Bcc: header lines of the message itself,
# so whatever ends up in those header lines decides who receives the mail.
    $mailprog = "|/usr/lib/sendmail -t";
# -- after --
# Permissions a new signup should get.
@auth_signup_permissions = (1,1,1,1,0); # -- add -- # Allow people to look up lost passwords $auth_lookup =1; # ############################################################################################# # # file: db.cgi # ------------------------------------------------------------- # -- after -- elsif ($auth_signup and $in{'signup_form'}) { &html_signup_form; } elsif ($auth_signup and $in{'signup'}) { &signup; } # -- add -- elsif ($auth_lookup and $in{'lookup_form'}) { &html_lookup_form; } elsif ($auth_lookup and $in{'lookup'}) { &lookup; } ############################################################################################# # # file: db.cgi sub admin_display # -- change -- my ($message, @lines, $line); # -- to -- my ($message, @lines, $line, $email); # -- after -- unless ((length($in{'new_username'}) >= 3) and (length($in{'new_username'}) <= 12) and ($in{'new_username'} =~ /^[a-zA-Z0-9]+$/)) { $message = "Invalid username: $in{'new_username'}. Must only contain letters and numbers and be less then 12 and greater then 3 characters."; last CASE; } unless ((length($in{'password'}) >= 3) and (length($in{'password'}) <= 12)) { $message = "Invalid password: '$in{'password'}'. Must be less then 12 and greater then 3 characters."; last CASE; } # -- add -- unless (($in{'email'}) and ($in{'email'} =~ /.+\@.+\..+/)) { $message = "Invalid email address: '$in{'email'}'."; last CASE; } open (PASSWD, "<$auth_pw_file") || &cgierr("unable to open password file. Reason: $!\n"); @passwds = ; # Let's get the user id and passwords.. close PASSWD; PASS: foreach $pass (@passwds) { # Go through each pass and see if we match.. next PASS if ($pass =~ /^$/); # Skip blank lines. next PASS if ($pass =~ /^#/); # Skip Comment lines. chomp ($pass); ($userid, $pw, $view, $add, $del, $mod, $admin,$email) = split (/:/, $pass); if ($in{'new_username'} eq $userid) { $message = "User name already in use. 
Try another"; last CASE; } if ($in{'email'} eq $email) { $message = "Email address already in password file."; last CASE; } } # -- delete -- my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/'); my $salt = join '', @salt_chars[rand 64, rand 64]; my $encrypted = crypt($in{'password'}, $salt); # -- change -- print PASS "$in{'new_username'}:$encrypted:$in{'per_view'}:$in{'per_add'}:$in{'per_del'}:$in{'per_mod'}:$in{'per_admin'}\n"; # -- to print PASS "$in{'new_username'}:$in{'password'}:$in{'per_view'}:$in{'per_add'}:$in{'per_del'}:$in{'per_mod'}:$in{'per_admin'}:$in{'email'}\n"; # -- delete -- my $password = (split (/:/, $line))[1]; unless ($password eq $in{'password'}) { my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/'); my $salt = join '', @salt_chars[rand 64, rand 64]; $password = crypt($in{'password'}, $salt); } # -- change -- print PASS "$in{'username'}:$password:$in{'per_view'}:$in{'per_add'}:$in{'per_del'}:$in{'per_mod'}:$in{'per_admin'}\n"; # -- to -- print PASS "$in{'username'}:$in{'password'}:$in{'per_view'}:$in{'per_add'}:$in{'per_del'}:$in{'per_mod'}:$in{'per_admin'}:$in{'email'}\n"; # -- after -- $password = $data[1]; # -- add -- $email = $data[7]; # -- change -- &html_admin_display ($message, $user_list, $password, $perm); # -- to -- &html_admin_display ($message, $user_list, $password, $perm, $email); ############################################################################################# # # file: db.cgi sub signup # -- change -- my $message; # -- to -- my ($userid, $email, $message); # -- after -- unless ((length($in{'pw'}) >= 3) and (length($in{'pw'}) <= 12)) { $message = "Invalid pw: '$in{'pw'}'. 
Must be less then 12 and greater then 3 characters."; } # -- add -- unless (($in{'email'}) and ($in{'email'} =~ /.+\@.+\..+/)) { $message = "Invalid email address: '$in{'email'}'."; } # -- change -- open (PASS, "<$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!"); if ($db_use_flock) { flock(PASS, 1); } while () { /^\Q$in{'userid'}\E:/ and ($message = "userid already exists. Please try another."); } close PASS; # -- to -- open (PASSWD, "<$auth_pw_file") || &cgierr("unable to open password file. Reason: $!\n"); @passwds = ; # Let's get the user id and passwords.. close PASSWD; PASS: foreach $pass (@passwds) { # Go through each pass and see if we match.. next PASS if ($pass =~ /^$/); # Skip blank lines. next PASS if ($pass =~ /^#/); # Skip Comment lines. chomp ($pass); ($userid, $pw, $view, $add, $del, $mod, $admin,$email) = split (/:/, $pass); if ($in{'userid'} eq $userid) { $message = "User name already in use. Try another"; } if ($in{'email'} eq $email) { $message = "Email address already in password file."; } } # -- change -- srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/'); my $salt = join '', @salt_chars[rand 64, rand 64]; my $encrypted = crypt($in{'pw'}, $salt); my $permissions = join (":", @auth_signup_permissions); print PASS "$in{'userid'}:$encrypted:$permissions\n"; close PASS; # -- to -- my $permissions = join (":", @auth_signup_permissions); print PASS "$in{'userid'}:$in{'pw'}:$permissions:$in{'email'}\n"; close PASS; ############################################################################################# # # file: db.cgi -- new subroutine sub lookup { # -------------------------------------------------------- my $found = 0; unless ($in{'email'} =~ /.+\@.+\..+/) { &html_lookup_form ("Invalid email address"); } else { open (PASSWD, "<$auth_pw_file") || &cgierr("unable to open password file. Reason: $!\n"); @passwds = ; # Let's get the user id and passwords.. 
close PASSWD; PASS: foreach $pass (@passwds) { # Go through each pass and see if we match.. next PASS if ($pass =~ /^$/); # Skip blank lines. next PASS if ($pass =~ /^#/); # Skip Comment lines. chomp ($pass); ($userid, $pw, $view, $add, $del, $mod, $admin, $email) = split (/:/, $pass); if (lc($in{'email'}) eq lc($email)) { $found=1; $mailtext = "To: $email\n"; $mailtext .= "From: $admin_email\n"; $mailtext .= "Subject: $db_name Account Information\n\n"; $mailtext .= "-" x 60 . "\n\n"; $mailtext .= "You requested your $db_name account information:\n\n"; $mailtext .= "Your $db_name User ID is: $userid\n"; $mailtext .= "Your $db_name password is: $pw\n\n"; $mailtext .= "please contact $db_name support at: $admin_email\n"; $mailtext .= "if you have any questions.\n\n"; if ($db_debug) { $message = $mailtext; } else { open (MAIL, "$mailprog") || print "Can't start mail program"; print MAIL $mailtext; close (MAIL); } last PASS; } } if ($found) { &html_lookup_success($message); } else { &html_lookup_form ("Email address $in{'email'} not found."); } } } ############################################################################################# # # file: html.pl sub html_login_form # -- before -- # -- add -- |; if ($auth_signup) { print qq|

<$font>If you don't have an account you can sign up for one online.|;
}
if ($auth_lookup) { print qq|

<$font>If you have forgotten your user name or password you can have it emailed to you.|;
}
print qq|
#############################################################################################
#
# file:html.pl sub html_login_failure
# The added code is the same as for html_login_form: it closes the page's qq|...| string,
# prints the sign-up hint when $auth_signup is set and the lookup hint when $auth_lookup
# is set, then reopens the string.
# NOTE(review): the line under "-- before --" is blank in this listing and the two hints
# carry no link markup; presumably the HTML was dropped when the page was rendered.
# Take the anchor line and the links from the original modification file.
# -- before --

# -- add --
|;
if ($auth_signup) { print qq|

<$font>If you don't have an account you can sign up for one online.|;
}
if ($auth_lookup) { print qq|

<$font>If you have forgotten your user name or password you can have it emailed to you.|;
}
print qq|
#############################################################################################
#
# file: html.pl sub admin display
# The argument list gains $email, matching the extra argument that db.cgi's
# admin_display now passes to html_admin_display.
# -- change --
    my ($message, $user_list, $password, $permissions) = @_;
# -- to --
    my ($message, $user_list, $password, $permissions, $email) = @_;
# NOTE(review): nothing follows this "-- after --" or the "-- add --" that comes next in
# this listing; presumably the HTML to find and to add was dropped in rendering.
# -- after --

# -- add --
#############################################################################################
#
# file: html.pl sub signup
# NOTE(review): the "-- after --" and "-- add --" below are empty in this listing;
# presumably they held HTML that was dropped when the page was rendered.
# -- after --
# -- add --
#############################################################################################
#
# file: html.pl -- new subroutine
#
# note -- this subroutine is included in the "user-friendly html.pl" file. If you are using
# the current version of that modification, you don't need to add this subroutine.
sub html_lookup_form {
# --------------------------------------------------------
# This form is displayed for users who want their user name and password
# emailed to them.
#
# Takes one optional argument, an error text. The headers are printed through
# html_print_headers, then the page; when $error is true it is interpolated into
# the page as it is, with no HTML escaping, so callers must only pass text that
# is safe to print.
#
# NOTE(review): the printed text below has no HTML tags and no form markup, and
# the lines from "Change Password:" to "Password Lookup" look like text that
# belongs to other sections of this file. Presumably the page was rendered as
# HTML before it was saved; restore the markup from the original file.
#
    my $error = shift;
    &html_print_headers;
    print qq| $html_title: Password Lookup
<$font>Change Password:
<$font>Email address:
Password:
Email address:
Password Lookup

<$font_title>Password Lookup

<$font> To have your user name and password emailed to you, enter your email address below. |;
    if ($error) { print qq|

<$font>$error

|; }
    print qq|
Email address:

|;
}
#############################################################################################
#
# file: html.pl -- new subroutine
#
# note -- this subroutine is included in the "user-friendly html.pl" file. If you are using
# the current version of that modification, you don't need to add this subroutine.
sub html_lookup_success {
# --------------------------------------------------------
# The users name and password have successfully been sent
#
# Reads no arguments: the value sub lookup passes in is not unpacked here, the
# page prints the global $message instead. sub lookup sets $message only when
# $db_debug is on, and then it holds the whole mail text, password included.
#
# NOTE(review): as in html_lookup_form, the HTML tags of the page are missing
# from this listing.
#
    &html_print_headers;
    print qq| $html_title: Password Sent
$html_title: Password Sent

<$font_title>Password Sent

<$font> Your information has been sent. Please use your user name and password to log in to the database when you receive it.

User ID:
Password:

$message
|;
}