E-mail, FTP, and SQL Password Changer - Updated

[Dolomike]

This version is no longer maintained

Please see this thread for a newer (and better) version.


Hi,

I've expanded an existing e-mail password changer located here to include the ability to change FTP and SQL passwords as well. It also does some simple password validity checking.

You can find the code for password changer here: http://www.isp-control.net/documentation...rd_changer

I installed mine under tools/passwordchanger/index.php.

Feel free to update or fix any errors.

Dolomike

[Gleno0h]

Thanks, works great.

I suggest you make the "Password changed" text green though.

Thanks for this!

[gOOvER]

Great Work. Thanks for your contribution

[Gleno0h]

I've also translated this into dutch, i hope/asume you dont mind.
+ it has green succes message
(some things like mysql functions arnt translated, not needed i think ...

PHP Code:

<?php
/*
*  ispcp Password Changer
*  author: dolomike
*  translation: Gleno0h
*  language: Dutch
*  Version: 0.1
*
*  Feel free to modify and distribute
*
*  Based on http://www.isp-control.net/documentation/doku.php?id=howto:mail:change_webmailpass
*  Modified to allow password changes to e-mail, ftp, and SQL users
*  Does not require adodb but uses built in ispCP functions
*  Added javascript to check password entry requirements before submit
*/
require '../../include/ispcp-lib.php';

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>IspCP Wachtwoord Veranderen</title>
<meta name="robots" content="noindex,nofollow">
<link rel="stylesheet" type="text/css" href="/webmail/themes/css/omega.css">
<style type="text/css">
<!--
body, td, input, select, textarea {
    font-family:Tahoma, Geneva, sans-serif;
    font-size:9px;
}
input, textarea, select {
    border:#7f9db9 1px solid;
    padding:0px;
}
-->
</style>
<script type="text/javascript">
  function checkForm(form)
  {
    // Check of de gebruikersnaam leeg is
    if(form.username.value == "") {
      alert("Error: Gebruikersnaam is leeg");
      form.username.focus();
      return false;
    }

    // Check of er ongeldige tekens in de gebruikersnaam gebruikt worden
    //if (form.ptype.value != "sql")
    //{
    //  re = /^\w+$/;
    //  if(!re.test(form.username.value)) {
    //    alert("Error: Gebruikersnaam mag alleen letters, cijfers en sommige tekens bevatten.");
    //    form.username.focus();
    //    return false;
    //  }
    //}

    // Check of het oude wachtwoord veld leeg is
    if(form.oldpass.value == "") {
      alert("Error: Oude wachtwoord niet ingevult.");
      form.oldpass.focus();
      return false;
    }

    // Check of het nieuwe wachtwoord veld leeg is
    if(form.newpass.value == "") {
      alert("Error: Nieuw wachtwoord niet ingevult.");
      form.newpass.focus();
      return false;
    }

    // Check of het nieuwe herhaalde wachtwoord veld leeg is
    if(form.newpassr.value == "") {
      alert("Error: Please repeat the new password!");
      form.newpassr.focus();
      return false;
    }

    // Er zeker van zijn dat het wachtwoord minstens 1 cijfer heeft
    re = /[0-9]/;
    if(!re.test(form.newpass.value)) {
       alert("Error: het wachtwoord moet minstens 1 cijfer hebben (0-9)!");
       form.newpass.focus();
       return false;
     }

    // Er zeker van zijn dat het wachtwoord minsten 1 kleine letter heeft
    re = /[a-z]/;
    if(!re.test(form.newpass.value)) {
      alert("Error: het wachtwoord moet minimaal 1 kleine letter hebben (a-z)!");
      form.newpass.focus();
      return false;
    }

    // Check of de wachtwoord lengte klopt
    if (form.ptype.value == "sql")
    {
      if((form.newpass.value.length < 1) || (form.newpass.value.length > 32)) {
      alert("Error: Wachtwoord moet tussen 1 en 32 tekens hebben");
      form.newpass.focus();
      return false;
      }
    }
    else
    {
      if((form.newpass.value.length < 6) || (form.newpass.value.length > 15)) {
        alert("Error: Wachtwoord moet tussen 6 en 15 tekens hebben");
        form.newpass.focus();
        return false;
      }
    }


    // Check of de nieuwe wachtwoorden overeen komen
    if(form.newpass.value != form.newpassr.value) {
      alert("Error: Nieuwe wachtwoord komen niet overeen");
      //form.newpass = "";
     // form.newpassr = "";
      form.newpassr.focus();
      return false;
    }

    //Extra:
//    re = /[A-Z]/;
//    if(!re.test(form.pwd1.value)) {
//      alert("Error: wachtwoord moet minstens 1 hoofdletter hebben (A-Z)!");
//      form.pwd1.focus();
//      return false;
//    }
//  }

// Geen problemen, accepteer dan de verandering en stuur het door naar IspCP
return true;
}
</script>
</head>
<body bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000">
<form action="" method="post" name="login_form" onSubmit="return checkForm(this);">
  <div id="container">
    <h1>Wachtwoord veranderen</h1>
    <fieldset class="login">
        <p class="login">
        <table cellpadding="0" cellspacing="0" style="color:#CCC">
          <tr>
            <td align ="left">&nbsp;<strong>Type:</strong></td>
            <td><select name="ptype" style="width:130px;"/>
                <option value="e-mail">E-Mail Wachtwoord</option>
                <option value="ftp">FTP Wachtwoord</option>
                <option value="sql">SQL Wachtwoord</option>
            </td>
          </tr>
          <tr>
            <td align="left">&nbsp;<strong>Gebruikersnaam:</strong></td>
            <td><input type="text" name="username"  style="width:130px;"/></td>
          </tr>
          <tr>
            <td align="left">&nbsp;<strong>Oude wachtwoord:</strong></td>
            <td><input type="password" name="oldpass"  style="width:130px;"/></td>
          </tr>
          <tr>
            <td align="left">&nbsp;<strong>Nieuwe wachtwoord:</strong></td>
            <td><input type="password" name="newpass"  style="width:130px;" maxlength="15"/></td>
          </tr>
          <tr>
            <td align="left">&nbsp;<strong>Herhaal wachtwoord:</strong></td>
            <td><input type="password" name="newpassr"  style="width:130px;" maxlength="15"/></td>
          </tr>
          <tr>
            <td align="left"></td>
            <td><input type="submit" name="changepass" value="Verander!" /></td>
          </tr>
        </table>
      </p>
    </fieldset>
  </div>
</form>

// Verder geen vertaling nodig qua mysql connectie etc. Scroll verder voor de error berichten.
<?php

// Ensure all the required values are passed in
if(isset($_POST['changepass'])=='Change'&&!empty($_POST['username'])&&!empty($_POST['oldpass'])&&!empty($_POST['newpass'])&&!empty($_POST['newpassr']))
{
  // assign the username, password and type  to variables
  if(isset($_POST['username']))$username=$_POST['username'];
  if(isset($_POST['oldpass']))$oldpass=($_POST['oldpass']);
  if(isset($_POST['newpass']))$newpass=($_POST['newpass']);
  if(isset($_POST['ptype']))$ptype=($_POST['ptype']);
  // populate the SQL parameters based on type of password being changed
  switch ($ptype)
  {
    case "e-mail":
      $sql_table = "mail_users";
      $sql_search_id = "mail_id";
      $sql_search_field = "mail_addr";
      $sql_search_pass = "mail_pass";
      break;
    case "ftp":
      $sql_table = "ftp_users";
      $sql_search_id = "userid";
      $sql_search_field = "userid";
      $sql_search_pass = "passwd";
      break;
    case "sql":
      $sql_table = "sql_user";
      $sql_search_id = "sqlu_id";
      $sql_search_field = "sqlu_name";
      $sql_search_pass = "sqlu_pass";
      break;
  }
  // Run the SQL command to find the user and password
  $sql_result = execute_query($sql,'SELECT ' . $sql_search_id . ', ' . $sql_search_pass.' FROM '. $sql_table.' WHERE '. $sql_search_field .'= "' .$username.'"');

  // store the result for later processing
  $user_db_id = $sql_result->fields[$sql_search_id];
  $user_db_pass = $sql_result->fields[$sql_search_pass];

  // Bekijk of de gebruikersnaam bestaat
  if ($sql_result->RecordCount() == 0)
  {
    echo ('<p align="center" style="color:#F00">Incorrecte gebruikersnaam of wachtwoord, probeer opnieuw. ');
    return false;
  }
  elseif ($sql_result->RecordCount() > 1)
  {
    echo ('<p align="center" style="color:#F00">Er is een error opgetreden, neem contact op met de systeembeheerder(s). ');
    return false;
  }
  // One entry found. Check if the old password match
  else
  {
    // check if the old passwords match
    // ftp passwords are stored a bit differently than e-mail and SQL
    if ($ptype == "ftp")
    {
      if (crypt($oldpass,$user_db_pass) == $user_db_pass)
        $pass_match = 1;
      else
        $pass_match = 0;
    }
    // Check e-mail and SQL users this way
    else
    {
      if (encrypt_db_password($oldpass) == $user_db_pass)
        $pass_match = 1;
      else
        $pass_match = 0;
    }

    if ($pass_match == 1)
    {

      //Encrypt the new passwords
      // ftp passwords are stored with crypt
      if ($ptype == "ftp")
      {
        $new_db_pass = crypt_user_pass_with_salt($newpass);
      }
      // otherwise md5 with e-mail and SQL
      else
      {
        $new_db_pass = encrypt_db_password($newpass);
      }
      // Perform the password update
      if ($ptype == "sql")
      {
        // Update ispCP SQL password
        $sql_result = execute_query($sql,'UPDATE ' . $sql_table . ' SET '. $sql_search_pass."='".$new_db_pass."'  WHERE ". $sql_search_id .'="'.$user_db_id.'" LIMIT 1');
        // update MYSQL login data
        $query =  execute_query($sql, 'SET PASSWORD FOR "' . $username. '"@"%" = PASSWORD("'.$newpass.'")');
        $query =  execute_query($sql, 'SET PASSWORD FOR "' . $username. '"@"localhost" = PASSWORD("'.$newpass.'")');
      }
      elseif ($ptype == "ftp")
        $sql_result = execute_query($sql,'UPDATE ' . $sql_table . ' SET '. $sql_search_pass."='".$new_db_pass."' WHERE ". $sql_search_id .'="'.$user_db_id.'" LIMIT 1');

      else
        $sql_result = execute_query($sql,'UPDATE ' . $sql_table . ' SET '. $sql_search_pass."='".$new_db_pass."', status='change' WHERE ". $sql_search_id .'="'.$user_db_id.'" LIMIT 1');

      //
      echo ('<p align="center" style="color:green">Wachtwoord veranderd!<br>Vergeet niet uw wachtwoord te noteren! ');
      // Write event to admin logfile
      write_log($username . " changed " . $ptype . " wachtwoord door het wachtwoord tool");
      // Trigger the ispCP manager to update
      send_request();
    }
  }
  echo '</p>';
}
?>
</body>
</html> 


[joximu]

Great work!
But please keep in mind that if there are no checks for hackers, one might try and error for hours to change a (foreign) password...

and: the "send_request" at the end is not neede for all pw changes: only mail IMHO (ftp is changed only in the db, and sql also - at last this is the actual state... maybe this will change in future).

/J

[Dolomike]

Thanks everyone,

I will make an update in the next few days which includes:

• Password change success message in Green
• Password change success/failure entry in the Admin log
• Proposed: Add translation capability
• Proposed: Limit password change attempts
  

Gleno0h,

Thanks for the translation. It probably should be designed to handle translations better. I will look into that for the next release.


joximu,

The hacking was definitely one concern I had. I'm still looking into the best way to limit changes. I will see how the ispCP login page performs this task and see if I can mimic it.

I left the send_request() in there for all password changes just in case anything changed with the core functionality, but it can easily be changed for e-mail password updates only.

Dolomike

[Gleno0h]

(11-19-2009 07:20 AM)Dolomike Wrote:  Thanks everyone,

I will make an update in the next few days which includes:

• Password change success message in Green
• Password change success/failure entry in the Admin log
• Proposed: Add translation capability
• Proposed: Limit password change attempts
  

Gleno0h,

Thanks for the translation. It probably should be designed to handle translations better. I will look into that for the next release.


joximu,

The hacking was definitely one concern I had. I'm still looking into the best way to limit changes. I will see how the ispCP login page performs this task and see if I can mimic it.

I left the send_request() in there for all password changes just in case anything changed with the core functionality, but it can easily be changed for e-mail password updates only.

Dolomike

No problem at all, maybe you could also add some CAPTCHA?

[Dolomike]

(11-19-2009 11:01 AM)Gleno0h Wrote:  No problem at all, maybe you could also add some CAPTCHA?

Good idea. I'll look into that as well.

Dolomike

[Dolomike]

Hi everyone,

I apologize for not getting this done sooner, but things have been a bit busy for me.

Anyway, after looking at some of the requests and how I was going to implement them, I decided to develop a more integrated tool. Although it's not yet completed, I wanted to get some input before I finished everything.

The screenshot below shows you what the GUI looks like. I started with the lostpassword.php file to determine how the PHP code works. The resulting password changer tool functions just like other parts of ispCP.

   

Some features:

• Tighly integrated with ispCP - uses templates, translations, and built-in ispCP functions
• Password changer tool can be enable or disabled through include/ispcp-lib.php
• Each account type (E-mail, FTP, SQL) can be enabled or disabled through include/ispcp-lib.php
• Uses ispCP captcha (same as lostpassword.php)
• Failed attempts will require a retry timer just like a failed login attempt
  

Most of the GUI is completed. There is a bit of backend work to be done but I don't expect that to take too long since most of it can be taken from my original one.

Let me know what you think and if you have any requests before I finalize the tool. I'll post a ZIP file once I get a functioning version. One of the things I would like to have is the ability to enable/disable the settings in the Admin/Setting page. If anyone wants to help me out with that one, I'll send you the config settings.

Dolomike