Current time: 12-22-2024, 09:12 PM Hello There, Guest! (LoginRegister)


Thread Closed 
E-mail, FTP, and SQL Password Changer - Updated
Author Message
Dolomike Offline
Newbie
*

Posts: 7
Joined: Sep 2009
Reputation: 1
Post: #1
E-mail, FTP, and SQL Password Changer - Updated
This version is no longer maintained

Please see this thread for a newer (and better) version.



Hi,

I've expanded an existing e-mail password changer located here to include the ability to change FTP and SQL passwords as well. It also does some simple password validity checking.

You can find the code for password changer here: http://www.isp-control.net/documentation...rd_changer

I installed mine under tools/passwordchanger/index.php.

Feel free to update or fix any errors.

Dolomike
(This post was last modified: 02-28-2010 05:59 PM by Dolomike.)
10-17-2009 04:38 PM
Find all posts by this user
Gleno0h Offline
Junior Member
*

Posts: 19
Joined: Nov 2009
Reputation: 0
Post: #2
RE: E-mail, FTP, and SQL Password Changer
Thanks, works great.

I suggest you make the "Password changed" text green though.

Thanks for this!
11-17-2009 06:20 PM
Find all posts by this user
gOOvER Offline
Banned

Posts: 3,561
Joined: Jul 2007
Post: #3
RE: E-mail, FTP, and SQL Password Changer
Great Work. Thanks for your contribution Smile
11-17-2009 06:24 PM
Visit this user's website Find all posts by this user
Gleno0h Offline
Junior Member
*

Posts: 19
Joined: Nov 2009
Reputation: 0
Post: #4
RE: E-mail, FTP, and SQL Password Changer
I've also translated this into dutch, i hope/asume you dont mind.
+ it has green succes message Tongue
(some things like mysql functions arnt translated, not needed i think ...
PHP Code:
<?php
/*
*  ispcp Password Changer
*  author: dolomike
*  translation: Gleno0h
*  language: Dutch
*  Version: 0.1
*
*  Feel free to modify and distribute
*
*  Based on http://www.isp-control.net/documentation/doku.php?id=howto:mail:change_webmailpass
*  Modified to allow password changes to e-mail, ftp, and SQL users
*  Does not require adodb but uses built in ispCP functions
*  Added javascript to check password entry requirements before submit
*/
require '../../include/ispcp-lib.php';

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>IspCP Wachtwoord Veranderen</title>
<meta name="robots" content="noindex,nofollow">
<link rel="stylesheet" type="text/css" href="/webmail/themes/css/omega.css">
<style type="text/css">
<!--
body, td, input, select, textarea {
    font-family:Tahoma, Geneva, sans-serif;
    font-size:9px;
}
input, textarea, select {
    border:#7f9db9 1px solid;
    padding:0px;
}
-->
</style>
<script type="text/javascript">
  function checkForm(form)
  {
    // Check of de gebruikersnaam leeg is
    if(form.username.value == "") {
      alert("Error: Gebruikersnaam is leeg");
      form.username.focus();
      return false;
    }

    // Check of er ongeldige tekens in de gebruikersnaam gebruikt worden
    //if (form.ptype.value != "sql")
    //{
    //  re = /^\w+$/;
    //  if(!re.test(form.username.value)) {
    //    alert("Error: Gebruikersnaam mag alleen letters, cijfers en sommige tekens bevatten.");
    //    form.username.focus();
    //    return false;
    //  }
    //}

    // Check of het oude wachtwoord veld leeg is
    if(form.oldpass.value == "") {
      alert("Error: Oude wachtwoord niet ingevult.");
      form.oldpass.focus();
      return false;
    }

    // Check of het nieuwe wachtwoord veld leeg is
    if(form.newpass.value == "") {
      alert("Error: Nieuw wachtwoord niet ingevult.");
      form.newpass.focus();
      return false;
    }

    // Check of het nieuwe herhaalde wachtwoord veld leeg is
    if(form.newpassr.value == "") {
      alert("Error: Please repeat the new password!");
      form.newpassr.focus();
      return false;
    }

    // Er zeker van zijn dat het wachtwoord minstens 1 cijfer heeft
    re = /[0-9]/;
    if(!re.test(form.newpass.value)) {
       alert("Error: het wachtwoord moet minstens 1 cijfer hebben (0-9)!");
       form.newpass.focus();
       return false;
     }

    // Er zeker van zijn dat het wachtwoord minsten 1 kleine letter heeft
    re = /[a-z]/;
    if(!re.test(form.newpass.value)) {
      alert("Error: het wachtwoord moet minimaal 1 kleine letter hebben (a-z)!");
      form.newpass.focus();
      return false;
    }

    // Check of de wachtwoord lengte klopt
    if (form.ptype.value == "sql")
    {
      if((form.newpass.value.length < 1) || (form.newpass.value.length > 32)) {
      alert("Error: Wachtwoord moet tussen 1 en 32 tekens hebben");
      form.newpass.focus();
      return false;
      }
    }
    else
    {
      if((form.newpass.value.length < 6) || (form.newpass.value.length > 15)) {
        alert("Error: Wachtwoord moet tussen 6 en 15 tekens hebben");
        form.newpass.focus();
        return false;
      }
    }


    // Check of de nieuwe wachtwoorden overeen komen
    if(form.newpass.value != form.newpassr.value) {
      alert("Error: Nieuwe wachtwoord komen niet overeen");
      //form.newpass = "";
     // form.newpassr = "";
      form.newpassr.focus();
      return false;
    }

    //Extra:
//    re = /[A-Z]/;
//    if(!re.test(form.pwd1.value)) {
//      alert("Error: wachtwoord moet minstens 1 hoofdletter hebben (A-Z)!");
//      form.pwd1.focus();
//      return false;
//    }
//  }

// Geen problemen, accepteer dan de verandering en stuur het door naar IspCP
return true;
}
</script>
</head>
<body bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000">
<form action="" method="post" name="login_form" onSubmit="return checkForm(this);">
  <div id="container">
    <h1>Wachtwoord veranderen</h1>
    <fieldset class="login">
        <p class="login">
        <table cellpadding="0" cellspacing="0" style="color:#CCC">
          <tr>
            <td align ="left">&nbsp;<strong>Type:</strong></td>
            <td><select name="ptype" style="width:130px;"/>
                <option value="e-mail">E-Mail Wachtwoord</option>
                <option value="ftp">FTP Wachtwoord</option>
                <option value="sql">SQL Wachtwoord</option>
            </td>
          </tr>
          <tr>
            <td align="left">&nbsp;<strong>Gebruikersnaam:</strong></td>
            <td><input type="text" name="username"  style="width:130px;"/></td>
          </tr>
          <tr>
            <td align="left">&nbsp;<strong>Oude wachtwoord:</strong></td>
            <td><input type="password" name="oldpass"  style="width:130px;"/></td>
          </tr>
          <tr>
            <td align="left">&nbsp;<strong>Nieuwe wachtwoord:</strong></td>
            <td><input type="password" name="newpass"  style="width:130px;" maxlength="15"/></td>
          </tr>
          <tr>
            <td align="left">&nbsp;<strong>Herhaal wachtwoord:</strong></td>
            <td><input type="password" name="newpassr"  style="width:130px;" maxlength="15"/></td>
          </tr>
          <tr>
            <td align="left"></td>
            <td><input type="submit" name="changepass" value="Verander!" /></td>
          </tr>
        </table>
      </p>
    </fieldset>
  </div>
</form>

// Verder geen vertaling nodig qua mysql connectie etc. Scroll verder voor de error berichten.
<?php

// Ensure all the required values are passed in
if(isset($_POST['changepass'])=='Change'&&!empty($_POST['username'])&&!empty($_POST['oldpass'])&&!empty($_POST['newpass'])&&!empty($_POST['newpassr']))
{
  
// assign the username, password and type  to variables
  
if(isset($_POST['username']))$username=$_POST['username'];
  if(isset(
$_POST['oldpass']))$oldpass=($_POST['oldpass']);
  if(isset(
$_POST['newpass']))$newpass=($_POST['newpass']);
  if(isset(
$_POST['ptype']))$ptype=($_POST['ptype']);
  
// populate the SQL parameters based on type of password being changed
  
switch ($ptype)
  {
    case 
"e-mail":
      
$sql_table "mail_users";
      
$sql_search_id "mail_id";
      
$sql_search_field "mail_addr";
      
$sql_search_pass "mail_pass";
      break;
    case 
"ftp":
      
$sql_table "ftp_users";
      
$sql_search_id "userid";
      
$sql_search_field "userid";
      
$sql_search_pass "passwd";
      break;
    case 
"sql":
      
$sql_table "sql_user";
      
$sql_search_id "sqlu_id";
      
$sql_search_field "sqlu_name";
      
$sql_search_pass "sqlu_pass";
      break;
  }
  
// Run the SQL command to find the user and password
  
$sql_result execute_query($sql,'SELECT ' $sql_search_id ', ' $sql_search_pass.' FROM '$sql_table.' WHERE '$sql_search_field .'= "' .$username.'"');

  
// store the result for later processing
  
$user_db_id $sql_result->fields[$sql_search_id];
  
$user_db_pass $sql_result->fields[$sql_search_pass];

  
// Bekijk of de gebruikersnaam bestaat
  
if ($sql_result->RecordCount() == 0)
  {
    echo (
'<p align="center" style="color:#F00">Incorrecte gebruikersnaam of wachtwoord, probeer opnieuw. ');
    return 
false;
  }
  elseif (
$sql_result->RecordCount() > 1)
  {
    echo (
'<p align="center" style="color:#F00">Er is een error opgetreden, neem contact op met de systeembeheerder(s). ');
    return 
false;
  }
  
// One entry found. Check if the old password match
  
else
  {
    
// check if the old passwords match
    // ftp passwords are stored a bit differently than e-mail and SQL
    
if ($ptype == "ftp")
    {
      if (
crypt($oldpass,$user_db_pass) == $user_db_pass)
        
$pass_match 1;
      else
        
$pass_match 0;
    }
    
// Check e-mail and SQL users this way
    
else
    {
      if (
encrypt_db_password($oldpass) == $user_db_pass)
        
$pass_match 1;
      else
        
$pass_match 0;
    }

    if (
$pass_match == 1)
    {

      
//Encrypt the new passwords
      // ftp passwords are stored with crypt
      
if ($ptype == "ftp")
      {
        
$new_db_pass crypt_user_pass_with_salt($newpass);
      }
      
// otherwise md5 with e-mail and SQL
      
else
      {
        
$new_db_pass encrypt_db_password($newpass);
      }
      
// Perform the password update
      
if ($ptype == "sql")
      {
        
// Update ispCP SQL password
        
$sql_result execute_query($sql,'UPDATE ' $sql_table ' SET '$sql_search_pass."='".$new_db_pass."'  WHERE "$sql_search_id .'="'.$user_db_id.'" LIMIT 1');
        
// update MYSQL login data
        
$query =  execute_query($sql'SET PASSWORD FOR "' $username'"@"%" = PASSWORD("'.$newpass.'")');
        
$query =  execute_query($sql'SET PASSWORD FOR "' $username'"@"localhost" = PASSWORD("'.$newpass.'")');
      }
      elseif (
$ptype == "ftp")
        
$sql_result execute_query($sql,'UPDATE ' $sql_table ' SET '$sql_search_pass."='".$new_db_pass."' WHERE "$sql_search_id .'="'.$user_db_id.'" LIMIT 1');

      else
        
$sql_result execute_query($sql,'UPDATE ' $sql_table ' SET '$sql_search_pass."='".$new_db_pass."', status='change' WHERE "$sql_search_id .'="'.$user_db_id.'" LIMIT 1');

      
//
      
echo ('<p align="center" style="color:green">Wachtwoord veranderd!<br>Vergeet niet uw wachtwoord te noteren! ');
      
// Write event to admin logfile
      
write_log($username " changed " $ptype " wachtwoord door het wachtwoord tool");
      
// Trigger the ispCP manager to update
      
send_request();
    }
  }
  echo 
'</p>';
}
?>
</body>
</html> 
11-17-2009 08:50 PM
Find all posts by this user
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #5
RE: E-mail, FTP, and SQL Password Changer
Great work!
But please keep in mind that if there are no checks for hackers, one might try and error for hours to change a (foreign) password...

and: the "send_request" at the end is not neede for all pw changes: only mail IMHO (ftp is changed only in the db, and sql also - at last this is the actual state... maybe this will change in future).

/J
11-17-2009 09:40 PM
Visit this user's website Find all posts by this user
Dolomike Offline
Newbie
*

Posts: 7
Joined: Sep 2009
Reputation: 1
Post: #6
RE: E-mail, FTP, and SQL Password Changer
Thanks everyone,

I will make an update in the next few days which includes:
  • Password change success message in Green
  • Password change success/failure entry in the Admin log
  • Proposed: Add translation capability
  • Proposed: Limit password change attempts

Gleno0h,

Thanks for the translation. It probably should be designed to handle translations better. I will look into that for the next release.


joximu,

The hacking was definitely one concern I had. I'm still looking into the best way to limit changes. I will see how the ispCP login page performs this task and see if I can mimic it.

I left the send_request() in there for all password changes just in case anything changed with the core functionality, but it can easily be changed for e-mail password updates only.

Dolomike
11-19-2009 07:20 AM
Find all posts by this user
Gleno0h Offline
Junior Member
*

Posts: 19
Joined: Nov 2009
Reputation: 0
Post: #7
RE: E-mail, FTP, and SQL Password Changer
(11-19-2009 07:20 AM)Dolomike Wrote:  Thanks everyone,

I will make an update in the next few days which includes:
  • Password change success message in Green
  • Password change success/failure entry in the Admin log
  • Proposed: Add translation capability
  • Proposed: Limit password change attempts

Gleno0h,

Thanks for the translation. It probably should be designed to handle translations better. I will look into that for the next release.


joximu,

The hacking was definitely one concern I had. I'm still looking into the best way to limit changes. I will see how the ispCP login page performs this task and see if I can mimic it.

I left the send_request() in there for all password changes just in case anything changed with the core functionality, but it can easily be changed for e-mail password updates only.

Dolomike

No problem at all, maybe you could also add some CAPTCHA?
11-19-2009 11:01 AM
Find all posts by this user
Dolomike Offline
Newbie
*

Posts: 7
Joined: Sep 2009
Reputation: 1
Post: #8
RE: E-mail, FTP, and SQL Password Changer
(11-19-2009 11:01 AM)Gleno0h Wrote:  No problem at all, maybe you could also add some CAPTCHA?

Good idea. I'll look into that as well.

Dolomike
11-19-2009 12:10 PM
Find all posts by this user
Dolomike Offline
Newbie
*

Posts: 7
Joined: Sep 2009
Reputation: 1
Post: #9
RE: E-mail, FTP, and SQL Password Changer - Updated!
Hi everyone,

I apologize for not getting this done sooner, but things have been a bit busy for me.

Anyway, after looking at some of the requests and how I was going to implement them, I decided to develop a more integrated tool. Although it's not yet completed, I wanted to get some input before I finished everything.

The screenshot below shows you what the GUI looks like. I started with the lostpassword.php file to determine how the PHP code works. The resulting password changer tool functions just like other parts of ispCP.

   

Some features:
  • Tighly integrated with ispCP - uses templates, translations, and built-in ispCP functions
  • Password changer tool can be enable or disabled through include/ispcp-lib.php
  • Each account type (E-mail, FTP, SQL) can be enabled or disabled through include/ispcp-lib.php
  • Uses ispCP captcha (same as lostpassword.php)
  • Failed attempts will require a retry timer just like a failed login attempt

Most of the GUI is completed. There is a bit of backend work to be done but I don't expect that to take too long since most of it can be taken from my original one.

Let me know what you think and if you have any requests before I finalize the tool. I'll post a ZIP file once I get a functioning version. One of the things I would like to have is the ability to enable/disable the settings in the Admin/Setting page. If anyone wants to help me out with that one, I'll send you the config settings.

Dolomike
(This post was last modified: 02-26-2010 10:27 AM by Dolomike.)
02-26-2010 08:21 AM
Find all posts by this user
Thread Closed 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)