#!/usr/bin/perl
# CGI front end for changing web passwords.  It emits the page header,
# dispatches on the submitted form fields, then emits the page footer.

# ReadParse, PrintHeader, HtmlTop and HtmlBot are not defined in this file;
# they are expected to come from cgi-lib.pl.
require "/Admin/apache/config/d0world/cgi-bin/cgi-lib.pl";

print &PrintHeader;
print &HtmlTop("Password change page");

# Password files maintained by this script.
$PASSWORDFILE      = "/Admin/wsrvd0/auth/passwd";
$ADMINPASSWORDFILE = "/Admin/wsrvd0/auth/passwd.admin";

# (FF) the following should be modified to point to the actual executables
# $CHECKPASSWORD is later run with values taken from the request, so keep
# both paths absolute and not writable by the web server account.
$CHECKPASSWORD  = "/Admin/wsrvd0/auth/apache/htcheck";
$MODIFYPASSWORD = "/Admin/wsrvd0/auth/apache/htpasswd";

# One message for every authentication failure.
$FAILMESSAGE = "
Your login or password was incorrect. Please hit the back button and try again.
";

# Route the request.  A false return from ReadParse means no form fields
# were parsed, so the initial form is shown.
if (!&ReadParse(*input)) {
    &display_form;
}
elsif ($input{'adminpassform'}) {
    &admin_passwd_form;
}
elsif ($input{'adminchgpass'}) {
    &admin_change_password;
}
else {
    &process_new_passwd;
}

print &HtmlBot;

### End of script

# Print the text of the initial change-password page.
sub display_form {
    print("Enter your current login id and password below and then your desired new passwd twice.
\n");
    # print ("
    # \n");
    # print ("If you are an admin you can change a user password
    # \n");
    print("If you are an admin you can change a user password
\n");
}
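# Handle a user's own password change.  Reads the global %input filled by
# ReadParse, validates the submitted fields, checks the current credentials
# with $CHECKPASSWORD and then looks the login up with ypmatch.  Each failed
# validation sets $BAILMESSAGE and calls &bail.
# NOTE(review): the checks only act as guards if &bail never returns --
# confirm against its definition.
sub process_new_passwd {
    # Both the login id and the current password are required.
    if ((! $input{'passwd'}) || (! $input{'loginid'})) {
        $BAILMESSAGE = "You must enter a login id and password";
        &bail;
    }
    # The new password must be typed identically twice.
    if ( "$input{'newpass1'}" ne "$input{'newpass2'}" ) {
        $BAILMESSAGE = "The two new passwords did not match";
        &bail;
    }
    # The new password must differ from the current one.
    if ( "$input{'newpass1'}" eq "$input{'passwd'}" ) {
        $BAILMESSAGE = "The old passwd can not match the new password.";
        &bail;
    }
    # The new password must be 4 to 8 characters long.
    if ( length($input{'newpass1'}) > 8 || length($input{'newpass1'}) < 4 ) {
        $BAILMESSAGE = "Passwd must be from 4 to 8 characters in size. Hit back and try again";
        &bail;
    }
    # Probe that the password file can be read before running the checker.
    unless (open (PASS, "< $PASSWORDFILE")) {
        $BAILMESSAGE = "Can not open password file";
        &bail;
    }
    close (PASS);

    # loginid and passwd come straight from the request.  They are passed to
    # the checker as a list so that Perl executes it directly and no shell
    # ever parses them; the single-string form of system() hands the whole
    # command line to /bin/sh when it contains shell metacharacters.
    # NOTE(review): the current password is still visible in the process
    # list as an argument while the checker runs, and a login id beginning
    # with "-" may be read as an option by the checker or by ypmatch.
    # Consider validating loginid against the site's account-name format.
    $match = system($CHECKPASSWORD, $PASSWORDFILE, $input{'loginid'}, $input{'passwd'});
    if ($match == 0) {
        # The login id is user-controlled, so ypmatch is started with the
        # list form of exec behind a forking open: the whole value reaches
        # ypmatch as one argument and is never interpreted by a shell.
        # NOTE(review): a failed fork makes open return undef, which also
        # takes the exec branch and replaces this CGI process; a failed exec
        # in the child falls through into the parent's code.  Check the
        # return of open with defined() and die if exec fails.
        open YPPASS, "-|" or exec "/bin/ypmatch", $input{'loginid'}, "passwd" ;
        # NOTE(review): this copy of the script is damaged from here on.
        # The text between the assignment below and the closing `");` is
        # missing, so the remaining lines are reproduced unchanged.
$line = ");
print &HtmlBot;
exit;
}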
# Print the introductory text of the administrator's change-password page.
sub admin_passwd_form {
    my $intro = " This page is used by a web administrator to change a users password. \n";
    print($intro);
    # print (" \n");
}
# Administrator request to change a user's password (form fields
# usernewpass1 / usernewpass2 in the global %input).
# NOTE(review): only the opening checks survive in this copy.  The surviving
# lines show no check of the administrator's own credentials and no length
# rule on the new password -- confirm both exist in the complete source.
sub admin_change_password {
# The two copies of the new password must be identical.
if ( "$input{'usernewpass1'}" ne "$input{'usernewpass2'}" ) {
$BAILMESSAGE = "The two new passwords did not match";
&bail;
}
# Open the admin password file in read/update mode ("+<").
unless (open (ADMINPASS, "+< $ADMINPASSWORDFILE")) {
$BAILMESSAGE = "Can not open admin password file";
&bail;
}
# NOTE(review): the text between the loop header below and the closing
# `\n");` is missing in this copy, so the conditions that select the
# branches that follow cannot be read from here.
while (
\n");
} else {
print ("Error updating password file
\n");
}
} else {
print ("
\n");
}
} else {
print $FAILMESSAGE ;
}
}
# Helper called by the form handlers after they set $BAILMESSAGE.
# NOTE(review): this copy is damaged.  The only surviving statement of the
# helper is a print whose string shows just a line break, and the else
# branches after it have no matching `if` here; they look like the tail of
# another routine.  Whether bail prints $BAILMESSAGE and then exits cannot
# be confirmed from this fragment -- check the complete source, because the
# callers' validation checks depend on bail not returning.
sub bail {
print ("
\n");
} else {
print ("Error updating password file
\n");
}
} else {
print ("User id not valid
\n");
}
} else {
print $FAILMESSAGE;
}
} else {
print $FAILMESSAGE;
}
}