/**
 * Performs the password change through the configured backend.
 *
 * Loads the backend named by the global $cpw_backend (set by the plugin's
 * configuration -- it is a require path, so it must never come from the
 * request) and fires the 'change_password_dochange' hook with the current
 * and new passwords read from the POST body.  If the hook reports errors
 * they are returned to the caller as an array of messages.  On success the
 * new password is re-encrypted with a freshly generated one-time pad: the
 * pad goes into the session and the ciphertext into the 'key' cookie, so
 * the user keeps a working login with the new credential.  The function
 * then redirects to the options page and exits; it only returns on failure.
 *
 * @return array error messages from the backend (failure path only)
 */
function cpw_do_change()
{
    global $cpw_backend;

    /* request, session and cookie state this needs */
    sqgetGlobalVar('cpw_curpass', $curpw, SQ_POST);
    sqgetGlobalVar('cpw_newpass', $newpw, SQ_POST);
    sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION);
    sqgetGlobalVar('onetimepad', $onetimepad, SQ_SESSION);
    sqgetGlobalVar('key', $key, SQ_COOKIE);
    sqgetGlobalVar('username', $username, SQ_SESSION);

    /* backend file is chosen by configuration, not by the user */
    $backend_file = SM_PATH . 'plugins/change_password/backend/' . $cpw_backend . '.php';
    require_once $backend_file;

    /* the hook receives references so the backend may adjust the values */
    $hook_args = array(
        'username' => &$username,
        'curpw'    => &$curpw,
        'newpw'    => &$newpw,
    );
    $errors = do_hook('change_password_dochange', $hook_args);
    if (count($errors) > 0) {
        /* backend refused the change; let the caller show why */
        return $errors;
    }

    /* re-key the session copy of the password: fresh pad in the session,
     * matching ciphertext in the cookie */
    $onetimepad = OneTimePadCreate(strlen($newpw));
    sqsession_register($onetimepad, 'onetimepad');
    $key = OneTimePadEncrypt($newpw, $onetimepad);
    sqsetcookie('key', $key, 0, $base_uri);

    /* flush the session before handing off so the redirected request
     * sees the new pad */
    session_write_close();
    $target = SM_PATH . 'src/options.php?optmode=submit&optpage=change_password'
            . '&plugin_change_password=1&smtoken=' . sm_generate_security_token();
    header('Location: ' . $target);
    exit;
}
 /**
  * Stores the session copy of the user's password.
  *
  * The plaintext is not kept in one place: a one-time pad of the same
  * length is generated and registered in the session, and the pad-encrypted
  * password is written to the 'key' cookie scoped to $base_uri.  Recovering
  * the password presumably requires both the session pad and the cookie
  * (see OneTimePadEncrypt for the actual construction).
  *
  * @param string $pass the plaintext password
  * @return string the encrypted value that was written to the cookie
  */
 function sqauth_save_password($pass)
 {
     sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION);

     $pad = OneTimePadCreate(strlen($pass));
     sqsession_register($pad, 'onetimepad');

     $encrypted = OneTimePadEncrypt($pass, $pad);
     sqsetcookie('key', $encrypted, false, $base_uri);

     return $encrypted;
 }
                // FIXME DO Check the password policy :
                /*
                if (is_callable(array($admin,"checkPolicy"))  && 
                    !$admin->checkPolicy("pop",$username,$_POST['acp_newpass'])) {
                  $errstr=_("This password is not strong enough for your policy, set a stronger password or call your administrator");
                } else {
                */
                // ok, let's change the password
                $acp_newpass = $_POST['acp_newpass'];
                $newp = _md5cr($acp_newpass);
                mysql_query("UPDATE address SET password='******' WHERE id=" . $c["id"] . " ;");
                $errstr = _("Your password has been successfully changed. Don't forget to change it in your mail software if you are using one (Outlook, Mozilla, Thunderbird, Eudora ...)");
                // Write new cookies for the password
                $onetimepad = OneTimePadCreate(strlen($acp_newpass));
                sqsession_register($onetimepad, 'onetimepad');
                $key = OneTimePadEncrypt($acp_newpass, $onetimepad);
                setcookie("key", $key, 0, $base_uri);
                //	}
            }
        }
    }
}
// Page output: render the header under the squirrelmail text domain, then
// switch back to alternc for this plugin's own strings.
textdomain("squirrelmail");
displayPageHeader($color, 'None');
textdomain("alternc");

// $errstr holds a status or error message.  As far as this listing shows it
// is only ever assigned translated, fixed strings, which is why it is echoed
// without escaping -- it must not start carrying request data.
if ($errstr) {
    printf('<p><b>%s</b></p>', $errstr);
}
?>
  * NB: session_regenerate_id() was added in PHP 4.3.2 (and new session
  *     cookie is only sent out in this call as of PHP 4.3.3), but PHP 4
  *     is not vulnerable to session fixation problems in SquirrelMail
  *     because it prioritizes $base_uri subdirectory cookies differently
  *     than PHP 5, which is otherwise vulnerable.  If we really want to,
  *     we could define our own session_regenerate_id() when one does not
  *     exist, but there seems to be no reason to do so.
  */
 // Issue a fresh session id as the user authenticates, so an id handed to
 // the browser before login cannot be carried over (session fixation).
 // NOTE(review): this is the no-argument form, so the old session data is
 // not removed server-side; session_regenerate_id(true) does that on
 // PHP >= 5.1 -- check the supported PHP range before changing it.
 if (function_exists('session_regenerate_id')) {
     session_regenerate_id();
     // re-send session cookie so we get the right parameters on it
     // (such as HTTPOnly, if necessary -- PHP doesn't do this itself)
     sqsetcookie(session_name(), session_id(), false, $base_uri);
 }
 // Keep the password out of the session in the clear: only the pad is
 // registered, and from here on the pad-encrypted form ($key) is used.
 $onetimepad = OneTimePadCreate(strlen($secretkey));
 $key = OneTimePadEncrypt($secretkey, $onetimepad);
 sqsession_register($onetimepad, 'onetimepad');
 /* remove redundant spaces */
 $login_username = trim($login_username);
 /* Optionally normalise the user name (config-driven) before the login. */
 if ($force_username_lowercase) {
     $login_username = strtolower($login_username);
 }
 /* Verify that username and password are correct: the IMAP login is the
  * credential check.  It is handed the encrypted $key, presumably
  * decrypting it with the session pad -- confirm in sqimap_login. */
 $imapConnection = sqimap_login($login_username, $key, $imapServerAddress, $imapPort, 0);
 /* Cache server capabilities and folder delimiter in the session; the
  * connection is only needed for this probe and is closed right after. */
 $sqimap_capabilities = sqimap_capability($imapConnection);
 sqsession_register($sqimap_capabilities, 'sqimap_capabilities');
 $delimiter = sqimap_get_delimiter($imapConnection);
 sqimap_logout($imapConnection);
 sqsession_register($delimiter, 'delimiter');
 /* The normalised name is what the rest of the session identifies the user by. */
 $username = $login_username;
 sqsession_register($username, 'username');
        }
        $vm_passwd = $settings[1];
    }
    // Couldn't find what's needed
    if (!$domain_name || !$vm_passwd) {
        sayError("Could not derive your domain name and password, possibly due to misconfiguration. Alert your admin!");
    }
    /** Including the vmailmgr's PHP includes file. Read INSTALL. **/
    include "vchpass/vmail.inc";
    $result = vchpass($domain_name, $vm_passwd, $vmailmgr_username, $newpass);
    /** Returns 0 if successful **/
    if ($result[0]) {
        sayError("Could not change password. The error returned by vmailmgr is: {$result['1']}.");
    }
    /** Now updating the cookie so we can keep interfacing with IMAP server 
     ** without having to re-login 
     **/
    ereg("(^.*/)[^/]+/[^/]+/[^/]+\$", $PHP_SELF, $regs);
    //get out of plugins dir
    $base_uri = $regs[1];
    setcookie("key", OneTimePadEncrypt($newpass, $onetimepad), 0, $base_uri);
    doMyHeader();
    echo "<p align='center'>" . _("Password changed successfully") . "</p>";
}
/** That's all, folks. Now, if you STILL haven't read SECURITY, do so
 ** NOW. REALLY! 
 **/
?>
</body>
</html>
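 /**
  * function prepareRFC822_Header - builds the RFC 822 header block of an outgoing message
  *
  * Takes the Rfc822Header object(s) and serialises them into the header
  * string handed to the SMTP server (or sendmail) ahead of the body.  The
  * Received:/X-Squirrel-*: tracing lines, Message-ID, In-Reply-To,
  * References and Date are generated here and written back into
  * $rfc822_header so that the copy saved to the Sent folder carries the
  * same values.
  *
  * Trust boundaries: REMOTE_HOST, HTTP_VIA and HTTP_X_FORWARDED_FOR are
  * client-influenced (reverse DNS / request headers).  They are only ever
  * placed inside header *values*, and CR/LF are stripped from them first
  * so they cannot terminate a header line.  Entries in
  * $rfc822_header->more_headers are emitted verbatim -- callers must put
  * only sanitised names and values there.
  *
  * @param Rfc822Header  $rfc822_header       header of the message being sent; updated in place
  * @param Rfc822Header  $reply_rfc822_header header of the message being replied to; only used when
  *                                            it is an object with a non-empty message_id
  * @param integer      &$raw_length          running byte count; the final header length is added
  *                                            to it, and so is the Bcc line when that line is kept
  *                                            out of the header (getBcc() false)
  *
  * @return string $header the header block, including the blank line separating it from the body
  */
 function prepareRFC822_Header(&$rfc822_header, $reply_rfc822_header, &$raw_length)
 {
     global $domain, $version, $username, $encode_header_key, $edit_identity, $hide_auth_header;
     if (!isset($hide_auth_header)) {
         $hide_auth_header = false;
     }
     /* if server var SERVER_NAME not available, use $domain */
     if (!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER)) {
         $SERVER_NAME = $domain;
     }
     sqGetGlobalVar('REMOTE_ADDR', $REMOTE_ADDR, SQ_SERVER);
     sqGetGlobalVar('REMOTE_PORT', $REMOTE_PORT, SQ_SERVER);
     sqGetGlobalVar('REMOTE_HOST', $REMOTE_HOST, SQ_SERVER);
     sqGetGlobalVar('HTTP_VIA', $HTTP_VIA, SQ_SERVER);
     sqGetGlobalVar('HTTP_X_FORWARDED_FOR', $HTTP_X_FORWARDED_FOR, SQ_SERVER);
     $rn = "\r\n";
     /* Defence in depth: these values are client-influenced and are written
      * into header values below.  A bare CR or LF would end the header line
      * early (header injection), so drop them.  A sane web server never
      * passes them through, but the check costs nothing. */
     $crlf = array("\r", "\n");
     if (isset($REMOTE_HOST)) {
         $REMOTE_HOST = str_replace($crlf, '', $REMOTE_HOST);
     }
     if (isset($HTTP_VIA)) {
         $HTTP_VIA = str_replace($crlf, '', $HTTP_VIA);
     }
     if (isset($HTTP_X_FORWARDED_FOR)) {
         $HTTP_X_FORWARDED_FOR = str_replace($crlf, '', $HTTP_X_FORWARDED_FOR);
     }
     /* This creates an RFC 822 date */
     $date = date('D, j M Y H:i:s ', time()) . $this->timezone();
     /* Create a message-id unless the caller supplied one.  The seed mixes
      * per-user data with uniqid()/mt_rand() purely to reduce collisions and
      * is hashed so the user name and address do not appear in the clear.
      * This is not a security token, so mt_rand() is acceptable here. */
     $message_id = 'MESSAGE ID GENERATION ERROR! PLEASE CONTACT SQUIRRELMAIL DEVELOPERS';
     if (empty($rfc822_header->message_id)) {
         $seed_data = $username . '.';
         $seed_data .= !empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : '';
         $seed_data .= !empty($REMOTE_ADDR) ? $REMOTE_ADDR . '.' : '';
         /* add the current time in milliseconds and randomness */
         $seed_data .= uniqid(mt_rand(), true);
         $message_id = '<' . md5($seed_data) . '.squirrel@' . $SERVER_NAME . '>';
     }
     /* Make an RFC822 Received: line */
     if (isset($REMOTE_HOST)) {
         $received_from = "{$REMOTE_HOST} ([{$REMOTE_ADDR}])";
     } else {
         $received_from = $REMOTE_ADDR;
     }
     if (isset($HTTP_VIA) || isset($HTTP_X_FORWARDED_FOR)) {
         if (!isset($HTTP_X_FORWARDED_FOR) || $HTTP_X_FORWARDED_FOR == '') {
             $HTTP_X_FORWARDED_FOR = 'unknown';
         }
         $received_from .= " (proxying for {$HTTP_X_FORWARDED_FOR})";
     }
     $header = array();
     /**
      * SquirrelMail header
      *
      * This Received: header provides information that allows to track
      * user and machine that was used to send email. Don't remove it
      * unless you understand all possible forging issues or your
      * webmail installation does not prevent changes in user's email address.
      * See SquirrelMail bug tracker #847107 for more details about it.
      */
     // FIXME: The following headers may generate slightly differently between the message sent to the destination and that stored in the Sent folder because this code will be called before both actions.  This is not necessarily a big problem, but other headers such as Message-ID and Date are preserved between both actions
     if (isset($encode_header_key) && trim($encode_header_key) != '') {
         // use encoded headers, if encryption key is set and not empty
         // NOTE(review): the same $encode_header_key is reused for every
         // message.  If OneTimePadEncrypt is a plain XOR pad (as its name
         // suggests) this yields a deterministic, reversible encoding of the
         // user name rather than confidentiality -- confirm the construction
         // before relying on these headers to hide the sender.
         $hash_key = base64_encode($encode_header_key);
         $header[] = 'X-Squirrel-UserHash: ' . OneTimePadEncrypt($username, $hash_key) . $rn;
         $header[] = 'X-Squirrel-FromHash: ' . OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR), $hash_key) . $rn;
         if (isset($HTTP_X_FORWARDED_FOR)) {
             // fixed: the space after the colon was missing, unlike its siblings
             $header[] = 'X-Squirrel-ProxyHash: ' . OneTimePadEncrypt($this->ip2hex($HTTP_X_FORWARDED_FOR), $hash_key) . $rn;
         }
     } else {
         // use default received headers
         $header[] = "Received: from {$received_from}" . $rn;
         /* $hide_auth_header is always set by the guard at the top */
         if ($edit_identity || !$hide_auth_header) {
             $header[] = "        (SquirrelMail authenticated user {$username})" . $rn;
         }
         $header[] = "        by {$SERVER_NAME} with HTTP;" . $rn;
         $header[] = "        {$date}" . $rn;
     }
     /* Insert the rest of the header fields */
     if (!empty($rfc822_header->message_id)) {
         $header[] = 'Message-ID: ' . $rfc822_header->message_id . $rn;
     } else {
         $header[] = 'Message-ID: ' . $message_id . $rn;
         $rfc822_header->message_id = $message_id;
     }
     if (is_object($reply_rfc822_header) && isset($reply_rfc822_header->message_id) && $reply_rfc822_header->message_id) {
         $rep_message_id = $reply_rfc822_header->message_id;
         $header[] = 'In-Reply-To: ' . $rep_message_id . $rn;
         $rfc822_header->in_reply_to = $rep_message_id;
         $references = $this->calculate_references($reply_rfc822_header);
         $header[] = 'References: ' . $references . $rn;
         $rfc822_header->references = $references;
     }
     if (!empty($rfc822_header->date) && $rfc822_header->date != -1) {
         $header[] = 'Date: ' . $rfc822_header->date . $rn;
     } else {
         $header[] = "Date: {$date}" . $rn;
         $rfc822_header->date = $date;
     }
     $header[] = 'Subject: ' . encodeHeader($rfc822_header->subject) . $rn;
     // folding address list [From|To|Cc|Bcc] happens by using ",$rn<space>"
     // as delimiter
     // Do not use foldLine for that.
     $header[] = 'From: ' . $rfc822_header->getAddr_s('from', ",{$rn} ", true) . $rn;
     // RFC2822 if from contains more then 1 address
     if (count($rfc822_header->from) > 1) {
         $header[] = 'Sender: ' . $rfc822_header->getAddr_s('sender', ',', true) . $rn;
     }
     if (count($rfc822_header->to)) {
         $header[] = 'To: ' . $rfc822_header->getAddr_s('to', ",{$rn} ", true) . $rn;
     }
     if (count($rfc822_header->cc)) {
         $header[] = 'Cc: ' . $rfc822_header->getAddr_s('cc', ",{$rn} ", true) . $rn;
     }
     if (count($rfc822_header->reply_to)) {
         $header[] = 'Reply-To: ' . $rfc822_header->getAddr_s('reply_to', ',', true) . $rn;
     }
     /* Sendmail should return true. Default = false */
     $bcc = $this->getBcc();
     if (count($rfc822_header->bcc)) {
         $s = 'Bcc: ' . $rfc822_header->getAddr_s('bcc', ",{$rn} ", true) . $rn;
         if (!$bcc) {
             /* line is withheld from the header but still counted */
             $raw_length += strlen($s);
         } else {
             $header[] = $s;
         }
     }
     /* Identify SquirrelMail */
     $header[] = 'User-Agent: SquirrelMail/' . $version . $rn;
     /* Do the MIME-stuff */
     $header[] = 'MIME-Version: 1.0' . $rn;
     $contenttype = 'Content-Type: ' . $rfc822_header->content_type->type0 . '/' . $rfc822_header->content_type->type1;
     if (count($rfc822_header->content_type->properties)) {
         foreach ($rfc822_header->content_type->properties as $k => $v) {
             if ($k && $v) {
                 $contenttype .= ';' . $k . '=' . $v;
             }
         }
     }
     $header[] = $contenttype . $rn;
     if ($encoding = $rfc822_header->encoding) {
         $header[] = 'Content-Transfer-Encoding: ' . $encoding . $rn;
     }
     if ($rfc822_header->dnt) {
         $dnt = $rfc822_header->getAddr_s('dnt');
         /* Pegasus Mail */
         $header[] = 'X-Confirm-Reading-To: ' . $dnt . $rn;
         /* RFC 2298 */
         $header[] = 'Disposition-Notification-To: ' . $dnt . $rn;
     }
     if ($rfc822_header->priority) {
         switch ($rfc822_header->priority) {
             case 1:
                 $header[] = 'X-Priority: 1 (Highest)' . $rn;
                 $header[] = 'Importance: High' . $rn;
                 break;
             case 3:
                 $header[] = 'X-Priority: 3 (Normal)' . $rn;
                 $header[] = 'Importance: Normal' . $rn;
                 break;
             case 5:
                 $header[] = 'X-Priority: 5 (Lowest)' . $rn;
                 $header[] = 'Importance: Low' . $rn;
                 break;
             default:
                 break;
         }
     }
     /* Insert headers from the $more_headers array -- emitted verbatim, so
      * the caller is responsible for the names and values being safe. */
     if (count($rfc822_header->more_headers)) {
         foreach ($rfc822_header->more_headers as $k => $v) {
             $header[] = $k . ': ' . $v . $rn;
         }
     }
     /* Serialise: identifier-bearing and address headers are never folded
      * by foldLine (a fold inside a Message-ID or an address breaks it);
      * References is folded only between ids; everything else is folded
      * at 78 columns. */
     $hdr_s = '';
     foreach ($header as $line) {
         $sKey = substr($line, 0, strpos($line, ':'));
         switch ($sKey) {
             case 'Message-ID':
             case 'In-Reply-To':   /* fixed: was misspelt 'In-Reply_To' and so fell through to foldLine */
                 $hdr_s .= $line;
                 break;
             case 'References':
                 $sRefs = substr($line, 12);
                 $aRefs = explode(' ', $sRefs);
                 $sLine = 'References:';
                 foreach ($aRefs as $sReference) {
                     if (trim($sReference) == '') {
                         /* Don't add spaces. */
                     } elseif (strlen($sLine) + strlen($sReference) > 76) {
                         $hdr_s .= $sLine;
                         $sLine = $rn . '    ' . $sReference;
                     } else {
                         $sLine .= ' ' . $sReference;
                     }
                 }
                 $hdr_s .= $sLine;
                 break;
             case 'To':
             case 'Cc':
             case 'Bcc':
             case 'From':
                 $hdr_s .= $line;
                 break;
             default:
                 $hdr_s .= $this->foldLine($line, 78);
                 break;
         }
     }
     /* One blank line to separate header and body */
     $header = $hdr_s . $rn;
     $raw_length += strlen($header);
     return $header;
 }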