Exemplo n.º 1
/**
 * Performs the password change by firing the 'change_password_dochange'
 * hook, after loading the backend file named by $cpw_backend.
 *
 * If the hook reports anything, that result is returned to the caller as the
 * error message(s). Otherwise the copy of the password kept for the session
 * is replaced (new pad in the session, new encrypted value in the 'key'
 * cookie) so the user does not have to log out, the browser is redirected to
 * the options screen, and the script exits instead of returning.
 *
 * Review notes:
 *  - Nothing in this function verifies the current password or checks the
 *    strength of the new one; both are handed to the hook as posted, so that
 *    validation has to live in the backend (verify for every backend).
 *  - The session id is not regenerated here after the credential changes.
 *
 * @return mixed The non-empty hook result on failure; no return on success.
 */
function cpw_do_change()
{
    // Backend name. It becomes part of an include path below, so it must only
    // ever be set from trusted configuration, never from request data.
    global $cpw_backend;
    // Current and new password exactly as posted by the browser.
    sqgetGlobalVar('cpw_curpass', $curpw, SQ_POST);
    sqgetGlobalVar('cpw_newpass', $newpw, SQ_POST);
    sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION);
    // $onetimepad and $key are overwritten further down without being read by
    // this function in between.
    sqgetGlobalVar('onetimepad', $onetimepad, SQ_SESSION);
    sqgetGlobalVar('key', $key, SQ_COOKIE);
    sqgetGlobalVar('username', $username, SQ_SESSION);
    // The backend file is included from inside this function, so its top-level
    // code runs in this function's variable scope (it can see the passwords).
    require_once SM_PATH . 'plugins/change_password/backend/' . $cpw_backend . '.php';
    // The array elements are references: a hook can rewrite the username or
    // either password, and the rewritten $newpw is what gets stored below.
    $msgs = do_hook('change_password_dochange', $temp = array('username' => &$username, 'curpw' => &$curpw, 'newpw' => &$newpw));
    /* any non-empty hook result is treated as failure and handed back */
    if (count($msgs) > 0) {
        return $msgs;
    }
    /*
     * Replace the password stored for this session: the pad is requested with
     * the new password's byte length and kept server-side in the session, the
     * encrypted value goes to the browser as the 'key' cookie.
     * NOTE(review): presumably both halves are needed to recover the
     * password - confirm against OneTimePadEncrypt().
     */
    $onetimepad = OneTimePadCreate(strlen($newpw));
    sqsession_register($onetimepad, 'onetimepad');
    $key = OneTimePadEncrypt($newpw, $onetimepad);
    // Expiry 0 and path $base_uri; which Secure/HttpOnly flags end up on the
    // cookie depends on sqsetcookie() - verify there.
    sqsetcookie('key', $key, 0, $base_uri);
    /* make sure we write the session data before we redirect */
    session_write_close();
    // The security token travels in the query string, so it can end up in
    // access logs and Referer headers.
    header('Location: ' . SM_PATH . 'src/options.php?optmode=submit&optpage=change_password&plugin_change_password=1&smtoken=' . sm_generate_security_token());
    exit;
}
Exemplo n.º 2
 /**
  * Keeps a password available for the rest of the session in recoverable
  * form and returns the encrypted value.
  *
  * A pad is requested with the password's byte length and registered in the
  * session under 'onetimepad'; the password encrypted with that pad is sent
  * to the browser as the 'key' cookie, using the session's base_uri as the
  * cookie path.
  *
  * NOTE(review): the cookie's Secure/HttpOnly flags are whatever
  * sqsetcookie() applies for these arguments - verify there. Because the pad
  * length follows strlen($pass), the cookie value presumably tracks the
  * password length as well - confirm against OneTimePadEncrypt().
  *
  * @param string $pass Clear-text password to store.
  * @return mixed The value produced by OneTimePadEncrypt() for $pass.
  */
 function sqauth_save_password($pass)
 {
     sqgetGlobalVar('base_uri', $cookiePath, SQ_SESSION);

     // Server-side half: the pad lives only in the session.
     $padLength = strlen($pass);
     $pad = OneTimePadCreate($padLength);
     sqsession_register($pad, 'onetimepad');

     // Client-side half: the encrypted password goes out as the 'key' cookie.
     $encrypted = OneTimePadEncrypt($pass, $pad);
     sqsetcookie('key', $encrypted, false, $cookiePath);

     return $encrypted;
 }
Exemplo n.º 3
                // Excerpt: the enclosing function and the check that leads to
                // this branch start above the visible lines.
                $errstr = _("Your current password is incorrect, please try again.");
            } else {
                // FIXME: the password policy check below is commented out, so
                // no strength check is applied to the new password here.
                /*
                if (is_callable(array($admin,"checkPolicy"))  && 
                    !$admin->checkPolicy("pop",$username,$_POST['acp_newpass'])) {
                  $errstr=_("This password is not strong enough for your policy, set a stronger password or call your administrator");
                } else {
                */
                // OK, change the password. The new value is taken from the
                // POST body as-is.
                $acp_newpass = $_POST['acp_newpass'];
                // NOTE(review): _md5cr() is not shown; the name suggests an
                // MD5-crypt hash - confirm, and check whether the mail backend
                // can accept a stronger scheme.
                $newp = _md5cr($acp_newpass);
                // NOTE(review): as printed, the statement writes the literal
                // '******' and never uses $newp - this looks like masking
                // applied when the snippet was published, not the real query.
                // The SQL is built by string concatenation with $c["id"], whose
                // origin is not visible here; bind it as a parameter (PDO or
                // mysqli prepared statement). mysql_query() belongs to the old
                // ext/mysql API, which PHP 7 removed. Its result is not checked,
                // so the success message below is set even if the UPDATE fails.
                mysql_query("UPDATE address SET password='******' WHERE id=" . $c["id"] . " ;");
                $errstr = _("Your password has been successfully changed. Don't forget to change it in your mail software if you are using one (Outlook, Mozilla, Thunderbird, Eudora ...)");
                // Replace the session copy of the password: new pad in the
                // session, new encrypted value in the 'key' cookie.
                $onetimepad = OneTimePadCreate(strlen($acp_newpass));
                sqsession_register($onetimepad, 'onetimepad');
                $key = OneTimePadEncrypt($acp_newpass, $onetimepad);
                // Plain setcookie() with four arguments: this call sets neither
                // the Secure nor the HttpOnly flag on the cookie.
                setcookie("key", $key, 0, $base_uri);
                //	} (closing brace of the commented-out policy check)
            }
        }
    }
}
// POSTED data ?
// Draw the page header under the 'squirrelmail' gettext domain, then select
// the 'alternc' domain again for the rest of the page.
textdomain('squirrelmail');
displayPageHeader($color, 'None');
textdomain('alternc');

// $errstr is written into the page without HTML escaping. The assignments
// visible in this excerpt are translated constant strings; any assignment
// that carries request data would have to be escaped before it reaches here.
if ($errstr) {
    echo '<p><b>', $errstr, '</b></p>';
}
Exemplo n.º 4
  * countermeasure against session fixation attacks.
  * NB: session_regenerate_id() was added in PHP 4.3.2 (and new session
  *     cookie is only sent out in this call as of PHP 4.3.3), but PHP 4
  *     is not vulnerable to session fixation problems in SquirrelMail
  *     because it prioritizes $base_uri subdirectory cookies differently
  *     than PHP 5, which is otherwise vulnerable.  If we really want to,
  *     we could define our own session_regenerate_id() when one does not
  *     exist, but there seems to be no reason to do so.
  */
 // Rotate the session id before the login proceeds. Called without
 // arguments, session_regenerate_id() leaves the old session record in
 // place (delete_old_session defaults to false).
 if (function_exists('session_regenerate_id')) {
     session_regenerate_id();
     // re-send session cookie so we get the right parameters on it
     // (such as HTTPOnly, if necessary - PHP doesn't do this itself)
     sqsetcookie(session_name(), session_id(), false, $base_uri);
 }
 // Keep the password in recoverable form: the pad is requested with the
 // password's byte length and registered in the session, $key holds the
 // encrypted value. No 'key' cookie is set within these lines.
 $onetimepad = OneTimePadCreate(strlen($secretkey));
 $key = OneTimePadEncrypt($secretkey, $onetimepad);
 sqsession_register($onetimepad, 'onetimepad');
 /* remove redundant spaces */
 $login_username = trim($login_username);
 /* Optionally lower-case the username before it is used to log in. */
 if ($force_username_lowercase) {
     $login_username = strtolower($login_username);
 }
 // Verify that username and password are correct. sqimap_login() is given
 // the encrypted $key, not $secretkey.
 // NOTE(review): its result is not checked in these lines; presumably it
 // aborts the request itself on a failed login - confirm.
 $imapConnection = sqimap_login($login_username, $key, $imapServerAddress, $imapPort, 0);
 // Cache the server's capability list and folder delimiter in the session;
 // the connection is closed again once the delimiter has been read.
 $sqimap_capabilities = sqimap_capability($imapConnection);
 sqsession_register($sqimap_capabilities, 'sqimap_capabilities');
 $delimiter = sqimap_get_delimiter($imapConnection);
 sqimap_logout($imapConnection);
 sqsession_register($delimiter, 'delimiter');
 // From here on the normalised login name is used as the username.
 $username = $login_username;