3 <title>Change Password
</title>
4 <SCRIPT TYPE=
"text/ssperl" CGI='$SERVERSALT $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'
>
5 ::create_login_file(
"~/Private/.Passwords",
"~/Private/.Sessions", $REMOTE_ADDR);
8 <SCRIPT type=
"text/javascript" LANGUAGE=
"JavaScript">
9 function createCookie(name,value,days,path) {
11 var date = new Date();
12 date.setTime(date.getTime()+(days*
24*
60*
60*
1000));
13 var expires =
"; expires="+date.toGMTString();
15 else var expires =
"";
16 var match = document.cookie.match('/('+name+'\=[^\;]*\);/');
18 document.cookie = document.cookie.replace(match[
1], name+
"="+value);
20 document.cookie = name+
"="+value+expires+
"; path=/"+path;
23 function readCookie(name) {
24 var nameEQ = name +
"=";
25 var ca = document.cookie.split(';');
26 for(var i=
0;i < ca.length;i++) {
28 while (c.charAt(
0)==' ') c = c.substring(
1,c.length);
29 if (c.indexOf(nameEQ) ==
0) return c.substring(nameEQ.length,c.length);
34 function check_password_fields ( ) {
35 var newpassword = document.getElementById('NEWPASSWORD');
36 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
37 if(newpassword.value ==
"" || newpasswordrep.value ==
"") {
38 alert(
"No passwords");
41 if(newpassword.value == newpasswordrep.value) {
42 var submitbutton = document.getElementById('SUBMIT');
43 submitbutton.style.color =
"Black";
46 alert(
"Passwords differ");
50 function eraseCookie(name) {
51 createCookie(name,
"",-
1);
54 // Combine the PASSWORD with the site SERVERSALT and hash it
55 // Combine this Hash iwth the extra SERVERSALT, and hash them
56 function HashPassword(extsalt) {
59 var passwordvalue = document.getElementById('PASSWORD');
60 if(passwordvalue.value ==
"")
62 var saltvalue = document.getElementById('SERVERSALT');
63 hash1 = hex_sha1(saltvalue.value+passwordvalue.value);
65 hash2 = hex_sha1(extsalt+hash1);
68 passwordvalue.value = hash2;
71 // Remember to hash the repeat too! Or else it will be send in the clear
72 function HashNewPassword() {
74 var newpassword = document.getElementById('NEWPASSWORD');
75 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
76 if(newpassword.value ==
"" ) {
77 newpassword.value =
"";
80 if(newpasswordrep && (newpasswordrep.value ==
""|| newpassword.value != newpasswordrep.value)) {
81 newpassword.value =
"";
82 newpasswordrep.value =
"";
85 var saltvalue = document.getElementById('SERVERSALT');
86 hash1 = hex_sha1(saltvalue.value+newpassword.value);
87 newpassword.value = hash1;
88 newpasswordrep.value = hash1;
92 function XOR_hex_strings(hex1, hex2) {
94 for(var i=
0; i < hex1.length; ++i) {
95 var d1 = parseInt(hex1.charAt(i),
16);
96 var d2 = parseInt(hex2.charAt(i),
16);
98 resultHex = resultHex+resultD.toString(
16);
103 function EncryptNewPassword() {
104 var password = document.getElementById('PASSWORD');
105 var saltvalue = document.getElementById('SERVERSALT');
106 var login = document.getElementById('LOGINTICKET');
107 var newpassword = document.getElementById('NEWPASSWORD');
108 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
111 hash = hex_sha1(saltvalue.value+password.value);
112 hash2 = hex_sha1(login.value+hash);
113 var encrypted = XOR_hex_strings(hash2, newpassword.value);
114 newpassword.value = encrypted;
115 newpasswordrep.value = encrypted;
119 function add_cgiparam(elem, attr, param) {
120 var elems = document.getElementsByTagName(elem);
121 for (var i =
0; i < elems.length; i++)
123 var n=elems[i][attr].indexOf(
"?");
125 elems[i][attr] = elems[i][attr] +
"?" + param;
127 elems[i][attr] = elems[i][attr] +
"&" + param;
131 function remove_cgiparam(elem, attr, parameter) {
132 var elems = document.getElementsByTagName(elem);
133 for (var i =
0; i < elems.length; i++)
135 var n=elems[i][attr].indexOf(
"&"+parameter);
137 elems[i][attr] = elems[i][attr].replace(
"&"+param,
"");
138 var n=elems[i][attr].indexOf(parameter);
140 elems[i][attr] = elems[i][attr].replace(param,
"");
144 function setSessionParameters() {
145 var sessionset = readCookie(
"CGIscriptorSESSION");
146 if(!sessionset.match(/[\S]/))return false;
148 var sessionticket =
"";
149 sessionticket = localStorage.getItem(
"CGIscriptorPRIVATE");
150 createCookie(
"CGIscriptorSESSION",sessionticket,
1,
"/Private");
151 var sessionparm = document.getElementById('SESSIONTICKET');
152 if(sessionparm) sessionparm.value = sessionticket;
154 // Without cookies, use this
155 // add_cgiparam('a', 'href',
"SESSIONTICKET="+sessionticket);
156 // add_cgiparam('form', 'action',
"SESSIONTICKET="+sessionticket);
159 function setChallengeParameters() {
160 var sessionset = readCookie(
"CGIscriptorCHALLENGE");
161 if(!(sessionset && sessionset.match(/[\S]/)))return false;
163 var sessionticket =
"";
164 sessionticket = localStorage.getItem(
"CGIscriptorPRIVATE");
165 createCookie(
"CGIscriptorCHALLENGE",sessionticket,
1,
"Private");
166 var sessionparm = document.getElementById('CHALLENGETICKET');
167 if(sessionparm) sessionparm.value = sessionticket;
169 // Without cookies, use this
170 // add_cgiparam('a', 'href',
"CHALLENGETICKET="+sessionticket);
171 // add_cgiparam('form', 'action',
"CHALLENGETICKET="+sessionticket);
175 window.onload = function() {
176 var challengeSet = setChallengeParameters();
178 setSessionParameters();
185 <script type=
"text/javascript">
187 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
189 * Version 2.2 Copyright Paul Johnston 2000 - 2009.
190 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
191 * Distributed under the BSD License
192 * See http://pajhome.org.uk/crypt/md5 for details.
196 * Configurable variables. You may need to tweak these to be compatible with
197 * the server-side, but the defaults work in most cases.
199 var hexcase
= 0; /* hex output format. 0 - lowercase; 1 - uppercase */
200 var b64pad
= ""; /* base-64 pad character. "=" for strict RFC compliance */
203 * These are the functions you'll usually want to call
204 * They take string arguments and return either hex or base-64 encoded strings
206 function hex_sha1(s
) { return rstr2hex(rstr_sha1(str2rstr_utf8(s
))); }
207 function b64_sha1(s
) { return rstr2b64(rstr_sha1(str2rstr_utf8(s
))); }
208 function any_sha1(s
, e
) { return rstr2any(rstr_sha1(str2rstr_utf8(s
)), e
); }
209 function hex_hmac_sha1(k
, d
)
210 { return rstr2hex(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
))); }
211 function b64_hmac_sha1(k
, d
)
212 { return rstr2b64(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
))); }
213 function any_hmac_sha1(k
, d
, e
)
214 { return rstr2any(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
)), e
); }
217 * Perform a simple self-test to see if the VM is working
219 function sha1_vm_test()
221 return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
225 * Calculate the SHA1 of a raw string
227 function rstr_sha1(s
)
229 return binb2rstr(binb_sha1(rstr2binb(s
), s
.length
* 8));
233 * Calculate the HMAC-SHA1 of a key and some data (raw strings)
235 function rstr_hmac_sha1(key
, data
)
237 var bkey
= rstr2binb(key
);
238 if(bkey
.length
> 16) bkey
= binb_sha1(bkey
, key
.length
* 8);
240 var ipad
= Array(16), opad
= Array(16);
241 for(var i
= 0; i
< 16; i
++)
243 ipad
[i
] = bkey
[i
] ^ 0x36363636;
244 opad
[i
] = bkey
[i
] ^ 0x5C5C5C5C;
247 var hash
= binb_sha1(ipad
.concat(rstr2binb(data
)), 512 + data
.length
* 8);
248 return binb2rstr(binb_sha1(opad
.concat(hash
), 512 + 160));
252 * Convert a raw string to a hex string
254 function rstr2hex(input
)
256 try { hexcase
} catch(e
) { hexcase
=0; }
257 var hex_tab
= hexcase
? "0123456789ABCDEF" : "0123456789abcdef";
260 for(var i
= 0; i
< input
.length
; i
++)
262 x
= input
.charCodeAt(i
);
263 output
+= hex_tab
.charAt((x
>>> 4) & 0x0F)
264 + hex_tab
.charAt( x
& 0x0F);
270 * Convert a raw string to a base-64 string
272 function rstr2b64(input
)
274 try { b64pad
} catch(e
) { b64pad
=''; }
275 var tab
= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
277 var len
= input
.length
;
278 for(var i
= 0; i
< len
; i
+= 3)
280 var triplet
= (input
.charCodeAt(i
) << 16)
281 | (i
+ 1 < len
? input
.charCodeAt(i
+1) << 8 : 0)
282 | (i
+ 2 < len
? input
.charCodeAt(i
+2) : 0);
283 for(var j
= 0; j
< 4; j
++)
285 if(i
* 8 + j
* 6 > input
.length
* 8) output
+= b64pad
;
286 else output
+= tab
.charAt((triplet
>>> 6*(3-j
)) & 0x3F);
293 * Convert a raw string to an arbitrary string encoding
295 function rstr2any(input
, encoding
)
297 var divisor
= encoding
.length
;
298 var remainders
= Array();
299 var i
, q
, x
, quotient
;
301 /* Convert to an array of 16-bit big-endian values, forming the dividend */
302 var dividend
= Array(Math
.ceil(input
.length
/ 2));
303 for(i
= 0; i
< dividend
.length
; i
++)
305 dividend
[i
] = (input
.charCodeAt(i
* 2) << 8) | input
.charCodeAt(i
* 2 + 1);
309 * Repeatedly perform a long division. The binary array forms the dividend,
310 * the length of the encoding is the divisor. Once computed, the quotient
311 * forms the dividend for the next step. We stop when the dividend is zero.
312 * All remainders are stored for later use.
314 while(dividend
.length
> 0)
318 for(i
= 0; i
< dividend
.length
; i
++)
320 x
= (x
<< 16) + dividend
[i
];
321 q
= Math
.floor(x
/ divisor
);
323 if(quotient
.length
> 0 || q
> 0)
324 quotient
[quotient
.length
] = q
;
326 remainders
[remainders
.length
] = x
;
330 /* Convert the remainders to the output string */
332 for(i
= remainders
.length
- 1; i
>= 0; i
--)
333 output
+= encoding
.charAt(remainders
[i
]);
335 /* Append leading zero equivalents */
336 var full_length
= Math
.ceil(input
.length
* 8 /
337 (Math
.log(encoding
.length
) / Math
.log(2)))
338 for(i
= output
.length
; i
< full_length
; i
++)
339 output
= encoding
[0] + output
;
345 * Encode a string as utf-8.
346 * For efficiency, this assumes the input is valid utf-16.
348 function str2rstr_utf8(input
)
354 while(++i
< input
.length
)
356 /* Decode utf-16 surrogate pairs */
357 x
= input
.charCodeAt(i
);
358 y
= i
+ 1 < input
.length
? input
.charCodeAt(i
+ 1) : 0;
359 if(0xD800 <= x
&& x
<= 0xDBFF && 0xDC00 <= y
&& y
<= 0xDFFF)
361 x
= 0x10000 + ((x
& 0x03FF) << 10) + (y
& 0x03FF);
365 /* Encode output as utf-8 */
367 output
+= String
.fromCharCode(x
);
369 output
+= String
.fromCharCode(0xC0 | ((x
>>> 6 ) & 0x1F),
372 output
+= String
.fromCharCode(0xE0 | ((x
>>> 12) & 0x0F),
373 0x80 | ((x
>>> 6 ) & 0x3F),
375 else if(x
<= 0x1FFFFF)
376 output
+= String
.fromCharCode(0xF0 | ((x
>>> 18) & 0x07),
377 0x80 | ((x
>>> 12) & 0x3F),
378 0x80 | ((x
>>> 6 ) & 0x3F),
385 * Encode a string as utf-16
387 function str2rstr_utf16le(input
)
390 for(var i
= 0; i
< input
.length
; i
++)
391 output
+= String
.fromCharCode( input
.charCodeAt(i
) & 0xFF,
392 (input
.charCodeAt(i
) >>> 8) & 0xFF);
396 function str2rstr_utf16be(input
)
399 for(var i
= 0; i
< input
.length
; i
++)
400 output
+= String
.fromCharCode((input
.charCodeAt(i
) >>> 8) & 0xFF,
401 input
.charCodeAt(i
) & 0xFF);
406 * Convert a raw string to an array of big-endian words
407 * Characters >255 have their high-byte silently ignored.
409 function rstr2binb(input
)
411 var output
= Array(input
.length
>> 2);
412 for(var i
= 0; i
< output
.length
; i
++)
414 for(var i
= 0; i
< input
.length
* 8; i
+= 8)
415 output
[i
>>5] |= (input
.charCodeAt(i
/ 8) & 0xFF) << (24 - i
% 32);
420 * Convert an array of big-endian words to a string
422 function binb2rstr(input
)
425 for(var i
= 0; i
< input
.length
* 32; i
+= 8)
426 output
+= String
.fromCharCode((input
[i
>>5] >>> (24 - i
% 32)) & 0xFF);
431 * Calculate the SHA-1 of an array of big-endian words, and a bit length
433 function binb_sha1(x
, len
)
436 x
[len
>> 5] |= 0x80 << (24 - len
% 32);
437 x
[((len
+ 64 >> 9) << 4) + 15] = len
;
446 for(var i
= 0; i
< x
.length
; i
+= 16)
454 for(var j
= 0; j
< 80; j
++)
456 if(j
< 16) w
[j
] = x
[i
+ j
];
457 else w
[j
] = bit_rol(w
[j
-3] ^ w
[j
-8] ^ w
[j
-14] ^ w
[j
-16], 1);
458 var t
= safe_add(safe_add(bit_rol(a
, 5), sha1_ft(j
, b
, c
, d
)),
459 safe_add(safe_add(e
, w
[j
]), sha1_kt(j
)));
467 a
= safe_add(a
, olda
);
468 b
= safe_add(b
, oldb
);
469 c
= safe_add(c
, oldc
);
470 d
= safe_add(d
, oldd
);
471 e
= safe_add(e
, olde
);
473 return Array(a
, b
, c
, d
, e
);
478 * Perform the appropriate triplet combination function for the current
481 function sha1_ft(t
, b
, c
, d
)
483 if(t
< 20) return (b
& c
) | ((~b
) & d
);
484 if(t
< 40) return b
^ c
^ d
;
485 if(t
< 60) return (b
& c
) | (b
& d
) | (c
& d
);
490 * Determine the appropriate additive constant for the current iteration
494 return (t
< 20) ? 1518500249 : (t
< 40) ? 1859775393 :
495 (t
< 60) ? -1894007588 : -899497514;
499 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
500 * to work around bugs in some JS interpreters.
502 function safe_add(x
, y
)
504 var lsw
= (x
& 0xFFFF) + (y
& 0xFFFF);
505 var msw
= (x
>> 16) + (y
>> 16) + (lsw
>> 16);
506 return (msw
<< 16) | (lsw
& 0xFFFF);
510 * Bitwise rotate a 32-bit number to the left.
512 function bit_rol(num
, cnt
)
514 return (num
<< cnt
) | (num
>>> (32 - cnt
));
520 <p ALIGN=RIGHT
><a href=
"index.html?LOGOUT">Logout
</a></p>
521 <p ALIGN=RIGHT
><a href=
"index.html">Home page
</a></p>
522 <h1 align=CENTER
>Change your password
</h1>
528 <form method=
"POST" action=
"index.html" id=
"LoginForm"
529 onSubmit='if(! check_password_fields())return false;EncryptNewPassword();HashPassword(
"<SCRIPT TYPE="text/ssperl
">
530 $RANDOMSALT</SCRIPT>");true'
>
531 <div style=
"margin-left: 30%; margin-right: 30%; text-align: left">
534 <td style=
"text-align: right">Old Password:
</td>
535 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"PASSWORD" id=
"PASSWORD" size=
"20" /></td>
538 <td style=
"text-align: right">New Password:
</td>
539 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"NEWPASSWORD" id=
"NEWPASSWORD" size=
"20" />
543 <td style=
"text-align: right">Repeat:
</td>
544 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"NEWPASSWORDREP" id=
"NEWPASSWORDREP" size=
"20" onChange=
"check_password_fields();"/></td>
548 <td style=
"text-align: left"><input type=
"submit" id=
"SUBMIT" value=
"Change" style=
"color: Gray" /></td>
551 <input type=
"hidden" name=
"USERNAME" size=
"20" value=
<SCRIPT type=
"text/ssperl">$LOGINUSERNAME
</SCRIPT> />
552 <input type=
"hidden" name=
"SERVERSALT" id=
"SERVERSALT" value=
"<SCRIPT TYPE="text/ssperl
">$SERVERSALT</SCRIPT>" />
553 <input type=
"hidden" name=
"RANDOMSALT" id=
"RANDOMSALT" value=
"<SCRIPT TYPE="text/ssperl
">$RANDOMSALT</SCRIPT>" />
554 <input type=
"hidden" name=
"LOGINTICKET" id=
"LOGINTICKET" value=
"<SCRIPT TYPE="text/ssperl
">$LOGINTICKET</SCRIPT>" />
555 <input type=
"hidden" name=
"SESSIONTICKET" id=
"SESSIONTICKET"value=
"" />
556 <input type=
"hidden" name=
"CHALLENGETICKET" id=
"CHALLENGETICKET" value=
"" />
560 The Salt and Ticket values are all created using SHA1 on
512 Byte of output from
<em>/dev/urandom
</em> in HEX.
562 <FONT STYLE=
"font-size:small">
563 <p> Example Login page for CGIscriptor.pl
<br />
564 Copyright
© 2012 R.J.J.H. van Son
<br />
565 This program is free software: you can redistribute it and/or modify
566 it under the terms of the GNU General Public License as published by
567 the Free Software Foundation, either version
3 of the License, or
568 (at your option) any later version.
569 This program is distributed in the hope that it will be useful,
570 but WITHOUT ANY WARRANTY; without even the implied warranty of
571 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
572 GNU General Public License for more details.
<br />
573 You should have received a copy of the GNU General Public License
574 along with this program. If not, see
<a href=
"http://www.gnu.org/licenses/">http://www.gnu.org/licenses/
</a>.
</p>
575 <p> JavaScript implementation of the Secure Hash Algorithm, SHA-
1, as defined in FIPS
180-
1<br />
576 Copyright
© 2000 -
2009 Paul Johnston, Version
2.2<br />
577 Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
<br />
578 Distributed under the BSD License
<br />
579 See
<a href=
"http://pajhome.org.uk/crypt/md5">http://pajhome.org.uk/crypt/md5
</a> for details.