3 <title>Change Password
</title>
4 <SCRIPT TYPE=
"text/ssperl" CGI='$SERVERSALT $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'
>
5 ::create_login_file(
"~/Private/.Passwords",
"~/Private/.Sessions", $REMOTE_ADDR);
8 <SCRIPT type=
"text/javascript" LANGUAGE=
"JavaScript">
9 function createCookie(name,value,days,path) {
11 var date = new Date();
12 date.setTime(date.getTime()+(days*
24*
60*
60*
1000));
13 var expires =
"; expires="+date.toGMTString();
15 else var expires =
"";
16 document.cookie = name+
"="+value+expires+
"; path=/"+path;
19 function readCookie(name) {
20 var nameEQ = name +
"=";
21 var ca = document.cookie.split(';');
22 for(var i=
0;i < ca.length;i++) {
24 while (c.charAt(
0)==' ') c = c.substring(
1,c.length);
25 if (c.indexOf(nameEQ) ==
0) return c.substring(nameEQ.length,c.length);
30 function check_password_fields ( ) {
31 var newpassword = document.getElementById('NEWPASSWORD');
32 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
33 if(newpassword.value ==
"" || newpasswordrep.value ==
"") {
34 alert(
"No passwords");
37 if(newpassword.value == newpasswordrep.value) {
38 var submitbutton = document.getElementById('SUBMIT');
39 submitbutton.style.color =
"Black";
42 alert(
"Passwords differ");
46 function eraseCookie(name) {
47 createCookie(name,
"",-
1);
50 // Combine the PASSWORD with the site SERVERSALT and hash it
51 // Combine this Hash iwth the extra SERVERSALT, and hash them
52 function HashPassword(extsalt) {
55 var passwordvalue = document.getElementById('PASSWORD');
56 if(passwordvalue.value ==
"")
58 var saltvalue = document.getElementById('SERVERSALT');
59 hash1 = hex_sha1(saltvalue.value+passwordvalue.value);
61 hash2 = hex_sha1(extsalt+hash1);
64 passwordvalue.value = hash2;
67 // Remember to hash the repeat too! Or else it will be send in the clear
68 function HashNewPassword() {
70 var newpassword = document.getElementById('NEWPASSWORD');
71 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
72 if(newpassword.value ==
"" ) {
73 newpassword.value =
"";
76 if(newpasswordrep && (newpasswordrep.value ==
""|| newpassword.value != newpasswordrep.value)) {
77 newpassword.value =
"";
78 newpasswordrep.value =
"";
81 var saltvalue = document.getElementById('SERVERSALT');
82 hash1 = hex_sha1(saltvalue.value+newpassword.value);
83 newpassword.value = hash1;
84 newpasswordrep.value = hash1;
88 function XOR_hex_strings(hex1, hex2) {
90 for(var i=
0; i < hex1.length; ++i) {
91 var d1 = parseInt(hex1.charAt(i),
16);
92 var d2 = parseInt(hex2.charAt(i),
16);
94 resultHex = resultHex+resultD.toString(
16);
99 function EncryptNewPassword() {
100 var password = document.getElementById('PASSWORD');
101 var saltvalue = document.getElementById('SERVERSALT');
102 var login = document.getElementById('LOGINTICKET');
103 var newpassword = document.getElementById('NEWPASSWORD');
104 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
107 hash = hex_sha1(saltvalue.value+password.value);
108 hash2 = hex_sha1(login.value+hash);
109 var encrypted = XOR_hex_strings(hash2, newpassword.value);
110 newpassword.value = encrypted;
111 newpasswordrep.value = encrypted;
115 function add_cgiparam(elem, attr, param) {
116 var elems = document.getElementsByTagName(elem);
117 for (var i =
0; i < elems.length; i++)
119 var n=elems[i][attr].indexOf(
"?");
121 elems[i][attr] = elems[i][attr] +
"?" + param;
123 elems[i][attr] = elems[i][attr] +
"&" + param;
127 function remove_cgiparam(elem, attr, parameter) {
128 var elems = document.getElementsByTagName(elem);
129 for (var i =
0; i < elems.length; i++)
131 var n=elems[i][attr].indexOf(
"&"+parameter);
133 elems[i][attr] = elems[i][attr].replace(
"&"+param,
"");
134 var n=elems[i][attr].indexOf(parameter);
136 elems[i][attr] = elems[i][attr].replace(param,
"");
140 window.onload = function() {
141 var sessionticket = readCookie(
"CGIscriptor");
142 var sessionparm = document.getElementById('SESSIONTICKET');
143 if(sessionparm) sessionparm.value = sessionticket;
144 add_cgiparam('a', 'href',
"SESSIONTICKET="+sessionticket);
145 add_cgiparam('form', 'action',
"SESSIONTICKET="+sessionticket);
151 <script type=
"text/javascript">
153 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
155 * Version 2.2 Copyright Paul Johnston 2000 - 2009.
156 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
157 * Distributed under the BSD License
158 * See http://pajhome.org.uk/crypt/md5 for details.
162 * Configurable variables. You may need to tweak these to be compatible with
163 * the server-side, but the defaults work in most cases.
165 var hexcase
= 0; /* hex output format. 0 - lowercase; 1 - uppercase */
166 var b64pad
= ""; /* base-64 pad character. "=" for strict RFC compliance */
169 * These are the functions you'll usually want to call
170 * They take string arguments and return either hex or base-64 encoded strings
172 function hex_sha1(s
) { return rstr2hex(rstr_sha1(str2rstr_utf8(s
))); }
173 function b64_sha1(s
) { return rstr2b64(rstr_sha1(str2rstr_utf8(s
))); }
174 function any_sha1(s
, e
) { return rstr2any(rstr_sha1(str2rstr_utf8(s
)), e
); }
175 function hex_hmac_sha1(k
, d
)
176 { return rstr2hex(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
))); }
177 function b64_hmac_sha1(k
, d
)
178 { return rstr2b64(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
))); }
179 function any_hmac_sha1(k
, d
, e
)
180 { return rstr2any(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
)), e
); }
183 * Perform a simple self-test to see if the VM is working
185 function sha1_vm_test()
187 return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
191 * Calculate the SHA1 of a raw string
193 function rstr_sha1(s
)
195 return binb2rstr(binb_sha1(rstr2binb(s
), s
.length
* 8));
199 * Calculate the HMAC-SHA1 of a key and some data (raw strings)
201 function rstr_hmac_sha1(key
, data
)
203 var bkey
= rstr2binb(key
);
204 if(bkey
.length
> 16) bkey
= binb_sha1(bkey
, key
.length
* 8);
206 var ipad
= Array(16), opad
= Array(16);
207 for(var i
= 0; i
< 16; i
++)
209 ipad
[i
] = bkey
[i
] ^ 0x36363636;
210 opad
[i
] = bkey
[i
] ^ 0x5C5C5C5C;
213 var hash
= binb_sha1(ipad
.concat(rstr2binb(data
)), 512 + data
.length
* 8);
214 return binb2rstr(binb_sha1(opad
.concat(hash
), 512 + 160));
218 * Convert a raw string to a hex string
220 function rstr2hex(input
)
222 try { hexcase
} catch(e
) { hexcase
=0; }
223 var hex_tab
= hexcase
? "0123456789ABCDEF" : "0123456789abcdef";
226 for(var i
= 0; i
< input
.length
; i
++)
228 x
= input
.charCodeAt(i
);
229 output
+= hex_tab
.charAt((x
>>> 4) & 0x0F)
230 + hex_tab
.charAt( x
& 0x0F);
236 * Convert a raw string to a base-64 string
238 function rstr2b64(input
)
240 try { b64pad
} catch(e
) { b64pad
=''; }
241 var tab
= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
243 var len
= input
.length
;
244 for(var i
= 0; i
< len
; i
+= 3)
246 var triplet
= (input
.charCodeAt(i
) << 16)
247 | (i
+ 1 < len
? input
.charCodeAt(i
+1) << 8 : 0)
248 | (i
+ 2 < len
? input
.charCodeAt(i
+2) : 0);
249 for(var j
= 0; j
< 4; j
++)
251 if(i
* 8 + j
* 6 > input
.length
* 8) output
+= b64pad
;
252 else output
+= tab
.charAt((triplet
>>> 6*(3-j
)) & 0x3F);
259 * Convert a raw string to an arbitrary string encoding
261 function rstr2any(input
, encoding
)
263 var divisor
= encoding
.length
;
264 var remainders
= Array();
265 var i
, q
, x
, quotient
;
267 /* Convert to an array of 16-bit big-endian values, forming the dividend */
268 var dividend
= Array(Math
.ceil(input
.length
/ 2));
269 for(i
= 0; i
< dividend
.length
; i
++)
271 dividend
[i
] = (input
.charCodeAt(i
* 2) << 8) | input
.charCodeAt(i
* 2 + 1);
275 * Repeatedly perform a long division. The binary array forms the dividend,
276 * the length of the encoding is the divisor. Once computed, the quotient
277 * forms the dividend for the next step. We stop when the dividend is zero.
278 * All remainders are stored for later use.
280 while(dividend
.length
> 0)
284 for(i
= 0; i
< dividend
.length
; i
++)
286 x
= (x
<< 16) + dividend
[i
];
287 q
= Math
.floor(x
/ divisor
);
289 if(quotient
.length
> 0 || q
> 0)
290 quotient
[quotient
.length
] = q
;
292 remainders
[remainders
.length
] = x
;
296 /* Convert the remainders to the output string */
298 for(i
= remainders
.length
- 1; i
>= 0; i
--)
299 output
+= encoding
.charAt(remainders
[i
]);
301 /* Append leading zero equivalents */
302 var full_length
= Math
.ceil(input
.length
* 8 /
303 (Math
.log(encoding
.length
) / Math
.log(2)))
304 for(i
= output
.length
; i
< full_length
; i
++)
305 output
= encoding
[0] + output
;
311 * Encode a string as utf-8.
312 * For efficiency, this assumes the input is valid utf-16.
314 function str2rstr_utf8(input
)
320 while(++i
< input
.length
)
322 /* Decode utf-16 surrogate pairs */
323 x
= input
.charCodeAt(i
);
324 y
= i
+ 1 < input
.length
? input
.charCodeAt(i
+ 1) : 0;
325 if(0xD800 <= x
&& x
<= 0xDBFF && 0xDC00 <= y
&& y
<= 0xDFFF)
327 x
= 0x10000 + ((x
& 0x03FF) << 10) + (y
& 0x03FF);
331 /* Encode output as utf-8 */
333 output
+= String
.fromCharCode(x
);
335 output
+= String
.fromCharCode(0xC0 | ((x
>>> 6 ) & 0x1F),
338 output
+= String
.fromCharCode(0xE0 | ((x
>>> 12) & 0x0F),
339 0x80 | ((x
>>> 6 ) & 0x3F),
341 else if(x
<= 0x1FFFFF)
342 output
+= String
.fromCharCode(0xF0 | ((x
>>> 18) & 0x07),
343 0x80 | ((x
>>> 12) & 0x3F),
344 0x80 | ((x
>>> 6 ) & 0x3F),
351 * Encode a string as utf-16
353 function str2rstr_utf16le(input
)
356 for(var i
= 0; i
< input
.length
; i
++)
357 output
+= String
.fromCharCode( input
.charCodeAt(i
) & 0xFF,
358 (input
.charCodeAt(i
) >>> 8) & 0xFF);
362 function str2rstr_utf16be(input
)
365 for(var i
= 0; i
< input
.length
; i
++)
366 output
+= String
.fromCharCode((input
.charCodeAt(i
) >>> 8) & 0xFF,
367 input
.charCodeAt(i
) & 0xFF);
372 * Convert a raw string to an array of big-endian words
373 * Characters >255 have their high-byte silently ignored.
375 function rstr2binb(input
)
377 var output
= Array(input
.length
>> 2);
378 for(var i
= 0; i
< output
.length
; i
++)
380 for(var i
= 0; i
< input
.length
* 8; i
+= 8)
381 output
[i
>>5] |= (input
.charCodeAt(i
/ 8) & 0xFF) << (24 - i
% 32);
386 * Convert an array of big-endian words to a string
388 function binb2rstr(input
)
391 for(var i
= 0; i
< input
.length
* 32; i
+= 8)
392 output
+= String
.fromCharCode((input
[i
>>5] >>> (24 - i
% 32)) & 0xFF);
397 * Calculate the SHA-1 of an array of big-endian words, and a bit length
399 function binb_sha1(x
, len
)
402 x
[len
>> 5] |= 0x80 << (24 - len
% 32);
403 x
[((len
+ 64 >> 9) << 4) + 15] = len
;
412 for(var i
= 0; i
< x
.length
; i
+= 16)
420 for(var j
= 0; j
< 80; j
++)
422 if(j
< 16) w
[j
] = x
[i
+ j
];
423 else w
[j
] = bit_rol(w
[j
-3] ^ w
[j
-8] ^ w
[j
-14] ^ w
[j
-16], 1);
424 var t
= safe_add(safe_add(bit_rol(a
, 5), sha1_ft(j
, b
, c
, d
)),
425 safe_add(safe_add(e
, w
[j
]), sha1_kt(j
)));
433 a
= safe_add(a
, olda
);
434 b
= safe_add(b
, oldb
);
435 c
= safe_add(c
, oldc
);
436 d
= safe_add(d
, oldd
);
437 e
= safe_add(e
, olde
);
439 return Array(a
, b
, c
, d
, e
);
444 * Perform the appropriate triplet combination function for the current
447 function sha1_ft(t
, b
, c
, d
)
449 if(t
< 20) return (b
& c
) | ((~b
) & d
);
450 if(t
< 40) return b
^ c
^ d
;
451 if(t
< 60) return (b
& c
) | (b
& d
) | (c
& d
);
456 * Determine the appropriate additive constant for the current iteration
460 return (t
< 20) ? 1518500249 : (t
< 40) ? 1859775393 :
461 (t
< 60) ? -1894007588 : -899497514;
465 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
466 * to work around bugs in some JS interpreters.
468 function safe_add(x
, y
)
470 var lsw
= (x
& 0xFFFF) + (y
& 0xFFFF);
471 var msw
= (x
>> 16) + (y
>> 16) + (lsw
>> 16);
472 return (msw
<< 16) | (lsw
& 0xFFFF);
476 * Bitwise rotate a 32-bit number to the left.
478 function bit_rol(num
, cnt
)
480 return (num
<< cnt
) | (num
>>> (32 - cnt
));
486 <h1 align=CENTER
>Change your password
</h1>
492 <form method=
"POST" action=
"index.html" id=
"LoginForm"
493 onSubmit='if(! check_password_fields())return false;EncryptNewPassword();HashPassword(
"<SCRIPT TYPE="text/ssperl
">
494 $RANDOMSALT</SCRIPT>");true'
>
495 <div style=
"margin-left: 30%; margin-right: 30%; text-align: left">
498 <td style=
"text-align: right">Old Password:
</td>
499 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"PASSWORD" id=
"PASSWORD" size=
"20" /></td>
502 <td style=
"text-align: right">New Password:
</td>
503 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"NEWPASSWORD" id=
"NEWPASSWORD" size=
"20" />
507 <td style=
"text-align: right">Repeat:
</td>
508 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"NEWPASSWORDREP" id=
"NEWPASSWORDREP" size=
"20" onChange=
"check_password_fields();"/></td>
512 <td style=
"text-align: left"><input type=
"submit" id=
"SUBMIT" value=
"Change" style=
"color: Gray" /></td>
515 <input type=
"hidden" name=
"USERNAME" size=
"20" value=
<SCRIPT type=
"text/ssperl">$LOGINUSERNAME
</SCRIPT> />
516 <input type=
"hidden" name=
"SERVERSALT" id=
"SERVERSALT" value=
"<SCRIPT TYPE="text/ssperl
">$SERVERSALT</SCRIPT>" />
517 <input type=
"hidden" name=
"RANDOMSALT" id=
"RANDOMSALT" value=
"<SCRIPT TYPE="text/ssperl
">$RANDOMSALT</SCRIPT>" />
518 <input type=
"hidden" name=
"LOGINTICKET" id=
"LOGINTICKET" value=
"<SCRIPT TYPE="text/ssperl
">$LOGINTICKET</SCRIPT>" />
519 <input type=
"hidden" name=
"SESSIONTICKET" value=
"" />
523 The Salt and Ticket values are all created using SHA1 on
512 Byte of output from
<em>/dev/urandom
</em> in HEX.
525 <FONT STYLE=
"font-size:small">
526 <p> Example Login page for CGIscriptor.pl
<br />
527 Copyright
© 2012 R.J.J.H. van Son
<br />
528 This program is free software: you can redistribute it and/or modify
529 it under the terms of the GNU General Public License as published by
530 the Free Software Foundation, either version
3 of the License, or
531 (at your option) any later version.
532 This program is distributed in the hope that it will be useful,
533 but WITHOUT ANY WARRANTY; without even the implied warranty of
534 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
535 GNU General Public License for more details.
<br />
536 You should have received a copy of the GNU General Public License
537 along with this program. If not, see
<a href=
"http://www.gnu.org/licenses/">http://www.gnu.org/licenses/
</a>.
</p>
538 <p> JavaScript implementation of the Secure Hash Algorithm, SHA-
1, as defined in FIPS
180-
1<br />
539 Copyright
© 2000 -
2009 Paul Johnston, Version
2.2<br />
540 Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
<br />
541 Distributed under the BSD License
<br />
542 See
<a href=
"http://pajhome.org.uk/crypt/md5">http://pajhome.org.uk/crypt/md5
</a> for details.