3 <title>Change Password
</title>
4 <SCRIPT TYPE=
"text/ssperl" CGI='$SERVERSALT $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'
>
5 ::create_login_file(
"~/Private/.Passwords",
"~/Private/.Sessions", $REMOTE_ADDR);
8 <SCRIPT type=
"text/javascript" LANGUAGE=
"JavaScript">
9 function createCookie(name,value,days,path) {
11 var date = new Date();
12 date.setTime(date.getTime()+(days*
24*
60*
60*
1000));
13 var expires =
"; expires="+date.toGMTString();
15 else var expires =
"";
16 var match = document.cookie.match('/('+name+'\=[^\;]*\);/');
18 document.cookie = document.cookie.replace(match[
1], name+
"="+value);
20 document.cookie = name+
"="+value+expires+
"; path=/"+path;
23 function readCookie(name) {
24 var nameEQ = name +
"=";
25 var ca = document.cookie.split(';');
26 for(var i=
0;i < ca.length;i++) {
28 while (c.charAt(
0)==' ') c = c.substring(
1,c.length);
29 if (c.indexOf(nameEQ) ==
0) return c.substring(nameEQ.length,c.length);
34 function check_password_fields ( ) {
35 var newpassword = document.getElementById('NEWPASSWORD');
36 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
37 if(newpassword.value ==
"" || newpasswordrep.value ==
"") {
38 alert(
"No passwords");
41 if(newpassword.value == newpasswordrep.value) {
42 var submitbutton = document.getElementById('SUBMIT');
43 submitbutton.style.color =
"Black";
46 alert(
"Passwords differ");
50 function eraseCookie(name) {
51 createCookie(name,
"",-
1);
54 // Combine the PASSWORD with the site SERVERSALT and hash it
55 // Combine this Hash iwth the extra SERVERSALT, and hash them
56 function HashPassword(extsalt) {
57 var hash = HashSessionSeed(extsalt);
58 var password = document.getElementById('PASSWORD');
60 password.value = hash;
62 alert(
"NO PASSWORD IN FORM");
68 // REMEMBER: Set the session cookie BEFORE you hash the password!!!
69 function SetSessionCookie() {
70 var seed = '
<SCRIPT TYPE=
"text/ssperl">$LOGINTICKET
</SCRIPT>';
71 var hash = HashSessionSeed(seed);
72 // Dom.storage.enabled must be set!
73 if (!sessionStorage || typeof(sessionStorage) == 'undefined' ) {
74 alert('Your browser does not support HTML5 sessionStorage. Set Dom.storage.enabled or try upgrading.');
76 else sessionStorage.setItem(
"CGIscriptorPRIVATE", hash);
80 function HashSessionSeed(sessionseed) {
83 var passwordvalue = document.getElementById('PASSWORD');
84 var saltvalue = document.getElementById('SERVERSALT');
85 var username = document.getElementById('USERNAME');
86 hash1 = hex_sha1(saltvalue.value+passwordvalue.value+username.value);
88 hash2 = hex_sha1(sessionseed+hash1);
94 // Remember to hash the repeat too! Or else it will be send in the clear
95 function HashNewPassword() {
97 var newpassword = document.getElementById('NEWPASSWORD');
98 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
99 var username = document.getElementById('USERNAME');
100 if(newpassword.value ==
"" ) {
101 newpassword.value =
"";
104 if(newpasswordrep && (newpasswordrep.value ==
""|| newpassword.value != newpasswordrep.value)) {
105 newpassword.value =
"";
106 newpasswordrep.value =
"";
109 var saltvalue = document.getElementById('SERVERSALT');
110 hash1 = hex_sha1(saltvalue.value+newpassword.value+username.value);
111 newpassword.value = hash1;
112 newpasswordrep.value = hash1;
116 function XOR_hex_strings(hex1, hex2) {
118 for(var i=
0; i < hex1.length; ++i) {
119 var d1 = parseInt(hex1.charAt(i),
16);
120 var d2 = parseInt(hex2.charAt(i),
16);
122 resultHex = resultHex+resultD.toString(
16);
127 function EncryptNewPassword() {
128 var password = document.getElementById('PASSWORD');
129 var saltvalue = document.getElementById('SERVERSALT');
130 var login = document.getElementById('LOGINTICKET');
131 var newpassword = document.getElementById('NEWPASSWORD');
132 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
133 var username = document.getElementById('USERNAME');
135 // This hashes the newpassword field!
137 hash = hex_sha1(saltvalue.value+password.value+username.value);
138 hash2 = hex_sha1(login.value+hash);
139 var encrypted = XOR_hex_strings(hash2, newpassword.value);
140 newpassword.value = encrypted;
141 newpasswordrep.value = encrypted;
145 function add_cgiparam(elem, attr, param) {
146 var elems = document.getElementsByTagName(elem);
147 for (var i =
0; i < elems.length; i++)
149 var n=elems[i][attr].indexOf(
"?");
151 elems[i][attr] = elems[i][attr] +
"?" + param;
153 elems[i][attr] = elems[i][attr] +
"&" + param;
157 function remove_cgiparam(elem, attr, parameter) {
158 var elems = document.getElementsByTagName(elem);
159 for (var i =
0; i < elems.length; i++)
161 var n=elems[i][attr].indexOf(
"&"+parameter);
163 elems[i][attr] = elems[i][attr].replace(
"&"+param,
"");
164 var n=elems[i][attr].indexOf(parameter);
166 elems[i][attr] = elems[i][attr].replace(param,
"");
170 function setSessionParameters() {
171 var sessionset = readCookie(
"CGIscriptorSESSION");
172 if(!sessionset.match(/[\S]/))return false;
174 var sessionticket =
"";
175 sessionticket = sessionStorage.getItem(
"CGIscriptorPRIVATE");
176 createCookie(
"CGIscriptorSESSION",sessionticket,
1,
"/Private");
178 // Without cookies, use this
179 // var sessionparm = document.getElementById('SESSIONTICKET');
180 // if(sessionparm) sessionparm.value = sessionticket;
181 // add_cgiparam('a', 'href',
"SESSIONTICKET="+sessionticket);
182 // add_cgiparam('form', 'action',
"SESSIONTICKET="+sessionticket);
185 function setChallengeParameters() {
186 var sessionset = readCookie(
"CGIscriptorCHALLENGE");
187 if(!(sessionset && sessionset.match(/[\S]/)))return false;
189 var sessionticket =
"";
190 sessionticket = sessionStorage.getItem(
"CGIscriptorPRIVATE");
191 createCookie(
"CGIscriptorCHALLENGE",sessionticket,
1,
"Private");
193 // Without cookies, use this
194 // var sessionparm = document.getElementById('CHALLENGETICKET');
195 // if(sessionparm) sessionparm.value = sessionticket;
196 // add_cgiparam('a', 'href',
"CHALLENGETICKET="+sessionticket);
197 // add_cgiparam('form', 'action',
"CHALLENGETICKET="+sessionticket);
201 window.onload = function() {
202 var challengeSet = setChallengeParameters();
204 setSessionParameters();
211 <script type=
"text/javascript">
213 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
215 * Version 2.2 Copyright Paul Johnston 2000 - 2009.
216 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
217 * Distributed under the BSD License
218 * See http://pajhome.org.uk/crypt/md5 for details.
222 * Configurable variables. You may need to tweak these to be compatible with
223 * the server-side, but the defaults work in most cases.
225 var hexcase
= 0; /* hex output format. 0 - lowercase; 1 - uppercase */
226 var b64pad
= ""; /* base-64 pad character. "=" for strict RFC compliance */
229 * These are the functions you'll usually want to call
230 * They take string arguments and return either hex or base-64 encoded strings
232 function hex_sha1(s
) { return rstr2hex(rstr_sha1(str2rstr_utf8(s
))); }
233 function b64_sha1(s
) { return rstr2b64(rstr_sha1(str2rstr_utf8(s
))); }
234 function any_sha1(s
, e
) { return rstr2any(rstr_sha1(str2rstr_utf8(s
)), e
); }
235 function hex_hmac_sha1(k
, d
)
236 { return rstr2hex(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
))); }
237 function b64_hmac_sha1(k
, d
)
238 { return rstr2b64(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
))); }
239 function any_hmac_sha1(k
, d
, e
)
240 { return rstr2any(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
)), e
); }
243 * Perform a simple self-test to see if the VM is working
245 function sha1_vm_test()
247 return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
251 * Calculate the SHA1 of a raw string
253 function rstr_sha1(s
)
255 return binb2rstr(binb_sha1(rstr2binb(s
), s
.length
* 8));
259 * Calculate the HMAC-SHA1 of a key and some data (raw strings)
261 function rstr_hmac_sha1(key
, data
)
263 var bkey
= rstr2binb(key
);
264 if(bkey
.length
> 16) bkey
= binb_sha1(bkey
, key
.length
* 8);
266 var ipad
= Array(16), opad
= Array(16);
267 for(var i
= 0; i
< 16; i
++)
269 ipad
[i
] = bkey
[i
] ^ 0x36363636;
270 opad
[i
] = bkey
[i
] ^ 0x5C5C5C5C;
273 var hash
= binb_sha1(ipad
.concat(rstr2binb(data
)), 512 + data
.length
* 8);
274 return binb2rstr(binb_sha1(opad
.concat(hash
), 512 + 160));
278 * Convert a raw string to a hex string
280 function rstr2hex(input
)
282 try { hexcase
} catch(e
) { hexcase
=0; }
283 var hex_tab
= hexcase
? "0123456789ABCDEF" : "0123456789abcdef";
286 for(var i
= 0; i
< input
.length
; i
++)
288 x
= input
.charCodeAt(i
);
289 output
+= hex_tab
.charAt((x
>>> 4) & 0x0F)
290 + hex_tab
.charAt( x
& 0x0F);
296 * Convert a raw string to a base-64 string
298 function rstr2b64(input
)
300 try { b64pad
} catch(e
) { b64pad
=''; }
301 var tab
= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
303 var len
= input
.length
;
304 for(var i
= 0; i
< len
; i
+= 3)
306 var triplet
= (input
.charCodeAt(i
) << 16)
307 | (i
+ 1 < len
? input
.charCodeAt(i
+1) << 8 : 0)
308 | (i
+ 2 < len
? input
.charCodeAt(i
+2) : 0);
309 for(var j
= 0; j
< 4; j
++)
311 if(i
* 8 + j
* 6 > input
.length
* 8) output
+= b64pad
;
312 else output
+= tab
.charAt((triplet
>>> 6*(3-j
)) & 0x3F);
319 * Convert a raw string to an arbitrary string encoding
321 function rstr2any(input
, encoding
)
323 var divisor
= encoding
.length
;
324 var remainders
= Array();
325 var i
, q
, x
, quotient
;
327 /* Convert to an array of 16-bit big-endian values, forming the dividend */
328 var dividend
= Array(Math
.ceil(input
.length
/ 2));
329 for(i
= 0; i
< dividend
.length
; i
++)
331 dividend
[i
] = (input
.charCodeAt(i
* 2) << 8) | input
.charCodeAt(i
* 2 + 1);
335 * Repeatedly perform a long division. The binary array forms the dividend,
336 * the length of the encoding is the divisor. Once computed, the quotient
337 * forms the dividend for the next step. We stop when the dividend is zero.
338 * All remainders are stored for later use.
340 while(dividend
.length
> 0)
344 for(i
= 0; i
< dividend
.length
; i
++)
346 x
= (x
<< 16) + dividend
[i
];
347 q
= Math
.floor(x
/ divisor
);
349 if(quotient
.length
> 0 || q
> 0)
350 quotient
[quotient
.length
] = q
;
352 remainders
[remainders
.length
] = x
;
356 /* Convert the remainders to the output string */
358 for(i
= remainders
.length
- 1; i
>= 0; i
--)
359 output
+= encoding
.charAt(remainders
[i
]);
361 /* Append leading zero equivalents */
362 var full_length
= Math
.ceil(input
.length
* 8 /
363 (Math
.log(encoding
.length
) / Math
.log(2)))
364 for(i
= output
.length
; i
< full_length
; i
++)
365 output
= encoding
[0] + output
;
371 * Encode a string as utf-8.
372 * For efficiency, this assumes the input is valid utf-16.
374 function str2rstr_utf8(input
)
380 while(++i
< input
.length
)
382 /* Decode utf-16 surrogate pairs */
383 x
= input
.charCodeAt(i
);
384 y
= i
+ 1 < input
.length
? input
.charCodeAt(i
+ 1) : 0;
385 if(0xD800 <= x
&& x
<= 0xDBFF && 0xDC00 <= y
&& y
<= 0xDFFF)
387 x
= 0x10000 + ((x
& 0x03FF) << 10) + (y
& 0x03FF);
391 /* Encode output as utf-8 */
393 output
+= String
.fromCharCode(x
);
395 output
+= String
.fromCharCode(0xC0 | ((x
>>> 6 ) & 0x1F),
398 output
+= String
.fromCharCode(0xE0 | ((x
>>> 12) & 0x0F),
399 0x80 | ((x
>>> 6 ) & 0x3F),
401 else if(x
<= 0x1FFFFF)
402 output
+= String
.fromCharCode(0xF0 | ((x
>>> 18) & 0x07),
403 0x80 | ((x
>>> 12) & 0x3F),
404 0x80 | ((x
>>> 6 ) & 0x3F),
411 * Encode a string as utf-16
413 function str2rstr_utf16le(input
)
416 for(var i
= 0; i
< input
.length
; i
++)
417 output
+= String
.fromCharCode( input
.charCodeAt(i
) & 0xFF,
418 (input
.charCodeAt(i
) >>> 8) & 0xFF);
422 function str2rstr_utf16be(input
)
425 for(var i
= 0; i
< input
.length
; i
++)
426 output
+= String
.fromCharCode((input
.charCodeAt(i
) >>> 8) & 0xFF,
427 input
.charCodeAt(i
) & 0xFF);
432 * Convert a raw string to an array of big-endian words
433 * Characters >255 have their high-byte silently ignored.
435 function rstr2binb(input
)
437 var output
= Array(input
.length
>> 2);
438 for(var i
= 0; i
< output
.length
; i
++)
440 for(var i
= 0; i
< input
.length
* 8; i
+= 8)
441 output
[i
>>5] |= (input
.charCodeAt(i
/ 8) & 0xFF) << (24 - i
% 32);
446 * Convert an array of big-endian words to a string
448 function binb2rstr(input
)
451 for(var i
= 0; i
< input
.length
* 32; i
+= 8)
452 output
+= String
.fromCharCode((input
[i
>>5] >>> (24 - i
% 32)) & 0xFF);
457 * Calculate the SHA-1 of an array of big-endian words, and a bit length
459 function binb_sha1(x
, len
)
462 x
[len
>> 5] |= 0x80 << (24 - len
% 32);
463 x
[((len
+ 64 >> 9) << 4) + 15] = len
;
472 for(var i
= 0; i
< x
.length
; i
+= 16)
480 for(var j
= 0; j
< 80; j
++)
482 if(j
< 16) w
[j
] = x
[i
+ j
];
483 else w
[j
] = bit_rol(w
[j
-3] ^ w
[j
-8] ^ w
[j
-14] ^ w
[j
-16], 1);
484 var t
= safe_add(safe_add(bit_rol(a
, 5), sha1_ft(j
, b
, c
, d
)),
485 safe_add(safe_add(e
, w
[j
]), sha1_kt(j
)));
493 a
= safe_add(a
, olda
);
494 b
= safe_add(b
, oldb
);
495 c
= safe_add(c
, oldc
);
496 d
= safe_add(d
, oldd
);
497 e
= safe_add(e
, olde
);
499 return Array(a
, b
, c
, d
, e
);
504 * Perform the appropriate triplet combination function for the current
507 function sha1_ft(t
, b
, c
, d
)
509 if(t
< 20) return (b
& c
) | ((~b
) & d
);
510 if(t
< 40) return b
^ c
^ d
;
511 if(t
< 60) return (b
& c
) | (b
& d
) | (c
& d
);
516 * Determine the appropriate additive constant for the current iteration
520 return (t
< 20) ? 1518500249 : (t
< 40) ? 1859775393 :
521 (t
< 60) ? -1894007588 : -899497514;
525 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
526 * to work around bugs in some JS interpreters.
528 function safe_add(x
, y
)
530 var lsw
= (x
& 0xFFFF) + (y
& 0xFFFF);
531 var msw
= (x
>> 16) + (y
>> 16) + (lsw
>> 16);
532 return (msw
<< 16) | (lsw
& 0xFFFF);
536 * Bitwise rotate a 32-bit number to the left.
538 function bit_rol(num
, cnt
)
540 return (num
<< cnt
) | (num
>>> (32 - cnt
));
546 <p ALIGN=RIGHT
><a href=
"index.html?LOGOUT">Logout
</a></p>
547 <p ALIGN=RIGHT
><a href=
"index.html">Home page
</a></p>
548 <h1 align=CENTER
>Change your password
</h1>
554 <form method=
"POST" action=
"index.html" id=
"LoginForm"
555 onSubmit='if(! check_password_fields())return false;EncryptNewPassword();HashPassword(
"<SCRIPT TYPE="text/ssperl
">
556 $RANDOMSALT</SCRIPT>");true'
>
557 <div style=
"margin-left: 30%; margin-right: 30%; text-align: left">
560 <td style=
"text-align: right">Old Password:
</td>
561 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"PASSWORD" id=
"PASSWORD" size=
"20" /></td>
564 <td style=
"text-align: right">New Password:
</td>
565 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"NEWPASSWORD" id=
"NEWPASSWORD" size=
"20" />
569 <td style=
"text-align: right">Repeat:
</td>
570 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"NEWPASSWORDREP" id=
"NEWPASSWORDREP" size=
"20" onChange=
"check_password_fields();"/></td>
574 <td style=
"text-align: left"><input type=
"submit" id=
"SUBMIT" value=
"Change" style=
"color: Gray" /></td>
577 <input type=
"hidden" name=
"USERNAME" id=
"USERNAME" size=
"20" value=
<SCRIPT type=
"text/ssperl">$LOGINUSERNAME
</SCRIPT> />
578 <input type=
"hidden" name=
"SERVERSALT" id=
"SERVERSALT" value=
"<SCRIPT TYPE="text/ssperl
">$SERVERSALT</SCRIPT>" />
579 <input type=
"hidden" name=
"RANDOMSALT" id=
"RANDOMSALT" value=
"<SCRIPT TYPE="text/ssperl
">$RANDOMSALT</SCRIPT>" />
580 <input type=
"hidden" name=
"LOGINTICKET" id=
"LOGINTICKET" value=
"<SCRIPT TYPE="text/ssperl
">$LOGINTICKET</SCRIPT>" />
581 <input type=
"hidden" name=
"SESSIONTICKET" id=
"SESSIONTICKET"value=
"" />
582 <input type=
"hidden" name=
"CHALLENGETICKET" id=
"CHALLENGETICKET" value=
"" />
586 The Salt and Ticket values are all created using SHA1 on
512 Byte of output from
<em>/dev/urandom
</em> in HEX.
588 <FONT STYLE=
"font-size:small">
589 <p> Example Login page for CGIscriptor.pl
<br />
590 Copyright
© 2012 R.J.J.H. van Son
<br />
591 This program is free software: you can redistribute it and/or modify
592 it under the terms of the GNU General Public License as published by
593 the Free Software Foundation, either version
3 of the License, or
594 (at your option) any later version.
595 This program is distributed in the hope that it will be useful,
596 but WITHOUT ANY WARRANTY; without even the implied warranty of
597 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
598 GNU General Public License for more details.
<br />
599 You should have received a copy of the GNU General Public License
600 along with this program. If not, see
<a href=
"http://www.gnu.org/licenses/">http://www.gnu.org/licenses/
</a>.
</p>
601 <p> JavaScript implementation of the Secure Hash Algorithm, SHA-
1, as defined in FIPS
180-
1<br />
602 Copyright
© 2000 -
2009 Paul Johnston, Version
2.2<br />
603 Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
<br />
604 Distributed under the BSD License
<br />
605 See
<a href=
"http://pajhome.org.uk/crypt/md5">http://pajhome.org.uk/crypt/md5
</a> for details.