3 <title>Change Password
</title>
4 <SCRIPT TYPE=
"text/ssperl" CGI='$SERVERSALT $SESSIONTICKET $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'
>
5 ::create_login_file(
"~/Private/.Passwords",
"~/Private/.Sessions", $REMOTE_ADDR);
8 <SCRIPT type=
"text/javascript" LANGUAGE=
"JavaScript">
9 function createCookie(name,value,days,path) {
11 var date = new Date();
12 date.setTime(date.getTime()+(days*
24*
60*
60*
1000));
13 var expires =
"; expires="+date.toGMTString();
15 else var expires =
"";
16 document.cookie = name+
"="+value+expires+
"; path=/"+path;
19 function readCookie(name) {
20 var nameEQ = name +
"=";
21 var ca = document.cookie.split(';');
22 for(var i=
0;i < ca.length;i++) {
24 while (c.charAt(
0)==' ') c = c.substring(
1,c.length);
25 if (c.indexOf(nameEQ) ==
0) return c.substring(nameEQ.length,c.length);
30 function check_password_fields ( ) {
31 var newpassword = document.getElementById('NEWPASSWORD');
32 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
33 if(newpassword.value ==
"" || newpasswordrep.value ==
"") {
34 alert(
"No passwords");
37 if(newpassword.value == newpasswordrep.value) {
38 var submitbutton = document.getElementById('SUBMIT');
39 submitbutton.style.color =
"Black";
42 alert(
"Passwords differ");
46 function eraseCookie(name) {
47 createCookie(name,
"",-
1);
50 // Combine the PASSWORD with the site SERVERSALT and hash it
51 // Combine this Hash iwth the extra SERVERSALT, and hash them
52 function HashPassword(extsalt) {
55 var passwordvalue = document.getElementById('PASSWORD');
56 if(passwordvalue.value ==
"")
58 var saltvalue = document.getElementById('SERVERSALT');
59 hash1 = hex_sha1(saltvalue.value+passwordvalue.value);
61 hash2 = hex_sha1(extsalt+hash1);
64 passwordvalue.value = hash2;
67 // Remember to hash the repeat too! Or else it will be send in the clear
68 function HashNewPassword() {
70 var newpassword = document.getElementById('NEWPASSWORD');
71 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
72 if(newpassword.value ==
"" ) {
73 newpassword.value =
"";
76 if(newpasswordrep && (newpasswordrep.value ==
""|| newpassword.value != newpasswordrep.value)) {
77 newpassword.value =
"";
78 newpasswordrep.value =
"";
81 var saltvalue = document.getElementById('SERVERSALT');
82 hash1 = hex_sha1(saltvalue.value+newpassword.value);
83 newpassword.value = hash1;
84 newpasswordrep.value = hash1;
88 function XOR_hex_strings(hex1, hex2) {
90 for(var i=
0; i < hex1.length; ++i) {
91 var d1 = parseInt(hex1.charAt(i),
16);
92 var d2 = parseInt(hex2.charAt(i),
16);
94 resultHex = resultHex+resultD.toString(
16);
99 function EncryptNewPassword() {
100 var password = document.getElementById('PASSWORD');
101 var saltvalue = document.getElementById('SERVERSALT');
102 var newpassword = document.getElementById('NEWPASSWORD');
103 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
106 hash = hex_sha1(saltvalue.value+password.value);
107 var encrypted = XOR_hex_strings(hash, newpassword.value);
108 newpassword.value = encrypted;
109 newpasswordrep.value = encrypted;
113 function add_cgiparam(elem, attr, param) {
114 var elems = document.getElementsByTagName(elem);
115 for (var i =
0; i < elems.length; i++)
117 var n=elems[i][attr].indexOf(
"?");
119 elems[i][attr] = elems[i][attr] +
"?" + param;
121 elems[i][attr] = elems[i][attr] +
"&" + param;
125 function remove_cgiparam(elem, attr, parameter) {
126 var elems = document.getElementsByTagName(elem);
127 for (var i =
0; i < elems.length; i++)
129 var n=elems[i][attr].indexOf(
"&"+parameter);
131 elems[i][attr] = elems[i][attr].replace(
"&"+param,
"");
132 var n=elems[i][attr].indexOf(parameter);
134 elems[i][attr] = elems[i][attr].replace(param,
"");
138 window.onload = function() {
139 var sessionticket = readCookie(
"CGIscriptor");
140 if(document.location.href.indexOf(
"SESSIONTICKET") <
0) {
141 if(document.location.href.indexOf(
"?") <
0)
142 document.location.href = document.location.href+
"?SESSIONTICKET="+sessionticket;
144 document.location.href = document.location.href+
"&SESSIONTICKET="+sessionticket;
146 var sessionparm = document.getElementById('SESSIONTICKET');
147 if(sessionparm) sessionparm.value = sessionticket;
148 add_cgiparam('a', 'href',
"SESSIONTICKET="+sessionticket);
149 add_cgiparam('form', 'action',
"SESSIONTICKET="+sessionticket);
155 <script type=
"text/javascript">
157 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
159 * Version 2.2 Copyright Paul Johnston 2000 - 2009.
160 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
161 * Distributed under the BSD License
162 * See http://pajhome.org.uk/crypt/md5 for details.
166 * Configurable variables. You may need to tweak these to be compatible with
167 * the server-side, but the defaults work in most cases.
169 var hexcase
= 0; /* hex output format. 0 - lowercase; 1 - uppercase */
170 var b64pad
= ""; /* base-64 pad character. "=" for strict RFC compliance */
173 * These are the functions you'll usually want to call
174 * They take string arguments and return either hex or base-64 encoded strings
176 function hex_sha1(s
) { return rstr2hex(rstr_sha1(str2rstr_utf8(s
))); }
177 function b64_sha1(s
) { return rstr2b64(rstr_sha1(str2rstr_utf8(s
))); }
178 function any_sha1(s
, e
) { return rstr2any(rstr_sha1(str2rstr_utf8(s
)), e
); }
179 function hex_hmac_sha1(k
, d
)
180 { return rstr2hex(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
))); }
181 function b64_hmac_sha1(k
, d
)
182 { return rstr2b64(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
))); }
183 function any_hmac_sha1(k
, d
, e
)
184 { return rstr2any(rstr_hmac_sha1(str2rstr_utf8(k
), str2rstr_utf8(d
)), e
); }
187 * Perform a simple self-test to see if the VM is working
189 function sha1_vm_test()
191 return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
195 * Calculate the SHA1 of a raw string
197 function rstr_sha1(s
)
199 return binb2rstr(binb_sha1(rstr2binb(s
), s
.length
* 8));
203 * Calculate the HMAC-SHA1 of a key and some data (raw strings)
205 function rstr_hmac_sha1(key
, data
)
207 var bkey
= rstr2binb(key
);
208 if(bkey
.length
> 16) bkey
= binb_sha1(bkey
, key
.length
* 8);
210 var ipad
= Array(16), opad
= Array(16);
211 for(var i
= 0; i
< 16; i
++)
213 ipad
[i
] = bkey
[i
] ^ 0x36363636;
214 opad
[i
] = bkey
[i
] ^ 0x5C5C5C5C;
217 var hash
= binb_sha1(ipad
.concat(rstr2binb(data
)), 512 + data
.length
* 8);
218 return binb2rstr(binb_sha1(opad
.concat(hash
), 512 + 160));
222 * Convert a raw string to a hex string
224 function rstr2hex(input
)
226 try { hexcase
} catch(e
) { hexcase
=0; }
227 var hex_tab
= hexcase
? "0123456789ABCDEF" : "0123456789abcdef";
230 for(var i
= 0; i
< input
.length
; i
++)
232 x
= input
.charCodeAt(i
);
233 output
+= hex_tab
.charAt((x
>>> 4) & 0x0F)
234 + hex_tab
.charAt( x
& 0x0F);
240 * Convert a raw string to a base-64 string
242 function rstr2b64(input
)
244 try { b64pad
} catch(e
) { b64pad
=''; }
245 var tab
= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
247 var len
= input
.length
;
248 for(var i
= 0; i
< len
; i
+= 3)
250 var triplet
= (input
.charCodeAt(i
) << 16)
251 | (i
+ 1 < len
? input
.charCodeAt(i
+1) << 8 : 0)
252 | (i
+ 2 < len
? input
.charCodeAt(i
+2) : 0);
253 for(var j
= 0; j
< 4; j
++)
255 if(i
* 8 + j
* 6 > input
.length
* 8) output
+= b64pad
;
256 else output
+= tab
.charAt((triplet
>>> 6*(3-j
)) & 0x3F);
263 * Convert a raw string to an arbitrary string encoding
265 function rstr2any(input
, encoding
)
267 var divisor
= encoding
.length
;
268 var remainders
= Array();
269 var i
, q
, x
, quotient
;
271 /* Convert to an array of 16-bit big-endian values, forming the dividend */
272 var dividend
= Array(Math
.ceil(input
.length
/ 2));
273 for(i
= 0; i
< dividend
.length
; i
++)
275 dividend
[i
] = (input
.charCodeAt(i
* 2) << 8) | input
.charCodeAt(i
* 2 + 1);
279 * Repeatedly perform a long division. The binary array forms the dividend,
280 * the length of the encoding is the divisor. Once computed, the quotient
281 * forms the dividend for the next step. We stop when the dividend is zero.
282 * All remainders are stored for later use.
284 while(dividend
.length
> 0)
288 for(i
= 0; i
< dividend
.length
; i
++)
290 x
= (x
<< 16) + dividend
[i
];
291 q
= Math
.floor(x
/ divisor
);
293 if(quotient
.length
> 0 || q
> 0)
294 quotient
[quotient
.length
] = q
;
296 remainders
[remainders
.length
] = x
;
300 /* Convert the remainders to the output string */
302 for(i
= remainders
.length
- 1; i
>= 0; i
--)
303 output
+= encoding
.charAt(remainders
[i
]);
305 /* Append leading zero equivalents */
306 var full_length
= Math
.ceil(input
.length
* 8 /
307 (Math
.log(encoding
.length
) / Math
.log(2)))
308 for(i
= output
.length
; i
< full_length
; i
++)
309 output
= encoding
[0] + output
;
315 * Encode a string as utf-8.
316 * For efficiency, this assumes the input is valid utf-16.
318 function str2rstr_utf8(input
)
324 while(++i
< input
.length
)
326 /* Decode utf-16 surrogate pairs */
327 x
= input
.charCodeAt(i
);
328 y
= i
+ 1 < input
.length
? input
.charCodeAt(i
+ 1) : 0;
329 if(0xD800 <= x
&& x
<= 0xDBFF && 0xDC00 <= y
&& y
<= 0xDFFF)
331 x
= 0x10000 + ((x
& 0x03FF) << 10) + (y
& 0x03FF);
335 /* Encode output as utf-8 */
337 output
+= String
.fromCharCode(x
);
339 output
+= String
.fromCharCode(0xC0 | ((x
>>> 6 ) & 0x1F),
342 output
+= String
.fromCharCode(0xE0 | ((x
>>> 12) & 0x0F),
343 0x80 | ((x
>>> 6 ) & 0x3F),
345 else if(x
<= 0x1FFFFF)
346 output
+= String
.fromCharCode(0xF0 | ((x
>>> 18) & 0x07),
347 0x80 | ((x
>>> 12) & 0x3F),
348 0x80 | ((x
>>> 6 ) & 0x3F),
355 * Encode a string as utf-16
357 function str2rstr_utf16le(input
)
360 for(var i
= 0; i
< input
.length
; i
++)
361 output
+= String
.fromCharCode( input
.charCodeAt(i
) & 0xFF,
362 (input
.charCodeAt(i
) >>> 8) & 0xFF);
366 function str2rstr_utf16be(input
)
369 for(var i
= 0; i
< input
.length
; i
++)
370 output
+= String
.fromCharCode((input
.charCodeAt(i
) >>> 8) & 0xFF,
371 input
.charCodeAt(i
) & 0xFF);
376 * Convert a raw string to an array of big-endian words
377 * Characters >255 have their high-byte silently ignored.
379 function rstr2binb(input
)
381 var output
= Array(input
.length
>> 2);
382 for(var i
= 0; i
< output
.length
; i
++)
384 for(var i
= 0; i
< input
.length
* 8; i
+= 8)
385 output
[i
>>5] |= (input
.charCodeAt(i
/ 8) & 0xFF) << (24 - i
% 32);
390 * Convert an array of big-endian words to a string
392 function binb2rstr(input
)
395 for(var i
= 0; i
< input
.length
* 32; i
+= 8)
396 output
+= String
.fromCharCode((input
[i
>>5] >>> (24 - i
% 32)) & 0xFF);
401 * Calculate the SHA-1 of an array of big-endian words, and a bit length
403 function binb_sha1(x
, len
)
406 x
[len
>> 5] |= 0x80 << (24 - len
% 32);
407 x
[((len
+ 64 >> 9) << 4) + 15] = len
;
416 for(var i
= 0; i
< x
.length
; i
+= 16)
424 for(var j
= 0; j
< 80; j
++)
426 if(j
< 16) w
[j
] = x
[i
+ j
];
427 else w
[j
] = bit_rol(w
[j
-3] ^ w
[j
-8] ^ w
[j
-14] ^ w
[j
-16], 1);
428 var t
= safe_add(safe_add(bit_rol(a
, 5), sha1_ft(j
, b
, c
, d
)),
429 safe_add(safe_add(e
, w
[j
]), sha1_kt(j
)));
437 a
= safe_add(a
, olda
);
438 b
= safe_add(b
, oldb
);
439 c
= safe_add(c
, oldc
);
440 d
= safe_add(d
, oldd
);
441 e
= safe_add(e
, olde
);
443 return Array(a
, b
, c
, d
, e
);
448 * Perform the appropriate triplet combination function for the current
451 function sha1_ft(t
, b
, c
, d
)
453 if(t
< 20) return (b
& c
) | ((~b
) & d
);
454 if(t
< 40) return b
^ c
^ d
;
455 if(t
< 60) return (b
& c
) | (b
& d
) | (c
& d
);
460 * Determine the appropriate additive constant for the current iteration
464 return (t
< 20) ? 1518500249 : (t
< 40) ? 1859775393 :
465 (t
< 60) ? -1894007588 : -899497514;
469 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
470 * to work around bugs in some JS interpreters.
472 function safe_add(x
, y
)
474 var lsw
= (x
& 0xFFFF) + (y
& 0xFFFF);
475 var msw
= (x
>> 16) + (y
>> 16) + (lsw
>> 16);
476 return (msw
<< 16) | (lsw
& 0xFFFF);
480 * Bitwise rotate a 32-bit number to the left.
482 function bit_rol(num
, cnt
)
484 return (num
<< cnt
) | (num
>>> (32 - cnt
));
490 <h1 align=CENTER
>Change your password
</h1>
496 <form method=
"POST" action=
"index.html" id=
"LoginForm"
497 onSubmit='if(! check_password_fields())return false;EncryptNewPassword();HashPassword(
"<SCRIPT TYPE="text/ssperl
">
498 $RANDOMSALT</SCRIPT>");true'
>
499 <div style=
"margin-left: 30%; margin-right: 30%; text-align: left">
502 <td style=
"text-align: right">Old Password:
</td>
503 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"PASSWORD" id=
"PASSWORD" size=
"20" /></td>
506 <td style=
"text-align: right">New Password:
</td>
507 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"NEWPASSWORD" id=
"NEWPASSWORD" size=
"20" />
511 <td style=
"text-align: right">Repeat:
</td>
512 <td style=
"text-align: left"><input type=
"PASSWORD" name=
"NEWPASSWORDREP" id=
"NEWPASSWORDREP" size=
"20" onChange=
"check_password_fields();"/></td>
516 <td style=
"text-align: left"><input type=
"submit" id=
"SUBMIT" value=
"Change" style=
"color: Gray" /></td>
519 <input type=
"hidden" name=
"USERNAME" size=
"20" value=
<SCRIPT type=
"text/ssperl">$LOGINUSERNAME
</SCRIPT> />
520 <input type=
"hidden" name=
"SERVERSALT" id=
"SERVERSALT" value=
"<SCRIPT TYPE="text/ssperl
">$SERVERSALT</SCRIPT>" />
521 <input type=
"hidden" name=
"RANDOMSALT" id=
"RANDOMSALT" value=
"<SCRIPT TYPE="text/ssperl
">$RANDOMSALT</SCRIPT>" />
522 <input type=
"hidden" name=
"LOGINTICKET" value=
"<SCRIPT TYPE="text/ssperl
">$LOGINTICKET</SCRIPT>" />
523 <input type=
"hidden" name=
"SESSIONTICKET" value=
"<SCRIPT TYPE="text/ssperl
">$SESSIONTICKET</SCRIPT>" />
527 The Salt and Ticket values are all created using SHA1 on
512 Byte of output from
<em>/dev/urandom
</em> in HEX.
529 <FONT STYLE=
"font-size:small">
530 <p> Example Login page for CGIscriptor.pl
<br />
531 Copyright
© 2012 R.J.J.H. van Son
<br />
532 This program is free software: you can redistribute it and/or modify
533 it under the terms of the GNU General Public License as published by
534 the Free Software Foundation, either version
3 of the License, or
535 (at your option) any later version.
536 This program is distributed in the hope that it will be useful,
537 but WITHOUT ANY WARRANTY; without even the implied warranty of
538 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
539 GNU General Public License for more details.
<br />
540 You should have received a copy of the GNU General Public License
541 along with this program. If not, see
<a href=
"http://www.gnu.org/licenses/">http://www.gnu.org/licenses/
</a>.
</p>
542 <p> JavaScript implementation of the Secure Hash Algorithm, SHA-
1, as defined in FIPS
180-
1<br />
543 Copyright
© 2000 -
2009 Paul Johnston, Version
2.2<br />
544 Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
<br />
545 Distributed under the BSD License
<br />
546 See
<a href=
"http://pajhome.org.uk/crypt/md5">http://pajhome.org.uk/crypt/md5
</a> for details.