Topic: Password change: rehack for dbmail

Offline mgb
« on: December 21, 2006, 11:29:44 AM »
This is a simple password change for http://dbmail.org/ users.

I used the fine hack http://roundcubeforum.net/forum/index.php?topic=711.0 as a base.
But I changed the function rcmail_save_passwd in program/step/settings/passwd.inc like this:

Code:
function rcmail_save_passwd($curpasswd, $newpasswd){
 // $_SESSION is a superglobal, so it needs no global declaration
 global $CONFIG, $DB;

 // Pass the username as a bound parameter (?) instead of concatenating it into the SQL
 $sql_result = $DB->query('SELECT userid,passwd,encryption_type FROM '.$CONFIG['db_dbmail_user_table'].' WHERE userid = ? LIMIT 1', $_SESSION['username']);
 if($DB->num_rows($sql_result)) {
  $sql_arr = $DB->fetch_assoc($sql_result);
  // Only accounts stored with the md5sum encryption type are handled
  if($sql_arr['encryption_type'] == 'md5sum') {
   // Strict comparison: == would compare hashes of the form 0e<digits> as numbers
   if($sql_arr['passwd'] === md5($curpasswd)) {
    $DB->query('UPDATE '.$CONFIG['db_dbmail_user_table'].' SET passwd = ? WHERE userid = ?', md5($newpasswd), $_SESSION['username']);
    return true;
   } else {
    return false;
   }
  } else {
   return false;
  }
 } else {
  return false;
 }
}

I also added in config/db.inc.php
Code:
// dbmail database
$rcmail_config['db_dbmail_user_table'] = 'dbmail.dbmail_users';

I have my dbmail tables in a database called dbmail and roundcube in ... You guessed it: the roundcube database :o

Therefore I also had to allow my user to select in the dbmail database like so:
Code:
GRANT SELECT,UPDATE ON dbmail.dbmail_users TO 'roundcube'@'localhost' IDENTIFIED BY 'secret';

It's not a pretty hack, but it works.
Oh, and one last thing. When inserting users into the dbmail system with dbmail-users, you should use the -p flag with md5-digest, otherwise the users' attempts to change their password will be futile ;)

I hope it will be useful to some?
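
An added example, not part of the original post: the table-wide GRANT above narrowed to the three columns that rcmail_save_passwd reads and the one column it writes. It assumes MySQL (suggested by the IDENTIFIED BY syntax in the post) and reuses the account and table names from the post.

```sql
-- Constructed example, assuming MySQL column-level privileges.
-- Before (as in the post): the webmail account can read and change
-- every column of dbmail_users.
--   GRANT SELECT,UPDATE ON dbmail.dbmail_users TO 'roundcube'@'localhost';

-- After: remove the table-level grant, then re-grant per column.
REVOKE SELECT, UPDATE ON dbmail.dbmail_users FROM 'roundcube'@'localhost';

-- SELECT on the columns the function reads; userid is also needed
-- because both statements filter on it in their WHERE clause.
GRANT SELECT (userid, passwd, encryption_type)
   ON dbmail.dbmail_users TO 'roundcube'@'localhost';

-- UPDATE on the password column only.
GRANT UPDATE (passwd)
   ON dbmail.dbmail_users TO 'roundcube'@'localhost';

-- Check the result: only column-level entries should remain for this table.
SHOW GRANTS FOR 'roundcube'@'localhost';
```

Column privileges do not restrict rows: the account can still update passwd for any userid, so the WHERE clause in the PHP function remains the only per-user control.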

Offline fmin23
Re: Password change: rehack for dbmail
« Reply #1 on: July 02, 2007, 10:10:36 PM »
Ok, I changed one line in the code, and the resulting code is below. The new line is "$_SESSION['password'] = encrypt_passwd($newpasswd);" and this allows for the session to stay valid. Failure to do so results in the user being locked out until they either clear their cookies or exit/relaunch their browser.

The code works great otherwise! I downloaded the base RC1 and the cPanel 10 patch and ran 'dos2unix' on them and then 'diff' to find where the differences lie. This allowed me to apply these changes to the latest SVN build to take advantage of TinyMCE and other new features. Next time I go through this process I may try to make a patch file available to make this process easier, however there are only a handful of files to edit.

Now if only I had the knowhow and/or motivation to make a drop-in replacement for the ilohamail imap library that can read the messages and do searches by performing queries directly on the dbmail database. It is a shame there do not seem to be a lot of dbmail users even though it is such a quick, efficient way to handle email.

Code:
function rcmail_save_passwd($curpasswd, $newpasswd){
 // $_SESSION is a superglobal, so it needs no global declaration
 global $CONFIG, $DB;

 // Pass the username as a bound parameter (?) instead of concatenating it into the SQL
 $sql_result = $DB->query('SELECT userid,passwd,encryption_type FROM '.$CONFIG['db_dbmail_user_table'].' WHERE userid = ? LIMIT 1', $_SESSION['username']);
 if($DB->num_rows($sql_result)) {
  $sql_arr = $DB->fetch_assoc($sql_result);
  // Only accounts stored with the md5sum encryption type are handled
  if($sql_arr['encryption_type'] == 'md5sum') {
   // Strict comparison: == would compare hashes of the form 0e<digits> as numbers
   if($sql_arr['passwd'] === md5($curpasswd)) {
    $DB->query('UPDATE '.$CONFIG['db_dbmail_user_table'].' SET passwd = ? WHERE userid = ?', md5($newpasswd), $_SESSION['username']);
    // Store the new password in the session so the session stays valid
    $_SESSION['password'] = encrypt_passwd($newpasswd);
    return true;
   } else {
    return false;
   }
  } else {
   return false;
  }
 } else {
  return false;
 }
}