Author Topic: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch  (Read 9557 times)

Offline tangaishi

  • Newbie
  • *
  • Posts: 4
hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« on: December 22, 2007, 03:54:35 AM »

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,568
    • http://SKaero.com/
Re: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« Reply #1 on: December 22, 2007, 07:20:06 PM »
Nice plug-in! Thanks for the post!

Offline MHOS

  • Newbie
  • *
  • Posts: 5
Re: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« Reply #2 on: January 01, 2008, 09:11:22 PM »
Hello everyone,

First off Thank you for making this plugin and Thank you to the Entire RoundCube Staff.
I see alot of potential within these codes.

I'm running Windows 2000 with hMailServer using an External install of MySQL with the Latest stable version of RoundCube.
I have edited all of the files that needed to be edited and eveyting seemed to work fine untill I try to change my password.

I logged into a test account and went to the password tab typed the old password in and then the new password twice.
It comes up with the green box stating Successfully Saved.
I then logged out and closed my web browser.
Reopened my web browser and went to my RoundCube page. Tryed to login with the new password but the password was not changed.
I would relay like to get this working. I'm running a website for the Virginia Beach Elk's Lodge #2268 and trying to bring them to the 21 century.
I made a back up of all the files that needed to be edited and manualy edited the files that were listed in this post.
After I manualy edited the files and could not get it to work. I decided to try the files in the attachment.

I'm still having no luck with changing the password. I would realy like to get this working so I can setup accounts with a temp password then have the users change them when they login.

Thanks for the read and keep up the good work! ;)


..:::EDIT:::..

Do I need Cpanel or any other admin tools to do this?

Offline tangaishi

  • Newbie
  • *
  • Posts: 4
Re: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« Reply #3 on: January 02, 2008, 10:51:42 PM »
I'm afraid that you must debug it yourself.

maybe you meet a sql error, add one line “log=d:\hMailServer\MySQL\mysql.log” to your MySQL config file and you'll see many logs.

after you click "save" new password, open your sql log file and scroll to the end of the file. then scroll up, you'll find the recently "UPDATE hmailserver.hm_accounts SET accountpassword= md5 ........." query.

copy it to your phpMyAdmin or MySQL cmd and run it, you'll get some prompt and see the accountpassword section changed or not.

I guess that your use a External MySQL and the default hmailserver.hm_accounts db name was changed by you, so you must change it to the real db name in this patch.

good luck! :)

Offline MHOS

  • Newbie
  • *
  • Posts: 5
Re: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« Reply #4 on: January 03, 2008, 06:50:47 PM »
Thank you so much for the reply.

I was thinking that might be the problme. When I created the DB I named it webmail.

I changed it in the command and it worked.
Code: [Select]
$sql_query = " UPDATE webmail.hm_accounts SET accountpassword= md5(\"$newpasswd\") WHERE accountaddress = \"" . $_SESSION['username'] . "\" AND accountpassword = md5(\"$curpasswd\")" ;

Thank you for the help.
 :D

Offline tangaishi

  • Newbie
  • *
  • Posts: 4
Re: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« Reply #5 on: January 03, 2008, 08:55:42 PM »
naming mta db as webmail is not a good idea, hMailServer is not a webmail, but a mta, RoundCube is webmail.

hMailServer should fill in the default db name with hmailserver when user chose use a external database, so it's more stronger and compatible for webmail.

Offline MHOS

  • Newbie
  • *
  • Posts: 5
Re: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« Reply #6 on: January 04, 2008, 04:51:02 PM »
Hey tangaishi,

Thanks for the advise. Ill change it back to the default.
When I set this up in the beginning it was just to test hMailServer.

Offline valqk

  • Newbie
  • *
  • Posts: 4
Re: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« Reply #7 on: January 11, 2008, 05:58:29 AM »
Hi guys,
thanks for the great help, would have took me a day to trace the framework.

I'm using postfix admin (pfa, pfadmin) for administration and postgresql (pgsql,postgres) for database.
I have scheme webmail. and postfix. so I can easy change my pass(no need of external db connection).

here is the function that changes the pass:

/*
//works only with md5crypt type encryption set from postfixadmin. for other types, please check the crypt() part below.
My postfix table for the users is in another pg schema, so I simply add rights to the webmail user to make updates there.
This code is easy modifiable to make a new connection to other db/server and use it to change pass.
Please take a look to the select/update queries because this probably won't work for you.
GRANT SELECT,UPDATE on postfix.mailbox to webmail;
*/
function rcmail_save_passwd($curpasswd, $newpasswd)
{
 global $CONFIG, $_SESSION, $DB,$pfaencrypt;

 $dbcPass = $DB->query('SELECT password FROM postfix.mailbox WHERE username=' . $DB->quote($_SESSION['username']));
 $dbcPass = $DB->fetch_array($dbcPass);
 $dbcPass = $dbcPass[0];
 $sql_query = " UPDATE postfix.mailbox SET password= " . $DB->quote(crypt($newpasswd))
          . " WHERE username = " . $DB->quote($_SESSION['username'])
              . " AND password = " . $DB->quote(crypt($curpasswd,$dbcPass));
  $sql_result = $DB->query($sql_query);
  if ($DB->affected_rows())
  {
  $_SESSION['password'] = encrypt_passwd($newpasswd);
  }
 return($DB->affected_rows());
}

Offline Panther256

  • Newbie
  • *
  • Posts: 1
Re: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« Reply #8 on: February 02, 2008, 07:10:17 PM »
(FYI)

We had an issue with the hack when using multiple domains. The appended domain would use username@mail.domain.com and the hack could not update the database. (Related to using full email as a login as opposed to just the part before the @ sign)

We edited the password.inc file and added the following line before the SQL statement:

 $chk_host = str_ireplace("mail.","",$_SESSION['username']);

and replaced the $_SESSION['username'] with our variable $chk_host in the SQL build.

Works for us now....

Offline claud43

  • Newbie
  • *
  • Posts: 3
Re: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« Reply #9 on: February 26, 2008, 12:39:05 AM »
It is possible to control an incorrect password. Example: If the password is not the same as the mysql responds error.

thanks

Offline tangaishi

  • Newbie
  • *
  • Posts: 4
Re: hMailServer+internal MySQL+RoundCube0.1RC2+change password patch
« Reply #10 on: February 26, 2008, 01:39:14 AM »
in fact I don't think it's necessary to classify the errors, if your system run correctly, the only possible of error is incorrect inputted password.