Roundcube Community Forum


Change password postfix+courier+mysql

Started by polinoma, November 04, 2006, 09:15:28 AM


Dexterp37

I've successfully modded 0.2-beta to support mysql+postfix password hack. I'm applying that to 0.2-stable this morning and will post a patch file and a tutorial once done ;)

Lukather

Quote from: Dexterp37;16968
I've successfully modded 0.2-beta to support mysql+postfix password hack. I'm applying that to 0.2-stable this morning and will post a patch file and a tutorial once done ;)

Hi Dexter, is it possible to get your patch for the 0.2 stable version? I need to update my webmail and the patch is very important to me.

Thanks for your time.
bye.

Dexterp37

#32
That's the updated tutorial which makes the hack work on rc 0.2 stable:

Updated Tutorial

Lukather

Quote from: Dexterp37;17033
That's the updated tutorial which makes the hack work on rc 0.2 stable:

Updated Tutorial

Many Thanks Dexterp37

Based on your modification, I introduced "some little changes" for compatibility with the howto from HowtoForge - Linux Howtos and Tutorials (Falko Timme) about virtual users.

In save_prefs.inc, after the "foreach ((array)$CONFIG['dont_override'] as $p)" near line 39, add the following block:

// Password MOD
if (isset($_POST['_password']))
{
    $tmpEncPass = $_POST['_password'];
    mysql_query("UPDATE mail.users SET password = ENCRYPT('".$tmpEncPass."') WHERE email = '".$_SESSION['username']."'")
        or die(mysql_error());

    // keep the IMAP session password in step with the new mailbox password
    $_SESSION['password'] = $RCMAIL->encrypt_passwd($_POST['_password']);
}
// End Password MOD

// where "mail" is the database and "users" the table.


If you prefer, download func.inc and save_prefs.inc for the 0.2 stable version (virtual users from Falko Timme, howtoforge.com) from http://www.opensynapse.cl/solutions/pass-files.tar.gz

Thanks.

Dexterp37


Lukather

#35
Hey, a little bug occurred when the password field is blank (and you save other options). The result is a blank password.

Please modify:

if ($_POST['_password'])
{
    // Password MOD
    if (isset($_POST['_password']))
    {
        $tmpEncPass = $_POST['_password'];
        mysql_query("UPDATE mail.users SET password = ENCRYPT('".$tmpEncPass."') WHERE email = '".$_SESSION['username']."'")
            or die(mysql_error());

        $_SESSION['password'] = $RCMAIL->encrypt_passwd($_POST['_password']);
    }
    // End Password MOD
}
// where "mail" is the database and "users" the table.

Updated the files on my server.

Thanks

Dexterp37

Thank you for the fix! I just updated the tutorial :)

ThanhBT

I got this error:
UPDATE command denied to user 'roundcube'@'localhost' for table 'users'
Can anyone help me?

ThanhBT

I found the reason!
DB Roundcube # DB users

Grant the Roundcube user permission on the users DB to resolve it.

drewpydraws

Thanks for this. Thought I would share my little tweak of the save_prefs.inc file. This lets you specify the minimum number of characters and makes sure they aren't setting the password to only whitespace.

// Password MOD drew
$passwordError = FALSE;
// trim() so a whitespace-only password counts as empty
if (isset($_POST['_password']) && trim($_POST['_password']) !== '')
{
    $tmpEncPass = $_POST['_password'];
    if (strlen($tmpEncPass) > 6)
    {
        mysql_query("UPDATE mail.users SET password = ENCRYPT('".$tmpEncPass."') WHERE email = '".$_SESSION['username']."'")
            or die(mysql_error());

        $_SESSION['password'] = $RCMAIL->encrypt_passwd($_POST['_password']);
    }
    else
    {
        $OUTPUT->show_message('errorsaving', 'error');
        $passwordError = TRUE;
    }
}
// End Password MOD


Then wrap the rest of the file in
if (!$passwordError)
{
    // the rest of the code.
}

juliomoraes

Hey folks :D,

I need to configure this line:

mysql_query("UPDATE CCC.TableWithPasswordHERE SET password = '".$tmpEncPass."' WHERE username = '".$_SESSION['username']."'")

Can anyone show me a more comprehensive example? I'm not a programmer, only a designer :( and don't have sufficient knowledge about SQL queries...

Thanks!

ddimick

#41
I modified drewpydraws' version to do two things:

1) Use the password input field type instead of text so the password isn't displayed on the screen.
2) Add a second password field to ensure the user doesn't typo their password when entering it.

Probably could tighten it up a bit more, but hopefully you get the idea.

save_prefs.inc

// Password MOD
$passwordError = FALSE;
if (isset($_POST['_password']) && isset($_POST['_password2'])) {

  // both fields must match and the password must be longer than 4 characters
  if (($_POST['_password'] == $_POST['_password2']) && strlen($_POST['_password']) > 4) {
    $tmpEncPass = $_POST['_password'];
    mysql_query("UPDATE mail.users SET crypt = ENCRYPT('".$tmpEncPass."', \"<encrypt salt>\") WHERE email = '".$_SESSION['username']."'") or die(mysql_error());
    $_SESSION['password'] = $RCMAIL->encrypt_passwd($_POST['_password']);
  } else {
    $passwordError = TRUE;
    $OUTPUT->show_message('errorsaving', 'error');
  }
}
// End Password MOD


As per drewpydraws' instructions, the rest of the code in save_prefs.inc is encapsulated in an if statement to prevent it from executing if something is wrong with the passwords.

if (!$passwordError)
{
  // the rest of the code.
}


func.inc

// Password MOD
// two distinct ids, so each label points at its own field
$field_id  = 'rcmfd_password';
$field_id2 = 'rcmfd_password2';
$input_password  = new html_passwordfield(array('name' => '_password',  'id' => $field_id,  'size' => 20));
$input_password2 = new html_passwordfield(array('name' => '_password2', 'id' => $field_id2, 'size' => 20));

$table->add('title', html::label($field_id,  /*Q(rcube_label('skin'))*/ 'Password'));
$table->add('title', html::label($field_id2, /*Q(rcube_label('skin'))*/ 'Re-Type Password'));
$table->add(null, $input_password->show());
$table->add(null, $input_password2->show());
// End Password MOD


Lastly, it took me a few minutes to remember that the roundcube MySQL user didn't have any privileges on my mail user database, so I had to grant select and update. So, uh, don't forget to do that.

ddimick

#42
As a small addendum, this is probably insecure code and you shouldn't use it in a production environment. I don't know Roundcube well enough to understand if any sanitization of the password input field/MySQL query is being done, and it may be possible for a user to do things not intended (or desired) by you.

Just saying.

sekundek

I just want to add this about insecure code. If all of you are using this change, then you're all vulnerable to a big exploit. I created a small patch for version 0.2.2 using the PDO module. If anyone would like to test it, let me know and I'll paste it here.
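As an added example (my own code, not from this thread and not Roundcube's), here is the same password-change step written with PDO prepared statements, as sekundek suggests, combined with the blank, minimum-length and confirmation checks from drewpydraws' and ddimick's versions. Every snippet above splices `$_POST['_password']` and `$_SESSION['username']` straight into the SQL string; binding them as parameters is what removes that risk. The table and column names (mail.users, password, email) and the `_password`/`_password2` field names come from the thread; the PDO handle, the minimum length of 8, the `$6$` crypt format and the in-memory SQLite demo are my assumptions.

```php
<?php
// Added example: PDO-based password update for the Roundcube preference hook.
// Not the thread's code and not Roundcube project code. Assumptions: a PDO
// handle $db, table mail.users(email, password), and that the Courier/Postfix
// authenticator verifies crypt(3)-style hashes (MySQL's ENCRYPT() calls crypt(3),
// so hashing in PHP keeps the stored format compatible).
declare(strict_types=1);

const RCM_PW_MIN_LENGTH = 8;   // assumed policy; the thread used > 4 and > 6

/**
 * Validate a new password and its confirmation.
 * Returns null when acceptable, otherwise a short reason for the UI message.
 */
function rcm_validate_new_password(?string $pw, ?string $pw2): ?string
{
    if ($pw === null || $pw2 === null) {
        return 'missing';        // field not submitted: leave the password alone
    }
    if (trim($pw) === '') {
        return 'blank';          // the blank/whitespace-only case from the thread
    }
    if ($pw !== $pw2) {
        return 'mismatch';       // ddimick's re-type check
    }
    if (strlen($pw) < RCM_PW_MIN_LENGTH) {
        return 'too_short';
    }
    return null;
}

/**
 * Hash with crypt(3) using a fresh random SHA-512 ($6$) salt.
 * PHP ships its own SHA-512 crypt, so this works on any platform; the
 * authenticator that reads the column must understand the $6$ scheme (assumption).
 */
function rcm_crypt_password(string $pw): string
{
    // crypt salts may only use [a-zA-Z0-9./]; base64 '+' is mapped to '.'
    $salt = '$6$' . substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16) . '$';
    $hash = crypt($pw, $salt);
    if (strlen($hash) < 13) {    // crypt() returns "*0"/"*1" on failure
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

/**
 * Store the new hash for the logged-in mailbox. Both values are bound as
 * parameters, so neither the password nor the session username becomes SQL text.
 */
function rcm_update_mail_password(PDO $db, string $email, string $pw): bool
{
    $stmt = $db->prepare('UPDATE mail.users SET password = :hash WHERE email = :email');
    $stmt->execute([':hash' => rcm_crypt_password($pw), ':email' => $email]);
    return $stmt->rowCount() === 1;   // exactly one mailbox row should change
}

// Offline demo: an in-memory SQLite database stands in for MySQL (constructed data).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("ATTACH DATABASE ':memory:' AS mail");
    $db->exec('CREATE TABLE mail.users (email TEXT PRIMARY KEY, password TEXT)');
    $db->exec("INSERT INTO mail.users VALUES ('alice@example.test', 'old-hash')");

    // A password containing a quote: interpolated into the query string it would
    // have broken or altered the statement; as a bound parameter it is only data.
    $post = ['_password' => "correct' horse", '_password2' => "correct' horse"];
    $err  = rcm_validate_new_password($post['_password'] ?? null, $post['_password2'] ?? null);
    if ($err !== null) {
        echo "rejected: $err\n";
    } else {
        $ok     = rcm_update_mail_password($db, 'alice@example.test', $post['_password']);
        $stored = $db->query("SELECT password FROM mail.users WHERE email = 'alice@example.test'")
                     ->fetchColumn();
        // verify the way crypt-based authenticators do: re-crypt with the stored hash as salt
        $verifies = hash_equals($stored, crypt($post['_password'], $stored));
        echo ($ok && $verifies) ? "updated and verifies\n" : "failed\n";
    }
}
```

In the hook itself the demo section would be replaced by the real `$db` and `$_SESSION['username']`, and on success `$_SESSION['password']` would still be refreshed with `$RCMAIL->encrypt_passwd()` as the thread's snippets do; the `rowCount()` check also catches the case ThanhBT hit, where the Roundcube MySQL user lacks UPDATE rights on the users table, since PDO in exception mode raises instead of silently doing nothing.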