Gossamer Forum
Home : Products : DBMan : Customization :

Password Lookup alternative?

Re: Password Lookup alternative?
Hi! I just saw this posting. I would appreciate it if someone could help me understand what the problem being discussed here is. As far as I know, it is only after a user logs in that he or she can change his or her password. There is no searching function within the mod itself, so I don't see how the user can change the password of the admin. But I may be wrong.

Julian
Re: Password Lookup alternative?
If the user puts in "admin" or the admin's email, it changes the admin's password and emails the admin the new password.

Everything is still secure, but the admin's password just got changed to a new random password because the user typed in admin or the admin email.

Re: Password Lookup alternative?
I just came across a script that does the following:
1) When the user first registers for an account, he must fill in a field called verification. This field would contain a hint to the password that he or she is using.
2) If the user forgets his password and tries to use the password lookup mod, in addition to entering his email address or userid, he must also enter the verification word before the script would email a new password to him.

I was just wondering whether this would be better at preventing someone from changing the admin's password.

Please give your views on this. Thanks.

Julian
Re: Password Lookup alternative?
Well, that's probably not necessary now that this newer addition prevents a user from looking up someone with the admin permission. That's what JPDeni and I just got finished working on.

Re: Password Lookup alternative?
Is this new mod you have done available?


Re: Password Lookup alternative?
Yep! Here is the final mod to the mod that prevents looking up a user with admin permissions.

Use this:
http://www.jpdeni.com/...semi_secure_look.txt


Then in sub lookup, find this section, and replace it with this:

    # Read the password file, keeping every line except the target user's
    open (PASS, "<$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
    if ($db_use_flock) { flock(PASS, 1) }
    @passlines = <PASS>;
    close PASS;
    foreach $passline (@passlines) {
        # \Q...\E quotes the userid so characters such as "." match literally
        if ($passline =~ /^\Q$data[0]\E:/) {
            $passfound = $passline;
            chomp $passline;          # strip the newline before testing the last field
            @data2 = split /:/, $passline;
            if ($data2[6]) {          # field 6 is the admin permission flag
                &html_lookup_form("Not authorized to lookup $in{'lookup'}");
                return;
            }
        }
        else {
            $output .= $passline;
        }
    }

Re: Password Lookup alternative?
Well, I tested out the "fix" and I discovered that I can't request a new password no matter what I enter. This means that even if I key in an email address or a userid that is not admin, it still gives me the error message "Not authorized to lookup for xxxx". I have included the subroutine for the mod below. By the way, my userid is the same as my db_key and it is field number 0. My email address is field number 2.

Thanks.

sub lookup {
# --------------------------------------------------------
# Password lookup: resolve the typed userid or email to a database record,
# refuse admin accounts, then store and mail a freshly generated password.
# @data, @data2, %in, %rec and the $db_*/$auth_* settings are DBMan globals.
    my $found = 0;
    my $passfound = 0;
    my ($line,@lines,$passline,@passlines,$message,@passdata,$outline);
    my $output = '';      # password file rebuilt without the target's line
    my $mailtext = '';
    open (DB, "<$db_file_name") or &cgierr("error in lookup. unable to open db file: $db_file_name.\nReason: $!");
    if ($db_use_flock) { flock(DB, 1); }
    @lines = <DB>;
    close DB;
    # Field 0 is the userid (db_key), field 2 the email address
    foreach $line (@lines) {
        chomp $line;
        @data = &split_decode($line);
        if ((lc($in{'lookup'}) eq lc($data[2])) or ($in{'lookup'} eq $data[0])) {
            $found=1;
            last;
        }
    }
    unless ($found) {
        &html_lookup_form("No record found for $in{'lookup'}");
        return;
    }

    open (PASS, "<$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
    if ($db_use_flock) { flock(PASS, 1) }
    @passlines = <PASS>;
    close PASS;
    foreach $passline (@passlines) {
        # \Q...\E quotes the userid so characters such as "." match literally
        if ($passline =~ /^\Q$data[0]\E:/) {
            $passfound = $passline;
            # chomp before splitting: without it the last field is "0\n",
            # which is true in Perl, so every user looks like an admin and
            # every lookup is refused
            chomp $passline;
            @data2 = split /:/, $passline;
            if ($data2[6]) {          # field 6 is the admin permission flag
                &html_lookup_form("Not authorized to lookup $in{'lookup'}");
                return;
            }
        }
        else {
            $output .= $passline;
        }
    }
    unless ($passfound) {
        &html_lookup_form("$data[0] not found in password file");
        return;
    }

    my $password = &generate_password;

    srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number
    my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
    my $salt = join '', @salt_chars[rand 64, rand 64];
    my $encrypted = crypt($password, $salt);

    chomp $passfound;
    @passdata = split (/:/, $passfound);

    $passdata[1] = $encrypted;        # replace the stored hash (element, not a slice)
    $outline = join ':',@passdata;
    $output .= $outline . "\n";

    # Note: ">" truncates the file before the exclusive lock is obtained
    open (PASS, ">$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
    if ($db_use_flock) {
        flock(PASS, 2) or &cgierr("unable to get exclusive lock on $auth_pw_file.\nReason: $!");
    }
    print PASS $output;
    close PASS;

    # %rec and $db_email_field are assumed to be populated elsewhere in DBMan
    $mailtext = "To: $rec{$db_email_field}\n";
    $mailtext .= "From: $admin_email\n";
    $mailtext .= "Subject: $db_name Account Information\n\n";
    $mailtext .= "-" x 60 . "\n\n";

    $mailtext .= "You requested your $db_name account information:\n\n";

    $mailtext .= "Your $db_name Student/InstructorID is: $data[$auth_user_field]\n";
    $mailtext .= "Your $db_name password is: $password\n\n";

    $mailtext .= "please contact $db_name support at: $admin_email\n";
    $mailtext .= "if you have any questions.\n\n";
    $mailtext .= "Please note that the new password sent to you is not the original one.\n\n";

    if ($db_debug) { $message = $mailtext; }
    else {
        open (MAIL, "$mailprog") || &cgierr ("Can't start mail program");
        print MAIL $mailtext;
        close (MAIL);
    }
    &html_lookup_success($message);
}


Julian
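As an added example (not DBMan's code, nor anything posted by JPDeni or Julian), the stand-alone Perl script below reproduces the two checks that the patched sub lookup performs, resolving the typed value to a userid and refusing accounts that carry the admin flag, against constructed in-memory records, and it also shows why a password line split without chomp is refused, which is the behaviour Julian describes. The record layout (userid in field 0, email in field 2), the password-file layout (admin flag in field 6), the sample users and the function names are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not DBMan's own code. It exercises the lookup checks
# against constructed data so they can be run without a DBMan install.
use strict;
use warnings;

# Constructed database records; assumed layout: field 0 = userid (db_key),
# field 2 = email address.
my @db_records = (
    [ 'admin',     'Site Admin', 'admin@example.invalid'  ],
    [ 'julian',    'Julian',     'julian@example.invalid' ],
    [ 'bob.smith', 'Bob Smith',  'bob@example.invalid'    ],
);

# Constructed password-file lines; assumed layout:
# userid:crypted_password:view:add:delete:modify:admin
my @passlines = (
    "admin:ab0123456789A:1:1:1:1:1\n",
    "julian:cd0123456789B:1:1:0:1:0\n",
    "bob.smith:ef0123456789C:1:0:0:0:0\n",
);

# Step 1: the typed value may be a userid (exact match) or an email
# address (case-insensitive). Returns the userid, or undef if no record.
sub resolve_userid {
    my ($lookup, @records) = @_;
    foreach my $rec (@records) {
        return $rec->[0]
            if $lookup eq $rec->[0] or lc($lookup) eq lc($rec->[2]);
    }
    return undef;
}

# Step 2: scan the password lines for that userid.
# Returns a hashref: status is 'ok', 'denied' or 'notfound'; found is the
# user's own line; output is every other line, ready to be written back
# with the rewritten entry appended.
sub check_password_entry {
    my ($userid, @lines) = @_;
    my $result = { status => 'notfound', found => undef, output => '' };
    foreach my $passline (@lines) {
        # \Q...\E quotes the userid, so "bob.smith" cannot match "bobXsmith"
        if ($passline =~ /^\Q$userid\E:/) {
            chomp $passline;          # without this, "0\n" is TRUE in Perl
            my @fields = split /:/, $passline;
            if ($fields[6]) {         # admin permission flag
                $result->{status} = 'denied';
                return $result;
            }
            $result->{found}  = $passline;
            $result->{status} = 'ok';
        } else {
            $result->{output} .= $passline;
        }
    }
    return $result;
}

# Shows the failure mode: a non-admin line split without chomp still
# looks like an admin because its last field is "0\n".
sub admin_flag_truthiness {
    my ($line, $do_chomp) = @_;
    chomp $line if $do_chomp;
    my @fields = split /:/, $line;
    return $fields[6] ? 1 : 0;
}

# Walk the full path for a few typed values.
foreach my $typed ('admin', 'JULIAN@EXAMPLE.INVALID', 'bob.smith', 'nobody') {
    my $userid = resolve_userid($typed, @db_records);
    unless (defined $userid) {
        print "$typed: no record found\n";
        next;
    }
    my $r = check_password_entry($userid, @passlines);
    print "$typed -> $userid: $r->{status}\n";
}

printf "non-admin line, no chomp:   admin flag = %d (wrong)\n",
    admin_flag_truthiness($passlines[1], 0);
printf "non-admin line, with chomp: admin flag = %d\n",
    admin_flag_truthiness($passlines[1], 1);
```

Run with plain perl; "admin" is reported as denied, the email lookup resolves to julian and is allowed, and the last two lines show the admin flag reading as 1 for a non-admin line until the newline is removed, which is exactly why a lookup loop that omits chomp refuses every user.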