Gossamer Forum

Problems w/"allowing user to change password"

I got and installed the new function that allows users to change their own passwords. The "html.pl" changes have a problem in this area:

my $found = 0;
foreach $line (@lines) {
    if ($line =~ /^$db_userid:/) {
        ($username,$password,@rest) = split(/:/,$line);
        if ($password ne $in{'oldpass'}) {
            &html_change_password("Your old password is incorrect.");
            return;
        }
        # ... remainder of the loop not shown in the post

The $password is ENCRYPTED text while the $in{'oldpass'} is CLEAR text. Did I miss something? Or it would appear that two things need to be added: 1) Decrypt $password before comparing it to the user-supplied old password, then compare. 2) If they match, then the new user-supplied password needs to be encrypted before changing the password database.

The other BIG problem I encountered was that because the password comparisons were failing I would get an error dialog. Not so bad, but then I found that the password db no longer contained my user login info at all.

TIA, Bob Bryant
Re: Problems w/"allowing user to change password"
Yes. I just realized that today. I'm going to remove the link to the change password mod for the moment until I get it worked out.

Sorry.

------------------
JPD

Re: Problems w/"allowing user to change password"
JPD! Tsk tsk tsk!

Well, if it helps any, I found the password protection script on cgi.elitehost.com a great help in figuring out password stuff. One other point, and I think you know this already but Bob mightn't, you can only encrypt passwords, you can't decrypt them.

Sorry if I'm sticking me nose in where it's not wanted!

adam
Re: Problems w/"allowing user to change password"
Thanks for the response,

I did learn about how to troubleshoot broken scripts :-) If I have time this weekend I'll look into how to make the CRYPT calls.

Regards, Bob
Re: Problems w/"allowing user to change password"
Hi Adam,

As I was composing my reply, your post came in.
Thanks for the info on the web site. I saw a post from Larry McPhail which explains how the password comparison might be done:
Crypt is a one-way function (at least in perl). The following is from the perlfunc manpages:

Quote:
"Note that crypt() is intended to be a one-way function, much like breaking eggs to make an omelette. There is no (known) corresponding decrypt function. As a result, this function isn't all that useful for cryptography." (For that, see your nearby CPAN mirror.)

Actually, it's more secure to store the encrypted password instead of the plaintext password. When someone is providing an attempt, instead of "decrypting" the stored password, simply crypt the password attempt with the same salt and compare the two that way. This is more secure. The first two characters of the "encrypted" password are the salt to apply to the attempt to crypt it and compare the two.

So it would seem that: 1. Call CRYPT with the seed and clear password. 2. Compare the resulting encoded pw with the pw in the pass file. 3. If they match, call CRYPT with the new password and a seed. 4. Replace the pw in the pass file with the result. 5. If they don't match, retry!

Thanks all, Bob

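Putting the five steps above into working code, as an added example that is not DBMan's own code and not from anyone in this thread: the attempt is re-crypted with the salt taken from the first two characters of the stored hash and the two results are compared, so nothing is ever "decrypted"; on a match the new password is crypted with a fresh salt and the file is rewritten. It also addresses Bob's second problem (the user record vanishing from the password file) by writing every line, matched or not, to a temporary file that then replaces the original, so a failed check or a crash mid-write cannot lose records. The file layout (userid:crypted-password:extra fields), the file name, and the helper names hash_password, check_password and change_password are assumptions for illustration; it assumes a Unix-like crypt(3) that supports the traditional two-character-salt scheme.

```perl
#!/usr/bin/perl
# Added example, not DBMan code: verify and change a crypt()-hashed password
# in a colon-separated password file (userid:crypted:other fields). The
# layout and helper names are assumptions for illustration.
use strict;
use warnings;
use File::Temp qw(tempfile);
use File::Basename qw(dirname);

# Hash a cleartext password with crypt(). With a two-character salt this is
# the traditional DES scheme: the salt becomes the first two characters of
# the result, and only the first 8 characters of the password are used.
sub hash_password {
    my ($clear, $salt) = @_;
    unless (defined $salt) {
        my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
        $salt = join '', map { $chars[rand @chars] } 1 .. 2;
    }
    return crypt($clear, $salt);
}

# Step 1 and 2: re-crypt the attempt with the stored hash's own salt (its
# first two characters) and compare the encoded strings. No decrypt step
# exists; crypt() is one-way.
sub check_password {
    my ($attempt, $stored) = @_;
    return 0 unless defined $stored && length $stored >= 2;
    return hash_password($attempt, substr($stored, 0, 2)) eq $stored;
}

# Steps 3 and 4: if the old password verifies, crypt the new one with a
# fresh salt and replace the field. All lines are written back via a temp
# file plus rename so the file is never left truncated or missing a record.
# Returns 1 on success, 0 if the user is missing or the old password is wrong.
sub change_password {
    my ($file, $userid, $oldpass, $newpass) = @_;
    open my $in, '<', $file or die "open $file: $!";
    chomp(my @lines = <$in>);
    close $in;

    my $changed = 0;
    for my $line (@lines) {
        my ($username, $password, @rest) = split /:/, $line, -1;
        next unless defined $username && $username eq $userid;
        return 0 unless check_password($oldpass, $password);   # step 5: reject
        $line = join ':', $username, hash_password($newpass), @rest;
        $changed = 1;
        last;
    }
    return 0 unless $changed;

    my ($tmp, $tmpname) = tempfile(DIR => dirname($file), UNLINK => 0);
    print $tmp "$_\n" for @lines;
    close $tmp or die "write $tmpname: $!";
    rename $tmpname, $file or die "rename $tmpname -> $file: $!";
    return 1;
}

# Demo on a constructed password file (sample data, not real DBMan records).
my $file = "/tmp/example_passwd.$$";
open my $fh, '>', $file or die "create $file: $!";
print $fh "bob:"   . hash_password('secret',  'ab') . ":user\n";
print $fh "alice:" . hash_password('hunter2', 'cd') . ":admin\n";
close $fh;

print "wrong old password rejected\n"
    unless change_password($file, 'bob', 'nope', 'newpass');
print "password changed\n"
    if change_password($file, 'bob', 'secret', 'newpass');

open my $rf, '<', $file or die "reopen $file: $!";
my ($bob_line) = grep { /^bob:/ } <$rf>;
close $rf;
chomp $bob_line;
my $stored = (split /:/, $bob_line)[1];
print check_password('newpass', $stored) ? "new password verifies\n"
                                         : "new password does NOT verify\n";
unlink $file;
```

The two-character salt is what DBMan-era scripts rely on, and it is also the weak part: the DES-based crypt() has a 12-bit salt and ignores everything past the eighth character of the password, so a password file hashed this way should be treated as easily cracked if it leaks. The comparison-by-re-crypting pattern, and the write-to-temp-then-rename pattern, carry over unchanged to a stronger hash.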
Re: Problems w/"allowing user to change password"
The problem is that I wrote the modification to change the password for a script that also had the password lookup mod installed. I forgot about the encryption that was required if you didn't have the password lookup.

What I'm going to have to do, as soon as I can, is make two versions of the script -- one for password lookup and one for when you don't have it.

Regarding encryption, look at the db.cgi script. There's encryption all over the place.


------------------
JPD