  #1  
Old 22nd November 2010, 16:48
j.smith1981
This page request could not be verified and appears to have expired. (Squirrelmail)

Hi there,

I have tried this 6 times in the past and always given up just at the thought I might get around to this, but I thought I would ask here for now to see if anyone else has had this problem?

What I did was go through the virtual hosts of email using postfix and stuff; here's the link to the tutorial I was going through:
http://www.howtoforge.com/virtual-us...os-4.8-i386-p2

Anyways when it comes to the change_sqlpass yea? the plugin I mean.

I have the following in '/usr/share/squirrelmail/plugins/change_sqlpass/config.php':

Quote:
<?php

/**
* SquirrelMail Change SQL Password Plugin
* Copyright (C) 2001-2002 Tyler Akins
* 2002 Thijs Kinkhorst <kink@users.sourceforge.net>
* 2002-2005 Paul Lesneiwski <paul@openguild.net>
* This program is licensed under GPL. See COPYING for details
*
* @package plugins
* @subpackage Change SQL Password
*
*/


// Global Variables, don't touch these unless you want to break the plugin
//
global $csp_dsn, $password_update_queries, $lookup_password_query,
$force_change_password_check_query, $password_encryption,
$csp_salt_query, $csp_salt_static, $csp_secure_port,
$csp_non_standard_http_port, $csp_delimiter, $csp_debug,
$min_password_length, $max_password_length, $include_digit_in_password,
$include_uppercase_letter_in_password, $include_lowercase_letter_in_password,
$include_nonalphanumeric_in_password;



// csp_dsn
//
// Theoretically, any SQL database supported by Pear should be supported
// here. The DSN (data source name) must contain the information needed
// to connect to your database backend. A MySQL example is included below.
// For more details about DSN syntax and list of supported database types,
// please see:
// http://pear.php.net/manual/en/packag....intro-dsn.php
//
// $csp_dsn = 'mysql://user:password@localhost/email_users';
$csp_dsn = 'mysql://mail_admin:<MySQL/Password>@localhost/mail';

// sorry with regards to this part, I have a password plain text/ apart from 2 symbols just 2 forward slashes like this // and that's it, could this be the problem?



// lookup_password_query
//
// This plugin will always verify the user's old password
// against their login password, but an extra check can also
// be done against the database for more security if you
// desire. If you do not need the extra password check,
// make sure this setting is empty.
//
// This is a query that returns a positive value if a user
// and password pair are found in the database.
//
// This query should return one value (one row, one column), the
// value being ideally a one or a zero, simply indicating that
// the user/password pair does in fact exist in the database.
//
// %1 in this query will be replaced with the full username
// (including domain), such as "jose@example.com"
// %2 in this query will be replaced with the username (without
// any domain portion), such as "jose"
// %3 in this query will be replaced with the domain name,
// such as "example.com"
// %4 in this query will be replaced with the current (old)
// password in whatever encryption format is needed per other
// plugin configuration settings (Note that the syntax of
// the password will be provided depending on your encryption
// choices, so you NEVER need to provide quotes around this
// value in the query here.)
// %5 in this query will be replaced with the current (old)
// password in unencrypted plain text. If you do not use any
// password encryption, %4 and %5 will be the same values,
// except %4 will have double quotes around it and %5 will not.
//
//$lookup_password_query = '';
// TERRIBLE SECURITY: $lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND plain_password = "%5"';
// $lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND crypt_password = %4';
$lookup_password_query = 'SELECT count(*) FROM users WHERE email = "%1" AND password = %4';



// password_update_queries
//
// An array of SQL queries that will all be executed
// whenever a password change attempt is made.
//
// Any number of queries may be included here.
// The queries will be executed in the order given here.
//
// %1 in all queries will be replaced with the full username
// (including domain), such as "jose@example.com"
// %2 in all queries will be replaced with the username (without
// any domain portion), such as "jose"
// %3 in all queries will be replaced with the domain name,
// such as "example.com"
// %4 in all queries will be replaced with the new password
// in whatever encryption format is needed per other
// plugin configuration settings (Note that the syntax of
// the password will be provided depending on your
// encryption choices, so you NEVER need to provide quotes
// around this value in the queries here.)
// %5 in all queries will be replaced with the new password
// in unencrypted plain text - BEWARE! If you do not use
// any password encryption, %4 and %5 will be the same
// values, except %4 will have double quotes around it
// and %5 will not.
//
$password_update_queries = array(
'UPDATE users SET password = %4 WHERE email = "%1"',
// 'UPDATE user_flags SET force_change_pwd = 0 WHERE username = "%1"',
// 'UPDATE users SET crypt_password = %4, force_change_pwd = 0 WHERE username = "%1"',
);



// force_change_password_check_query
//
// A query that checks for a flag that indicates if a user
// should be forced to change their password. This query
// should return one value (one row, one column) which is
// zero if the user does NOT need to change their password,
// or one if the user should be forced to change it now.
//
// This setting should be an empty string if you do not wish
// to enable this functionality.
//
// %1 in this query will be replaced with the full username
// (including domain), such as "jose@example.com"
// %2 in this query will be replaced with the username (without
// any domain portion), such as "jose"
// %3 in this query will be replaced with the domain name,
// such as "example.com"
//
//$force_change_password_check_query = 'SELECT IF(force_change_pwd = "yes", 1, 0) FROM users WHERE username = "%1"';
//$force_change_password_check_query = 'SELECT force_change_pwd FROM users WHERE username = "%1"';
$force_change_password_check_query = '';



// password_encryption
//
// What encryption method do you use to store passwords
// in your database? Please use one of the following,
// exactly as you see it:
//
// NONE Passwords are stored as plain text only
// MYSQLPWD Passwords are stored using the MySQL password() function
// MYSQLENCRYPT Passwords are stored using the MySQL encrypt() function
// PHPCRYPT Passwords are stored using the PHP crypt() function
// MD5CRYPT Passwords are stored using encrypted MD5 algorithm
// MD5 Passwords are stored as MD5 hash
//
// $password_encryption = 'MYSQLPWD';
$password_encryption = 'MYSQLENCRYPT';



// csp_salt_query
// csp_salt_static
//
// Encryption types that need a salt need to know where to get
// that salt. If you have a constant, known salt value, you
// should define it in $csp_salt_static. Otherwise, leave that
// value empty and define a value for the $csp_salt_query.
//
// Leave both values empty if you do not need (or use) salts
// to encrypt your passwords.
//
// The query should return one value (one row, one column) which
// is the salt value for the current user's password. This
// query is ignored if $csp_salt_static is anything but empty.
//
// %1 in this query will be replaced with the full username
// (including domain), such as "jose@example.com"
// %2 in this query will be replaced with the username (without
// any domain portion), such as "jose"
// %3 in this query will be replaced with the domain name,
// such as "example.com"
//
//$csp_salt_static = 'LEFT(crypt_password, 2)';
//$csp_salt_static = '"a4"'; // use this format with MYSQLENCRYPT
//$csp_salt_static = '$2$blowsomefish$'; // use this format with PHPCRYPT
$csp_salt_static = 'LEFT(password, 2)';

//$csp_salt_query = 'SELECT SUBSTRING_INDEX(crypt_password, '$', 1) FROM users WHERE username = "%1"';
//$csp_salt_query = 'SELECT SUBSTRING(crypt_password, (LENGTH(SUBSTRING_INDEX(crypt_password, '$', 2)) + 2)) FROM users WHERE username = "%1"';
// $csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';
//$csp_salt_query = '';



// csp_secure_port
//
// You may ensure that SSL encryption is used during password
// change by setting this to the port that your HTTPS is served
// on (443 is typical). Set to zero if you do not wish to force
// an HTTPS connection when users are changing their passwords.
//
// You may override this value for certain domains, users, or
// service levels through the Virtual Host Login (vlogin) plugin
// by setting a value(s) for $vlogin_csp_secure_port in the vlogin
// configuration.
//
$csp_secure_port = 0;
//$csp_secure_port = 443;



// csp_non_standard_http_port
//
// If you serve standard HTTP web requests on a non-standard
// port (anything other than port 80), you should specify that
// port number here. Set to zero otherwise.
//
// You may override this value for certain domains, users, or
// service levels through the Virtual Host Login (vlogin) plugin
// by setting a value(s) for $vlogin_csp_non_standard_http_port
// in the vlogin configuration.
//
//$csp_non_standard_http_port = 8080;
$csp_non_standard_http_port = 0;



// min_password_length
// max_password_length
// include_digit_in_password
// include_uppercase_letter_in_password
// include_lowercase_letter_in_password
// include_nonalphanumeric_in_password
//
// You can set the minimum and maximum password lengths that
// you accept or leave those settings as zero to indicate that
// no limit should be applied.
//
// Turn on any of the other settings here to check that the
// new password contains at least one digit, upper case letter,
// lower case letter and/or one non-alphanumeric character.
//
$min_password_length = 6;
$max_password_length = 0;
$include_digit_in_password = 0;
$include_uppercase_letter_in_password = 0;
$include_lowercase_letter_in_password = 0;
$include_nonalphanumeric_in_password = 0;



// csp_delimiter
//
// if your system has usernames with something other than
// an "@" sign separating the user and domain portion,
// specify that character here
//
//$csp_delimiter = '|';
$csp_delimiter = '@';



// debug mode
//
$csp_debug = 0;



?>
The problem is this:

Quote:
This page request could not be verified and appears to have expired.
When I attempt to actually change the password (using the correct old password and entering a new one when logged into squirrelmail), it comes up with this message above.

Now I have looked in my error logs and can confirm the error I get in there is a lot more descriptive but I don't know what to do!:

Quote:
PHP Notice: Undefined variable: csp_non_standard_http_port in /usr/share/squirrelmail/plugins/change_sqlpass/functions.php on line 936
Any ideas?

I am probably sure it's been done somewhere else but I just couldn't find it for some weird reason.

Thanks and I look forward to any replies,
Jeremy
  #2  
Old 23rd November 2010, 15:11
falko

Yes, I think your MySQL password could be the problem. Maybe you can change it to use just normal characters.
  #3  
Old 23rd November 2010, 15:52
j.smith1981

Ah that's got rid of the session problem but this has occurred:

Quote:

[Tue Nov 23 14:48:19 2010] [error] [client ] File does not exist: /usr/share/squirrelmail/config/_, referer: /webmail/src/redirect.php

[Tue Nov 23 14:48:22 2010] [error] [client ] File does not exist: /usr/share/squirrelmail/config/_, referer: /webmail/src/login.php
Hmm bit weird, but I did copy the UPDATED password (sorry doing sql commands there lol), but I did copy in the updated password into the config.php so it can't be that, any ideas?

Thanks in advance again,
Jeremy.

Last edited by j.smith1981; 23rd November 2010 at 15:57.
  #4  
Old 24th November 2010, 14:32
j.smith1981

Right that's because I didn't update my password, in the imap server (won't say what as I would have to trail back through what I did lol).

Thanks for the tip though!

But now it's come up with the following annoying web http based error:
Quote:
Your old password is not correct
What I did was go into my server for mysql, copied what I typed in for the old password and used a text editor for my new password and pasted it in.

So I know this isn't right at all, any ideas?

I have actually copied in the server logs in http for errors and it comes up with these errors:
Quote:
[Wed Nov 24 13:21:10 2010] [error] [client ] PHP Notice: Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer:

[Wed Nov 24 13:21:10 2010] [error] [client ] PHP Notice: Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer:

[Wed Nov 24 13:21:10 2010] [error] [client ] PHP Notice: Undefined variable: charset in /usr/share/squirrelmail/functions/mime.php on line 317, referer: http://www.example.co.uk/webmail/src...startMessage=1

[Wed Nov 24 13:23:24 2010] [error] [client ] PHP Notice: Undefined variable: csp_non_standard_http_port in /usr/share/squirrelmail/plugins/change_sqlpass/functions.php on line 936, referer:

[Wed Nov 24 13:23:24 2010] [error] [client ] File does not exist: /usr/share/squirrelmail/config/_, referer:

[Wed Nov 24 13:23:27 2010] [error] [client ] File does not exist: /usr/share/squirrelmail/config/_, referer:
Any ideas anyone?

I thank you in advance for any replies,
Jez
  #5  
Old 29th April 2011, 14:21
ltns

I've encountered the same problem and patched the file functions.php as the following post mentioned. It works with my squirrelmail 1.4.21 and change_sqlpass 3.3.12 on Debian.

http://blog.rtfm.co.hu/2011/03/squir...-have-expired/

Also it could be solved by changing "General Options -> Disable secure forms" to true, but I think the patch one is better.

Last edited by ltns; 29th April 2011 at 14:31.
The Following User Says Thank You to ltns For This Useful Post:
falko (30th April 2011)
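
The "Disable secure forms" option mentioned above switches off the form verification that produces the "could not be verified" message. As an added illustration (not SquirrelMail's or the plugin's code; all function and variable names are hypothetical), this simplified PHP model of a per-session form token shows what that check rejects and what passes once it is disabled:

```php
<?php
// Simplified model of a per-session form token check (added example; all
// function and variable names here are hypothetical, not SquirrelMail's).

// Issue a random token and remember it, with its issue time, in the session.
function issue_token(array &$session): string {
    $token = bin2hex(random_bytes(16));
    $session['tokens'][$token] = time();
    return $token;
}

// Accept a submitted token only if this session issued it recently.
// $checks_disabled models the "Disable secure forms" setting.
function token_ok(array &$session, ?string $submitted, bool $checks_disabled,
                  int $max_age = 3600): bool {
    if ($checks_disabled) {
        return true;                       // every request passes, forged or not
    }
    if ($submitted === null || !isset($session['tokens'][$submitted])) {
        return false;                      // missing or unknown token
    }
    $issued = $session['tokens'][$submitted];
    unset($session['tokens'][$submitted]); // single use
    return (time() - $issued) <= $max_age;
}

// Password-change handler: refuses to act unless the token check passes.
function handle_change(array &$session, array $post, bool $checks_disabled): string {
    if (!token_ok($session, $post['token'] ?? null, $checks_disabled)) {
        return 'rejected: request could not be verified';
    }
    return 'password changed';
}

$session = [];                             // constructed sample session

// 1. Form that embeds the token it was issued: accepted.
$form = ['new_pw' => 'example-1', 'token' => issue_token($session)];
echo handle_change($session, $form, false), "\n";

// 2. Form submitted without a token (a form that never included the field,
//    or a request made from another site): rejected while checks are on.
$no_token = ['new_pw' => 'example-2'];
echo handle_change($session, $no_token, false), "\n";

// 3. Same token-less request with the checks switched off: accepted, which is
//    why fixing the form is preferable to disabling the check.
echo handle_change($session, $no_token, true), "\n";
```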
All times are GMT +2.