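#!/usr/bin/perl
#
# RADB v1.0 -- CGI back end for the RADB admin page.
#
# Creates, deletes and re-passwords entries in an Apache .htpasswd file
# kept in DOCUMENT_ROOT/.secure, appends one audit line to .secure/.log
# for every change, and renders the login list and the audit log on
# request.  Everything that reaches disk or is echoed back to the page
# goes through clean() first.
#
# Form parameters (presence of "logins", "viewdb" or "viewlog" selects
# the action; the rest belong to create/change):
#   name     - name of the person performing the action (word chars only)
#   login    - login to create, or whose password is being changed
#   pw       - the (new) password for that login
#   chpw     - "on" when an existing login's password is being changed
#   oldpw    - the current password; required when chpw is "on"
#   logins   - login to delete permanently
#   viewdb   - "on" to list the logins in the database
#   viewlog  - "on" to show the audit log
#
# NOTE(review): the HTML templates this script printed did not survive in
# the copy it was rebuilt from -- only their text did.  The heredocs and
# print statements below carry that text verbatim; restore the markup from
# the original templates before deploying.
# NOTE(review): taint mode (-T) is the natural next step here; it is not
# enabled because Apache::Htpasswd would then need every path derived
# from DOCUMENT_ROOT untainted as well.

use strict;
use warnings;
use POSIX qw(strftime);
use CGI;
use Apache::Htpasswd;

# Nothing below spawns a shell, but keep the environment predictable.
$ENV{'PATH'} = '/var/www/cgi-bin/:/bin/:/usr/bin/';

# ---------------------------------------------------------------------------
# Input validation.
#
# Names and logins may contain word characters only.  That keeps ':' and
# newline (which would corrupt .htpasswd) and '&', ',', '-' and '¬' (the
# audit-log delimiters) out of anything that is stored or echoed back.
# Passwords are hashed before storage, so they may use any printable ASCII
# other than ':' and whitespace.  A value that does not match is rejected
# outright instead of being silently cut down to its first run of word
# characters, which is what the original did (and a failed match there
# left $1 holding the previous field's value).
# ---------------------------------------------------------------------------
my $WORD_RE     = qr/\A(\w+)\z/;
my $PASSWORD_RE = qr/\A([!-9;-~]+)\z/;    # 0x21-0x7E without ':' (0x3A)

my $query = CGI->new;
print $query->header;

# Who performed the change, as recorded in the audit log: the account the
# CGI runs under (the web server's), which is what `id` reported in the
# original.  Neither value may contain ',' or '-', which the log viewer
# splits on, so the shell commands are not used.
my $login_used = getpwuid($>);
$login_used = $> unless defined $login_used;
my $date = strftime('%a %b %e %H:%M:%S %Z %Y', localtime);

my $filepath = $ENV{'DOCUMENT_ROOT'};
die "DOCUMENT_ROOT is not set" unless defined $filepath && length $filepath;
# NOTE(review): .secure lives under the web root, as in the original; the
# server must be configured not to serve it, or the password hashes and the
# audit log are one URL away.
my $logpath  = "$filepath/.secure";
my $db_file  = "$logpath/.htpasswd";
my $log_file = "$logpath/.log";

# Raw form values; each is validated by clean() where it is used.
my $nameofuser = $query->param('name');
my $formlogin  = $query->param('login');
my $formpw     = $query->param('pw');
my $chpw       = $query->param('chpw');
my $oldpw      = $query->param('oldpw');
my $del_login  = $query->param('logins');
my $viewlog    = $query->param('viewlog');
my $viewdb     = $query->param('viewdb');

# Page fragments (text only, see the note at the top).
my $illegal = <<'ILLEGAL';
Illegal login

Some information you submitted, (either your name, the login you want to create, or the password for this login), contains illegal characters, which for security are not accepted.  Please Go back to the RADB admin page  and try again, using only alphanumeric characters.
ILLEGAL

my $copy = <<'COPY';
RADB created by and © Pine Tree Internet Solutions. Unauthorized use is prohibited.

Go back to the RADB admin page.
COPY

my $former = <<'FORMER';
Add another user:

Your name:
Login you want to create/edit:       Desired password for this login:
If changing an existing user's password, please check the “Change password” box below and enter that user's old password in this box:
This user already exists, I'm changing the password associated with this login.
FORMER

# NOTE(review): the footer advertises the exact OS release on every page.
my $footer = <<'FOOTER';
Pine Tree Internet Solutions
RADB v1.0 © 2003, Pine Tree Internet Solutions.   No part of the RADB may be reproduced without explicit permission from an authorized Pine Tree Internet Solutions representative.

Powered by Apache, running on Red Hat Linux 7.3 (Valhalla)
FOOTER

print "RADB v1.0 modification results\n";

if (is_on($viewdb)) {
    db_viewer();
}
elsif (is_on($viewlog)) {
    log_viewer();
}
else {
    modify_db();
}

exit 0;

# True when a checkbox-style parameter was submitted as "on".
sub is_on {
    my ($value) = @_;
    return defined $value && $value eq 'on';
}

# Returns the captured, validated form of $value, or prints the "illegal"
# page and stops.  Every value that reaches disk or the page goes through
# here, so a rejected request leaves no trace in .htpasswd or the log.
sub clean {
    my ($value, $re) = @_;
    $value = '' unless defined $value;
    if (my ($ok) = $value =~ $re) {
        return $ok;
    }
    print $illegal, $footer;
    die "Data contained malicious characters";
}

# HTML-escapes one value for output; undef becomes the empty string.
sub escape {
    my ($text) = @_;
    return $query->escapeHTML(defined $text ? $text : '');
}

# Apache::Htpasswd's last error, or a placeholder when it recorded none.
sub error_text {
    my ($htp) = @_;
    my $err = $htp->error;
    return defined $err && length $err ? $err : 'unknown error';
}

# Emits one audit line.  The format is the one log_viewer() parses:
#   LOGIN&NAME,LOGGED_IN_AS-DATE¬ACTION
# (the '¬' delimiter must be the same byte sequence the original wrote, or
# older lines will not split).  Called only after the change it records
# has succeeded.
sub append_log {
    my ($login, $name, $action) = @_;
    open my $log, '>>', $log_file
        or die "Could not open log file to add entry: $!";
    print {$log} "$login&$name,$login_used-$date¬$action\n";
    close $log or die "Could not write $log_file: $!";
    return;
}

# Create, change or delete, depending on which parameters were sent.
sub modify_db {
    # The original created the store only on this path; keep that.
    unless (-e $logpath) {
        mkdir $logpath, 0755 or die "Could not create $logpath: $!";
    }
    my $htp  = Apache::Htpasswd->new($db_file);
    my $name = clean($nameofuser, $WORD_RE);
    if (defined $del_login) {
        delete_login($htp, $name, $del_login);
    }
    else {
        create_or_change($htp, $name);
    }
    return;
}

# Removes $raw_login from .htpasswd and records who did it.  The original
# passed this parameter to htDelete(), the page and the log unvalidated,
# and logged the deletion whether or not it happened.
sub delete_login {
    my ($htp, $name, $raw_login) = @_;
    my $login = clean($raw_login, $WORD_RE);
    $htp->htDelete($login)
        or die "Could not delete $login: " . error_text($htp);
    print "Login $login been permanently removed from the personnel database by $name.";
    print "\n";
    print "To undo this action, you must ";
    print "go back to the RADB admin page and re-enter the employee mentioned above.";
    print "\n";
    append_log($login, $name, 'User deleted');
    print $copy, $footer;
    return;
}

# Validates login and password, then creates the login or, when the
# "Change password" box was ticked, re-passwords it.
sub create_or_change {
    my ($htp, $name) = @_;
    my $login = clean($formlogin, $WORD_RE);
    my $pw    = clean($formpw,    $PASSWORD_RE);
    # chpw is a checkbox: absent, "off" and anything but "on" all mean
    # "create".  The original treated only the literal "off" as create, so
    # an unticked box skipped the duplicate check and silently overwrote
    # an existing login's password.
    if (is_on($chpw)) {
        change_password($htp, $name, $login, $pw);
    }
    else {
        create_login($htp, $name, $login, $pw);
    }
    print $footer;
    return;
}

# Adds a new login.  Refuses logins that already exist, compared
# case-insensitively, so "Admin" cannot be added alongside "admin".
sub create_login {
    my ($htp, $name, $login, $pw) = @_;
    reject_if_taken($login);
    $htp->htpasswd($login, $pw)
        or die "Could not add $login: " . error_text($htp);
    print "Login $login was created by $name,\nunder the username $login_used,\non $date.\n";
    append_log($login, $name, 'Login created');
    print $former;
    return;
}

# Changes the password of an existing login.  The three-argument
# htpasswd() checks the old password first and returns false when it does
# not match; the original compared error() against a fixed message and
# then called htpasswd() a second time on success.
sub change_password {
    my ($htp, $name, $login, $pw) = @_;
    my $old = clean($oldpw, $PASSWORD_RE);
    if ($htp->htpasswd($login, $pw, $old)) {
        print "Password for user $login was successfully changed. Please update your records.";
        print $former;
        append_log($login, $name, 'Password changed');
    }
    else {
        print password_rejected_page($login), $copy;
    }
    return;
}

# Stops the request with the "login rejected" page when $login, ignoring
# case, is already present in .htpasswd.  Opens the file for reading --
# the original opened it for append and so never saw any entries.
sub reject_if_taken {
    my ($login) = @_;
    return unless -e $db_file;    # nothing to clash with yet
    open my $db, '<', $db_file or die "Could not open DB file for view: $!";
    while (my $line = <$db>) {
        chomp $line;
        my ($username) = split /:/, $line, 2;
        next unless defined $username && length $username;
        if (lc $username eq lc $login) {
            close $db;
            print login_rejected_page($login), $former, $footer;
            die "User already exists";
        }
    }
    close $db;
    return;
}

# "Password rejected" page for $login (the original interpolated the
# login before it had been read, so the message was always blank there).
sub password_rejected_page {
    my ($login) = @_;
    return <<"PWR";
Password rejected!

The password associated with user $login could not be changed, as it could not be verified that you possess the authority to perform this action. Perhaps you forgot your password?
PWR
}

# "Login rejected" page for $login.
sub login_rejected_page {
    my ($login) = @_;
    return <<"REJECTED";
Login rejected

Login $login is already in use, or is too similar to another existing login. Please try again.

Go back to the RADB admin page.
REJECTED
}

# Lists every login in .htpasswd as a deletion form ("name" + "logins"),
# then the audit log as well when viewlog is also on.
sub db_viewer {
    open my $db, '<', $db_file or die "Could not open DB file to view: $!";
    my @logins;
    while (my $line = <$db>) {
        chomp $line;
        my ($usern) = split /:/, $line, 2;
        push @logins, $usern if defined $usern && length $usern;
    }
    close $db;
    # NOTE(review): the original markup for this list is lost; it fed the
    # "logins" parameter, so it is rendered as a selection list here.
    print $query->start_form;
    print 'Your name: ', $query->textfield(-name => 'name');
    print $query->popup_menu(-name => 'logins', -values => \@logins);
    print $query->submit;
    print $query->end_form;
    if (is_on($viewlog)) {
        log_viewer();
    }
    else {
        print $footer;
    }
    return;
}

# split() into exactly two fields, tolerating a missing delimiter or an
# undefined input.
sub split2 {
    my ($re, $text) = @_;
    $text = '' unless defined $text;
    my ($head, $tail) = split $re, $text, 2;
    $head = '' unless defined $head;
    $tail = '' unless defined $tail;
    return ($head, $tail);
}

# Renders the audit log, one row per line of .secure/.log.  Every field is
# HTML-escaped on the way out: lines written by the original may hold
# values that were never validated.
sub log_viewer {
    print "\n\nUsers in database\n\n";
    open my $log, '<', $log_file
        or die "Could not open $log_file for tabling: $!";
    print join("\t", 'Login', 'Added or modified?', 'by user', 'Creator logged in as', 'Date'), "\n";
    while (my $entry = <$log>) {
        chomp $entry;
        next unless length $entry;
        my ($usen, $rest)         = split2(qr/&/, $entry);
        my ($creatr, $logged)     = split2(qr/,/, $rest);
        my ($loggedinas, $day)    = split2(qr/-/, $logged);
        my ($daychanged, $action) = split2(qr/¬/, $day);
        print join("\t", map { escape($_) } $usen, $action, $creatr, $loggedinas, $daychanged), "\n";
    }
    close $log;
    print $footer;
    return;
}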