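#!/usr/bin/perl
use strict;
use warnings;

use DBI;
use File::Spec;
use File::Temp qw(tempfile);
use Time::Local;

require 'cookie.lib';

#######
# Login.pl
# April 10th, 2003
# Questions/comment: heyworth@qualityofexecution.com
#
# CGI login handler: shows the login screen, checks a submitted
# username/password against the `user` table, issues the session token
# cookies, and mails a forgotten password to the client's administrator.
#
# Security review summary (what this revision changes):
#   * every SQL statement uses bound placeholders; request and cookie values
#     are never concatenated into query text
#   * a login needs a matching user row with a non-empty stored password
#     (an unknown username with an empty password used to compare equal)
#   * the post-login `redirect` value is restricted to this site, which also
#     keeps CR/LF out of the Location header
#   * the mailer runs through list-form system() and its message file is a
#     private temp file, not "<username>-password.mail" in the working dir
#   * cookie expiry dates are built from gmtime(), matching their GMT label
#   * the POST body read is capped
#######

# Token cookie lifetime in seconds (half a day).
use constant TOKEN_LIFETIME => 43200;

# Upper bound on the POST body read from STDIN; a login form is tiny.
use constant MAX_POST_BYTES => 65536;

# Package globals. %Cookies is presumably filled in by GetCookies() from
# cookie.lib -- TODO confirm. $username and $remember are not referenced by
# the page text visible in this file; presumably the form markup used them.
our ( %FORM, %Cookies );
our ( $dbh, $username, $remember, $cid, $accesstime );
our ( $database, $databaseaddress, $address, $cookiedomain );
our ( $headercolor, $tickcolor, $evencolor, $oddcolor );

# database information
$database        = "tands";
$databaseaddress = "67.88.42.203";

# host address
$address = "workhorse.qualityofexecution.com";

# define the cookie domain (also the only domain redirects may point at)
$cookiedomain = '.qualityofexecution.com';
SetCookieDomain($cookiedomain);

# global colors
$headercolor = "dadaff";
$tickcolor   = "#EFEEa9";
$evencolor   = "dfdfdf";
$oddcolor    = "ffffff";

# connect to database
# NOTE(review): the account name and password are hard-coded in a script
# served from the web tree. Load them from a file outside the document root
# (or the environment) and rotate the password this file has exposed.
my $dsn = "DBI:mysql:$database:$databaseaddress";
$dbh = DBI->connect( $dsn, 'qoeremote', 'qoe' );
if ( !defined $dbh ) {
    print "Content-type:text/html\n\n";
    print "\n\nCouldn't connect to DB!\n\n";
    exit;
}

my $request_method =
  defined $ENV{'REQUEST_METHOD'} ? $ENV{'REQUEST_METHOD'} : '';

# grab form contents
if ( $request_method eq 'POST' ) {
    GetPostData();
}
else {
    GetFormData();
}

# if already logged in, ignore and go to main page...
# check for valid token and cookie
if ( ( $cid = validtoken() ) ) {
    print "Content-type:text/html\nLocation: http://$address/controlpanel.pl\n\n";

    # Stop here: the header block is finished, so anything printed after it
    # (the login screen, or a second login attempt) would land in the body
    # of the redirect response.
    $dbh->disconnect();
    exit;
}

$username = $Cookies{'username'};
$username = '' unless defined $username;
$remember = "checked" if $username ne "";

# handle the input
if ( $request_method eq 'POST' ) {
    ProcessLoginScreen();
}
elsif ( defined $FORM{'mailpassword'} && $FORM{'mailpassword'} ne "" ) {

    # The same confirmation screen is shown whether or not the username
    # exists, so this path does not reveal which usernames are valid.
    MailPassword();
    GenerateLoginScreen(2);    # sending password
}
else {
    GenerateLoginScreen();     # general loginscreen
}

# release resources
$dbh->disconnect();

# Format an epoch time as the cookie expiry string this script uses,
# e.g. "Wed, 09-Apr-2003 00:00:01 GMT". Built from gmtime() so the value
# agrees with the "GMT" suffix.
sub CookieDate {
    my ($epoch) = @_;
    my @day_names   = qw(Sun Mon Tue Wed Thu Fri Sat);
    my @month_names = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
    my ( $sec, $min, $hour, $mday, $month, $year, $wday ) = gmtime($epoch);
    return sprintf(
        "%s, %02d-%s-%d %02d:%02d:%02d GMT",
        $day_names[$wday], $mday, $month_names[$month], $year + 1900,
        $hour, $min, $sec
    );
}

# Return $candidate if it is an acceptable post-login redirect target, or ''
# if it is not. Accepted: http/https URLs whose host is inside $cookiedomain,
# site-absolute paths ("/x", but not "//host"), and plain relative paths.
# Control characters, spaces and backslashes are refused, so the value cannot
# split the Location header.
sub SafeRedirect {
    my ($candidate) = @_;
    return '' unless defined $candidate && $candidate ne '';
    return '' if $candidate =~ /[\x00-\x20\x7f\\]/;

    if ( $candidate =~ m{\Ahttps?://([A-Za-z0-9.\-]+)(?::\d+)?(?:[/?#]|\z)}i ) {
        my $host   = lc $1;
        my $suffix = lc $cookiedomain;
        ( my $bare = $suffix ) =~ s/\A\.//;
        return $candidate if $host eq $bare || $host =~ /\Q$suffix\E\z/;
        return '';
    }

    return $candidate if $candidate =~ m{\A/(?!/)};
    return $candidate if $candidate =~ m{\A[A-Za-z0-9_.\-]+(?:[/?#]|\z)};
    return '';
}

# Handle a submitted login form: look the user up, compare the password,
# and on success set the token/userid/username cookies, record the token and
# redirect. On failure re-display the login screen with an error message.
sub ProcessLoginScreen {

    # make sure we have some data
    $username = $FORM{'username'};
    $username = "BLANK" if !defined $username || $username eq "";
    my $supplied = defined $FORM{'password'} ? $FORM{'password'} : '';

    # do the check...
    my $sth = $dbh->prepare(
        "SELECT password,class,userid,clientid FROM user WHERE username=?");
    unless ( $sth && $sth->execute($username) ) {
        GenerateLoginScreen(1);
        return;
    }

    # grab information (the last matching row wins, as before)
    my ( $password, $userid );
    my $found = 0;
    while ( my @row = $sth->fetchrow_array ) {
        $password = $row[0];
        $userid   = $row[2];
        $cid      = $row[3];
        $found    = 1;
    }
    $sth->finish;

    # checkpassword...
    # NOTE(review): passwords are stored and compared in clear text. Store a
    # salted password hash instead and compare hashes here.
    unless ( $found
        && defined $password
        && $password ne ''
        && $password eq $supplied )
    {
        # password failure...
        GenerateLoginScreen(1);
        return;
    }

    print "Content-type:text/html\n";

    # NOTE(review): this token is derived from the client id, user id, the
    # clock and rand(), so it is guessable. Replace it with a value from a
    # cryptographic random source once the token column type is confirmed.
    my $faketoken = int( "$cid" . "$userid" . time() % 50000 ) + int( rand(10000) );

    # token is good for the day... (1/2 day token)
    my $expires_at = time() + TOKEN_LIFETIME;
    SetCookieExpDate( CookieDate($expires_at) );
    SetCookies( 'token', "$faketoken", 'userid', "$userid" );

    my $remember_for_year = do {
        no warnings 'numeric';
        ( $FORM{'remember'} || 0 ) == 1;
    };
    if ($remember_for_year) {

        # remember for the year. The date used to sit in single quotes, so
        # the cookie carried the literal text "$thisyear", not a year.
        my $year = ( gmtime($expires_at) )[5] + 1900;
        SetCookieExpDate( CookieDate( timegm( 0, 0, 0, 31, 11, $year ) ) );
    }
    else {
        # otherwise, erase...
        SetCookieExpDate('Wed, 09-Apr-2003 00:00:01 GMT');
    }
    SetCookies( 'username', "$username" );

    UpdateLogin( $faketoken, $userid, $cid );
    GetCookies();

    my $redirect = defined $FORM{'redirect'} ? $FORM{'redirect'} : '';
    $redirect =~ s/%3F/?/g;
    $redirect =~ s/%3D/=/g;
    $redirect =~ s/%26/&/g;
    my $target = SafeRedirect($redirect);

    $dbh->disconnect();
    if ( $target ne "" ) {
        print "Location: $target\n\n";
    }
    else {
        # should actually link to the client's control panel page
        print "Location: http://$address/controlpanel.pl\n\n";
    }
    exit;
}

# Print the login page.
#   $_[0] indicates error condition
#     0 == no condition
#     1 == Username/Password problem
#     2 == mailing password
sub GenerateLoginScreen {
    my $condition = defined $_[0] ? $_[0] : 0;
    my $redirect  = defined $FORM{'redirect'} ? $FORM{'redirect'} : '';
    my $message   = '';

    # handle the login screen message
    if ( $condition == 0 ) {

        # no condition: take the raw (still encoded) redirect from the query
        my $query = defined $ENV{'QUERY_STRING'} ? $ENV{'QUERY_STRING'} : '';
        my ($raw) = $query =~ /redirect=(.*)/;
        $redirect = defined $raw ? $raw : '';
    }
    elsif ( $condition == 1 ) {

        # login error
        $message = "Login Error:\nProblem with Username and/or Password";
    }
    elsif ( $condition == 2 ) {

        # mail password
        $message =
            "Account Assistance:\n"
          . "We just mailed the password to your Administrator's email account.\n"
          . "\n"
          . "If you have any further questions, please feel free to contact us.";
    }

    # NOTE(review): $extratext is not referenced by the page text visible in
    # this file; presumably the page links carried it. It holds request data,
    # so HTML-escape it wherever it is written into the page.
    my $extratext = '';
    if ( $redirect ne "" ) {
        $extratext = "&redirect=$redirect";
    }

    # output the loginmethod
    my $secure = defined $FORM{'secure'} ? $FORM{'secure'} : '';
    my $loginmethod;
    if ( $secure ne "yes" ) {
        $loginmethod = "Standard | Secure";
    }
    else {
        $loginmethod = "Standard | Secure";
    }

    print <<"EOM";
Content-type:text/html

Quality of Execution, LLC.
 
  If you are a client, click here to login. If you are interested in becoming a client, click here. Need help?  Click here.
Learn more about Quality of Execution, LLC. Learn more about our Trade Senty Product. Learn more about our Market Rank Product. Click here to view exception and data samples Click here to learn more about our management team Click here to view multimedia and press clippings Click here for contact information
 
Login
Username

Password
Remember Password?

Forget your password?
Click here and we'll mail you a new one

Not a registered Quality of Execution user?
Click here to learn how to become one

Login Method: $loginmethod

$message

Why do I need to login?
In order to take advantage of Quality of Execution's Internet-based queries, real-time analysis, and configuration screens, users need to authenticate themselves to us through the login procedure.

What if I forget my username and/or password?
If you forget your username and/or password, please contact us and we will supply you with the information you need to get back online as quickly as possible.

What is the difference between the standard and secure login methods?
The standard login method transmits your password and username unencrypted over the Internet while secure mode encrypts it. The authentication method you choose should conform with your company's data security policy.

How secure is our communication?
Once you have been authenticated in secure mode, all subsequent communication with Quality of Execution is protected by 128bit SSL encryption.

A secure link is indicated by a padlock in the lower right hand corner of your browser window.

If you don't see the lock upon logging in or have any further security questions, please feel free to contact us.


info\@qualityofexecution.com | 212.757.6824 or 800.686.1608 | © 2002 QualityofExecution, LLC.
EOM
    return;
}

#######################
## form and token helpers
#######################

# Decode an application/x-www-form-urlencoded string into %FORM.
# Values are split on the first '=' only, '+' becomes a space and %XX escapes
# are decoded. Fields whose name contains "email" are reduced to a
# conservative character set.
sub ParseFormPairs {
    my ($encoded) = @_;
    return unless defined $encoded;

    foreach my $pair ( split /&/, $encoded ) {
        my ( $name, $value ) = split /=/, $pair, 2;
        next unless defined $name && $name ne '';
        $value = '' unless defined $value;

        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

        # check for evil characters
        if ( $name =~ /email/ ) {
            $value =~ s/[^a-zA-Z0-9\!\$\%\(\)\+\-\.\/\:\=\@\[\]\^\_]+//g;
        }
        $FORM{$name} = $value;
    }
    return;
}

# Read the POST body into %FORM. Returns 1 for a POST request, 0 otherwise.
# CONTENT_LENGTH comes from the client, so it is validated as a number and
# capped at MAX_POST_BYTES before it sizes the read.
sub GetPostData {
    my $method = defined $ENV{'REQUEST_METHOD'} ? $ENV{'REQUEST_METHOD'} : '';
    return 0 unless $method eq 'POST';    # no post data...

    my $length = defined $ENV{'CONTENT_LENGTH'} ? $ENV{'CONTENT_LENGTH'} : '';
    $length = 0 unless $length =~ /\A\d+\z/;
    $length = MAX_POST_BYTES if $length > MAX_POST_BYTES;

    my $buffer = '';
    read( STDIN, $buffer, $length ) if $length > 0;
    ParseFormPairs($buffer);

    # now, all the form variables are in the %FORM hash.
    return 1;
}

# Look up the `token` cookie in the token table. Returns the client id of the
# matching row, or 0 when there is no usable cookie or no matching row.
# NOTE(review): the row's modifytime is read but never compared with the
# clock, and the token is not tied to the userid cookie or the address that
# UpdateLogin() stores, so expiry rests on the browser dropping the cookie.
# Confirm the token table layout and enforce the lifetime here.
sub validtoken {
    return 0 unless GetCookies();

    # Tokens issued by this script are integers; anything else is refused
    # before it reaches the database.
    my $token = $Cookies{'token'};
    return 0 unless defined $token && $token =~ /\A\d+\z/;

    my $sth =
      $dbh->prepare("SELECT modifytime,clientid FROM token WHERE token=?");
    return 0 unless $sth && $sth->execute($token);

    # grab information
    my $client;
    while ( my @row = $sth->fetchrow_array ) {
        $accesstime = $row[0];
        $client     = $row[1];
    }
    $sth->finish;

    return defined $client ? $client : 0;
}

# Decode the query string into %FORM.
sub GetFormData {
    ParseFormPairs( $ENV{'QUERY_STRING'} );
    return;
}

# Record a freshly issued token and stamp the user's last login time.
#   $_[0] token, $_[1] userid, $_[2] clientid
sub UpdateLogin {
    my ( $token, $userid, $client_id ) = @_;
    my $now = time();
    my $remote = defined $ENV{'REMOTE_ADDR'} ? $ENV{'REMOTE_ADDR'} : '';

    # update token
    $dbh->do( "INSERT INTO token VALUES(NULL,?,?,?,?,?,?)",
        undef, $token, $remote, $userid, $now, $now, $client_id );

    # update user stats
    $dbh->do( "UPDATE user SET lastlogin=? WHERE userid=?",
        undef, $now, $userid );
    return;
}

# Mail the password of the user named in $FORM{'mailpassword'} to that
# client's administrator address (recipient.toadmin). Returns quietly when
# the user or the recipient is unknown.
# NOTE(review): this sends the stored clear-text password by mail. Once
# passwords are hashed, send a one-time reset link instead.
sub MailPassword {
    my $requested =
      defined $FORM{'mailpassword'} ? $FORM{'mailpassword'} : '';
    return if $requested eq '';

    # grab password
    my $sth =
      $dbh->prepare("SELECT password,clientid FROM user WHERE username=?");
    return unless $sth && $sth->execute($requested);
    my ( $stored_password, $client_id );
    while ( my @row = $sth->fetchrow_array ) {
        $stored_password = $row[0];
        $client_id       = $row[1];
    }
    $sth->finish;

    # make sure that we are using a valid username
    return unless defined $stored_password && $stored_password ne "";

    # grab recipients
    $sth = $dbh->prepare(
        "SELECT toadmin,ccadmin FROM recipient WHERE clientid=?");
    return unless $sth && $sth->execute($client_id);
    my ( $toadmin, $ccadmin );
    while ( my @row = $sth->fetchrow_array ) {
        $toadmin = $row[0];
        $ccadmin = $row[1];
    }
    $sth->finish;

    # make sure that we have somewhere to send it
    return unless defined $toadmin && $toadmin ne "";

    # The address becomes a command-line argument: accept only address
    # characters (comma-separated lists allowed) and never a leading '-',
    # which the mailer would read as an option.
    return unless $toadmin =~ /\A[A-Za-z0-9][A-Za-z0-9._%+\-\@,]*\z/;

    # Write the message to a private temp file. The old name was built from
    # the username inside the working directory, which let the username
    # choose the path and left the password on disk afterwards.
    my ( $mail_fh, $path ) = eval {
        tempfile(
            'password-XXXXXX',
            SUFFIX => '.mail',
            DIR    => File::Spec->tmpdir()
        );
    };
    return unless $mail_fh;

    print {$mail_fh} <<"EOM";
Sorry you were having difficulty with your username and password.

Username: $requested
Password: $stored_password

If you have any further questions, please feel free to contact us at: help\@qualityofexecution.com.
EOM
    close($mail_fh);

    # needs the -q to suppress output...
    # List form: the arguments are passed as separate values, not pasted
    # into one command string.
    system( 'blat', $path, '-s', 'Requested Information',
        '-t', $toadmin, '-noh2', '-q' );

    unlink $path;
    return;
}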