May 8th, 2012 by Idris

  1. Host
  2. <?php
  3.     $PREAUTH_KEY=”b1e40a2aa6bebcf3fb1c9c7ba4a97201b1e40a2aa6bebcf3fb1c9c7ba4a97201″;
  4.     $WEB_MAIL_PREAUTH_URL=”https://www.eepis-its.edu/preauth”;
  6.     $user = $_GET[”user”];
  7.     $domain=$_GET[”domain”];
  9.     $email = “{$user}@{$domain}”;
  10.     if(empty($PREAUTH_KEY)) {
  11.         die(”Need preauth key for domain “.$domain);
  12.     }
  14.     $timestamp=time()*1000;
  15.     $halo=number_format($timestamp,0,”,”);
  16.     $preauthToken=hash_hmac(”sha1″,$email.”|name|0|”.$halo,$PREAUTH_KEY);
  17.     $preauthURL = $WEB_MAIL_PREAUTH_URL.”?account=”.$email.”&by=name&timestamp=”.$halo.”&expires=0&preauth=”.$preauthToken;
  19.    header(”Location: $preauthURL”);
  20. ?>
  24. Target
  25.         if(isset($_GET[’username’]) && isset($_GET[’account’]) && isset($_GET[’timestamp’]) && isset($_GET[’preauth’])){
  26.                 $username=$_GET[’username’];
  27.                 $account=$_GET[’account’];
  28.                 $tsq=$_GET[’timestamp’];
  29.                 $preauth=$_GET[’preauth’];
  30.         $PREAUTH_KEY=”b1e40a2aa6bebcf3fb1c9c7ba4a97201b1e40a2aa6bebcf3fb1c9c7ba4a97201″;
  31.                 $timestamp=time()*1000;
  32.                 if(($timestamp-$tsq)<300){
  33.                         $preauthToken=hash_hmac(”sha1″,$account.”|name|0|”.$tsq,$PREAUTH_KEY);
  34.                         if( $preauth == $preauthToken)
  35.                                 $IsValidUser=TRUE;
  36.                 }
  37.         }

Leave a Reply