161daddd99ff2ae0b89a87ea541aabfc20682303
[cacert-devel.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once('../includes/lib/l10n.php');
20 require_once('../includes/notary.inc.php');
21
22 $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
23 $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
24 $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
25
26 if($id == 2)
27 $id = 0;
28
29 $_SESSION['_config']['errmsg'] = "";
30 $ccatest=0;
31
32 if($id == 17 || $id == 20)
33 {
34 include_once("../pages/index/$id.php");
35 exit;
36 }
37
38 loadem("index");
39
40 $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
41
42 if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1)
43 {
44 $oldid = 0;
45 $id = 5;
46 }
47
48 if($oldid == 6 && $process != "")
49 {
50 $body = "";
51 $answers = 0;
52 $qs = array();
53 $id = $oldid;
54 $oldid = 0;
55 if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1'])
56 {
57 $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
58
59 if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1']))
60 $answers++;
61 $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n";
62 }
63 if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2'])
64 {
65 $_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
66
67 if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2']))
68 $answers++;
69 $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n";
70 }
71 if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3'])
72 {
73 $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
74
75 if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3']))
76 $answers++;
77 $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n";
78 }
79 if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4'])
80 {
81 $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
82
83 if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4']))
84 $answers++;
85 $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n";
86 }
87 if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5'])
88 {
89 $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
90
91 if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5']))
92 $answers++;
93 $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n";
94 }
95
96 $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
97 $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));
98
99 if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
100 {
101 $body = "Someone has just attempted to update the pass phrase on the following account:\n".
102 "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
103 "email: ".$_SESSION['lostpw']['user']['email']."\n".
104 "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
105 "---------------------------------------------------------------------\n".$body.
106 "---------------------------------------------------------------------\n";
107 sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
108 $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
109 $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
110 } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
111 $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
112 } else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
113 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
114 } else {
115 $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
116 $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
117 if($score < 3)
118 {
119 $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
120 } else {
121 $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
122 where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
123 mysql_query($query) || die(mysql_error());
124 showheader(_("Welcome to CAcert.org"));
125 echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
126 showfooter();
127 exit;
128 }
129 }
130 }
131
132 if($oldid == 5 && $process != "")
133 {
134 $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
135 $_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
136 $_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
137 $_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
138 $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];
139 $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
140 $res = mysql_query($query);
141 if(mysql_num_rows($res) <= 0)
142 {
143 $id = $oldid;
144 $oldid = 0;
145 $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
146 } else {
147 $id = 6;
148 $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
149 }
150 }
151
152 //client login
153 if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
154 {
155 include_once("../includes/lib/general.php");
156 $user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
157 $_SERVER['SSL_CLIENT_I_DN_CN']);
158
159 if($user_id >= 0)
160 {
161 $_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
162 "select * from `users` where
163 `id`='$user_id' and `deleted`=0 and `locked`=0"));
164 $ccatest=get_user_agreement_status($user_id,'CCA');
165
166 if($_SESSION['profile']['id'] != 0)
167 {
168 $cca=get_last_user_agreement($user_id);
169 echo '###0###'.$cca['active'];
170 if (!isset($cca['active'])){
171 $id=52;
172 $ccatest=TRUE;
173 }else{
174 $_SESSION['profile']['loggedin'] = 1;
175 header('location: https://'.$_SERVER['HTTP_HOST'].'/account.php');
176 echo '###1###'.$cca['active'];
177 exit;
178 }
179 } else {
180 $_SESSION['profile']['loggedin'] = 0;
181 }
182 }
183 }
184
185
186 if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
187 {
188 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
189 echo '###2###'.$cca['active'];
190 exit;
191 }
192
193 function getOTP64($otp)
194 {
195 $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
196
197 for($i = 0; $i < 6; $i++)
198 $val[$i] = hexdec(substr($otp, $i * 2, 2));
199
200 $tmp1 = $val[0] >> 2;
201 $OTP = $lookupChar[$tmp1 & 63];
202 $tmp2 = $val[0] - ($tmp1 << 2);
203 $tmp1 = $val[1] >> 4;
204 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
205 $tmp2 = $val[1] - ($tmp1 << 4);
206 $tmp1 = $val[2] >> 6;
207 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
208 $tmp2 = $val[2] - ($tmp1 << 6);
209 $OTP .= $lookupChar[$tmp2 & 63];
210 $tmp1 = $val[3] >> 2;
211 $OTP .= $lookupChar[$tmp1 & 63];
212 $tmp2 = $val[3] - ($tmp1 << 2);
213 $tmp1 = $val[4] >> 4;
214 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
215 $tmp2 = $val[4] - ($tmp1 << 4);
216 $tmp1 = $val[5] >> 6;
217 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
218 $tmp2 = $val[5] - ($tmp1 << 6);
219 $OTP .= $lookupChar[$tmp2 & 63];
220
221 return $OTP;
222 }
223
224 function getOTP32($otp)
225 {
226 $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
227
228 for($i = 0; $i < 7; $i++)
229 $val[$i] = hexdec(substr($otp, $i * 2, 2));
230
231 $tmp1 = $val[0] >> 3;
232 $OTP = $lookupChar[$tmp1 & 31];
233 $tmp2 = $val[0] - ($tmp1 << 3);
234 $tmp1 = $val[1] >> 6;
235 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
236 $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
237 $OTP .= $lookupChar[$tmp2 & 31];
238 $tmp2 = $val[1] - (($val[1] >> 1) << 1);
239 $tmp1 = $val[2] >> 4;
240 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
241 $tmp2 = $val[2] - ($tmp1 << 4);
242 $tmp1 = $val[3] >> 7;
243 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
244 $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
245 $OTP .= $lookupChar[$tmp2 & 31];
246 $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
247 $tmp1 = $val[4] >> 5;
248 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
249 $tmp2 = $val[4] - ($tmp1 << 5);
250 $OTP .= $lookupChar[$tmp2 & 31];
251 $tmp1 = $val[5] >> 3;
252 $OTP .= $lookupChar[$tmp1 & 31];
253 $tmp2 = $val[5] - ($tmp1 << 3);
254 $tmp1 = $val[6] >> 6;
255 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
256
257 return $OTP;
258 }
259
260 if($oldid == 4)
261 {
262 $oldid = 0;
263 $id = 4;
264
265 $_SESSION['_config']['errmsg'] = "";
266
267 $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
268 $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
269 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
270 `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
271 $res = mysql_query($query);
272 if(mysql_num_rows($res) <= 0)
273 {
274 $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
275 $otpres = mysql_query($otpquery);
276 if(mysql_num_rows($otpres) > 0)
277 {
278 $otp = mysql_fetch_assoc($otpres);
279 $otphash = $otp['otphash'];
280 $otppin = $otp['otppin'];
281 if(strlen($pword) == 6)
282 {
283 $matchperiod = 18;
284 $time = round(gmdate("U") / 10);
285 } else {
286 $matchperiod = 3;
287 $time = round(gmdate("U") / 60);
288 }
289
290 $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
291 mysql_query($query);
292
293 $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
294 if(mysql_num_rows(mysql_query($query)) <= 0)
295 {
296 $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
297 mysql_query($query);
298 for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
299 {
300 if($otppin > 0)
301 $tmpmd5 = md5("$i$otphash$otppin");
302 else
303 $tmpmd5 = md5("$i$otphash");
304
305 if(strlen($pword) == 6)
306 $md5 = substr(md5("$i$otphash"), 0, 6);
307 else if(strlen($pword) == 8)
308 $md5 = getOTP64(md5("$i$otphash"));
309 else
310 $md5 = getOTP32(md5("$i$otphash"));
311
312 if($pword == $md5)
313 $res = mysql_query($otpquery);
314 }
315 }
316 }
317 }
318 if(mysql_num_rows($res) > 0)
319 {
320 $_SESSION['profile'] = "";
321 unset($_SESSION['profile']);
322 $_SESSION['profile'] = mysql_fetch_assoc($res);
323 $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
324 mysql_query($query);
325
326 if($_SESSION['profile']['language'] == "")
327 {
328 $query = "update `users` set `language`='".L10n::get_translation()."'
329 where `id`='".$_SESSION['profile']['id']."'";
330 mysql_query($query);
331 } else {
332 L10n::set_translation($_SESSION['profile']['language']);
333 L10n::init_gettext();
334 }
335 $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
336 $res = mysql_query($query);
337 $row = mysql_fetch_assoc($res);
338 $_SESSION['profile']['points'] = $row['total'];
339 $_SESSION['profile']['loggedin'] = 1;
340 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
341 $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
342 $_SESSION['profile']['Q5'] == "")
343 {
344 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
345 $_SESSION['_config']['oldlocation'] = "account.php?id=13";
346 }
347 if (checkpwlight($pword) < 3)
348 $_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
349 $ccatest=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
350 if($_SESSION['_config']['oldlocation'] != ""){
351 header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
352 }else{
353 if (0==$ccatest) {
354 $id=52;
355 header("location: https://".$_SERVER['HTTP_HOST']."/index.php?id=52");
356 }else{
357 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
358 }
359 }
360 exit;
361 }
362
363 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
364 `password`=password('$pword')) and `verified`=0 and `deleted`=0";
365 $res = mysql_query($query);
366 if(mysql_num_rows($res) <= 0)
367 {
368 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
369 } else {
370 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
371 }
372 }
373
374 // check for CCA acceptance prior to login
375 if ($id == 52 )
376 {
377 $ccatest=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
378 $agree = ""; if(array_key_exists('agree',$_REQUEST)) $agree=$_REQUEST['agree'];
379 if (!$agree) {
380 $_SESSION['profile']['loggedin'] = 0;
381 }else{
382 write_user_agreement($memid, "CCA", "Login acception", "", 1);
383 $_SESSION['profile']['loggedin'] = 1;
384 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
385 exit;
386 }
387 }
388
389
390 if($process && $oldid == 1)
391 {
392 $id = 2;
393 $oldid = 0;
394
395 $_SESSION['_config']['errmsg'] = "";
396
397 $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
398 $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname']))));
399 $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname']))));
400 $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname']))));
401 $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix']))));
402 $_SESSION['signup']['day'] = intval($_REQUEST['day']);
403 $_SESSION['signup']['month'] = intval($_REQUEST['month']);
404 $_SESSION['signup']['year'] = intval($_REQUEST['year']);
405 $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
406 $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
407 $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
408 $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2']))));
409 $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3']))));
410 $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4']))));
411 $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5']))));
412 $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
413 $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
414 $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
415 $_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
416 $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
417 $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0);
418 $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0);
419 $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0);
420 $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0);
421 $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0);
422
423
424 if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
425 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
426 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
427 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
428 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
429 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
430 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
431 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
432 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
433 $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
434 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
435 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
436 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
437 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
438 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
439 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
440 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
441 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
442 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
443 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
444 $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
445 $_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
446 $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
447 $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
448 $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
449 $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
450 $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
451 $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
452 $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
453 $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
454 $_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
455 {
456 $id = 1;
457 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
458 }
459
460 if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
461 $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
462 $_SESSION['signup']['Q5'] == "")
463 {
464 $id = 1;
465 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
466 }
467 if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
468 {
469 $id = 1;
470 $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
471 }
472 if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
473 $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
474 !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
475 mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
476 {
477 $id = 1;
478 $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
479 }
480 if($_SESSION['signup']['cca_agree'] == "0")
481 {
482 $id = 1;
483 $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
484 }
485 if($_SESSION['signup']['email'] == "")
486 {
487 $id = 1;
488 $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
489 }
490 if($_SESSION['signup']['pword1'] == "")
491 {
492 $id = 1;
493 $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
494 }
495 if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
496 {
497 $id = 1;
498 $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
499 }
500
501 $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
502 if($score < 3)
503 {
504 $id = 1;
505 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6.");
506 }
507
508 if($id == 2)
509 {
510 $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
511 $res1 = mysql_query($query);
512
513 $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
514 $res2 = mysql_query($query);
515 if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
516 {
517 $id = 1;
518 $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
519 }
520
521 $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
522 $res = mysql_query($query);
523 if(mysql_num_rows($res) > 0)
524 {
525 $domain = mysql_fetch_assoc($res);
526 $domain = $domain['domain'];
527 $id = 1;
528 $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
529 }
530 }
531
532 if($id == 2)
533 {
534 $checkemail = checkEmail($_SESSION['signup']['email']);
535 if($checkemail != "OK")
536 {
537 $id = 1;
538 if (substr($checkemail, 0, 1) == "4")
539 {
540 $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
541 } else {
542 $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
543 }
544 $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
545 }
546 }
547
548 if($id == 2)
549 {
550 $hash = make_hash();
551
552 $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
553 `password`=sha1('".$_SESSION['signup']['pword1']."'),
554 `fname`='".$_SESSION['signup']['fname']."',
555 `mname`='".$_SESSION['signup']['mname']."',
556 `lname`='".$_SESSION['signup']['lname']."',
557 `suffix`='".$_SESSION['signup']['suffix']."',
558 `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
559 `Q1`='".$_SESSION['signup']['Q1']."',
560 `Q2`='".$_SESSION['signup']['Q2']."',
561 `Q3`='".$_SESSION['signup']['Q3']."',
562 `Q4`='".$_SESSION['signup']['Q4']."',
563 `Q5`='".$_SESSION['signup']['Q5']."',
564 `A1`='".$_SESSION['signup']['A1']."',
565 `A2`='".$_SESSION['signup']['A2']."',
566 `A3`='".$_SESSION['signup']['A3']."',
567 `A4`='".$_SESSION['signup']['A4']."',
568 `A5`='".$_SESSION['signup']['A5']."',
569 `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
570 mysql_query($query);
571 $memid = mysql_insert_id();
572 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
573 `hash`='$hash',
574 `created`=NOW(),
575 `memid`='$memid'";
576 mysql_query($query);
577 $emailid = mysql_insert_id();
578 $query = "insert into `alerts` set `memid`='$memid',
579 `general`='".$_SESSION['signup']['general']."',
580 `country`='".$_SESSION['signup']['country']."',
581 `regional`='".$_SESSION['signup']['regional']."',
582 `radius`='".$_SESSION['signup']['radius']."'";
583 mysql_query($query);
584 write_user_agreement($memid, "CCA", "account creation", "", 1);
585
586 $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
587 $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
588 $body .= _("Best regards")."\n"._("CAcert.org Support!");
589
590 sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
591 foreach($_SESSION['signup'] as $key => $val)
592 $_SESSION['signup'][$key] = "";
593 unset($_SESSION['signup']);
594 }
595 }
596
597 if($oldid == 11 && $process != "")
598 {
599 $who = stripslashes($_REQUEST['who']);
600 $email = stripslashes($_REQUEST['email']);
601 $subject = stripslashes($_REQUEST['subject']);
602 $message = stripslashes($_REQUEST['message']);
603 $secrethash = $_REQUEST['secrethash2'];
604
605 //check for spam via honeypot
606 if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){
607 echo _("Form could not be sent.");
608 showfooter();
609 exit;
610 }
611
612 if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
613 {
614 $id = $oldid;
615 $process = "";
616 $_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
617 $oldid = 0;
618
619 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
620 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
621 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
622 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
623 echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
624 die;
625 }
626 if(strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") )
627 {
628 $id = $oldid;
629 $process = "";
630 $_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
631 $oldid = 0;
632
633 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
634 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
635 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
636 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
637 echo _("This seems like potential spam, cannot continue.");
638 die;
639 }
640
641
642 if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
643 {
644 $id = $oldid;
645 $process = "";
646 $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
647 $oldid = 0;
648 }
649 }
650
651 if($oldid == 11 && $process != "")
652 {
653 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
654 if (isset($process[0])){
655 sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
656 showheader(_("Welcome to CAcert.org"));
657 echo _("Your message has been sent to the general support list.");
658 showfooter();
659 exit;
660 }
661 if (isset($process[1])){
662 sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
663 showheader(_("Welcome to CAcert.org"));
664 echo _("Your message has been sent.");
665 showfooter();
666 exit;
667 }
668 }
669
670 if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
671 $_SESSION['signup']['year'] = "19XX";
672
673 if ($id == 12)
674 {
675 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
676 $newUrl = $protocol . '://wiki.cacert.org/FAQ/AboutUs';
677 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
678 }
679
680 if ($id == 19)
681 {
682 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
683 $newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
684 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
685 }
686
687 if ($id == 8)
688 {
689 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
690 $newUrl = $protocol . '://wiki.cacert.org/Board';
691 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
692 }
693
694
695 showheader(_("Welcome to CAcert.org"));
696 includeit($id);
697 showfooter();
698 ?>