1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once('../includes/lib/l10n.php');
20 require_once('../includes/notary.inc.php');
21
// Routing parameters: $id is the page to render, $oldid the form that was
// submitted. Both are forced to integers. $process is kept exactly as
// received; because $_REQUEST values may also be arrays, the handlers below
// only ever test it for emptiness or for the presence of an index.
$id      = array_key_exists("id", $_REQUEST) ? intval($_REQUEST['id']) : 0;
$oldid   = array_key_exists("oldid", $_REQUEST) ? intval($_REQUEST['oldid']) : 0;
$process = array_key_exists("process", $_REQUEST) ? $_REQUEST['process'] : "";

// Page 2 cannot be requested directly; the sign-up handler further down
// assigns $id = 2 itself while it processes a submission.
if (2 == $id)
{
	$id = 0;
}

$_SESSION['_config']['errmsg'] = "";

// Pages 17 and 20 are served on their own, without the common header/footer.
// The include path is built from $id, which is only acceptable because $id is
// an integer limited to the two values listed here; keep this an allow-list.
if (in_array($id, array(17, 20), true))
{
	include_once("../pages/index/$id.php");
	exit;
}
36
loadem("index");

// NOTE(review): HTTP_HOST is taken from the request's Host header, so the
// value stored here is client-supplied. Where this session entry is consumed
// is not visible in this file; confirm it is checked against the configured
// host names before it is used to build links or mail.
$_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];

// The security-question page (6) is only reachable once the e-mail/date of
// birth step has stored a user record in the session; otherwise fall back to
// that first step (page 5).
$wantsQuestionPage = ($oldid == 6 || $id == 6);
if ($wantsQuestionPage && intval($_SESSION['lostpw']['user']['id']) < 1)
{
	$oldid = 0;
	$id = 5;
}
46
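// Lost pass phrase, second step: compare the submitted answers with the
// answers stored for the account found in the first step, then set the new
// pass phrase when enough answers match.
//
// Changes against the previous version of this handler:
//  - answers are compared with === instead of ==, so two different
//    numeric-looking strings are no longer treated as equal;
//  - a question for which the account has no stored answer can never count
//    as answered correctly (an empty submission used to equal an empty
//    stored answer);
//  - the new pass phrase is no longer passed through strip_tags(), matching
//    how the sign-up and login handlers in this file treat pass phrases, so
//    the phrase that is hashed is the phrase the user will type at login.
if ($oldid == 6 && $process != "")
{
	$body = "";
	$answers = 0;
	$id = $oldid;
	$oldid = 0;

	for ($n = 1; $n <= 5; $n++)
	{
		$qkey = "Q$n";
		$akey = "A$n";

		// Only questions the form marked as asked are evaluated.
		if (!array_key_exists($qkey, $_REQUEST) || !$_REQUEST[$qkey])
			continue;

		$submitted = (isset($_REQUEST[$akey]) && is_string($_REQUEST[$akey])) ? $_REQUEST[$akey] : "";
		$_SESSION['lostpw'][$akey] = trim(mysql_escape_string(stripslashes(strip_tags($submitted))));

		// Case-insensitive comparison, as before.
		$entered = stripslashes(strtolower($_SESSION['lostpw'][$akey]));
		$stored = strtolower((string)$_SESSION['lostpw']['user'][$akey]);
		if ($stored !== "" && $entered === $stored)
			$answers++;

		// NOTE(review): this transcript puts the stored secret answer next to
		// the entered one and is mailed to support below when the check fails.
		$body .= "System: ".$_SESSION['lostpw']['user'][$akey]."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw'][$akey]))."\n";
	}

	$newpass1 = (isset($_REQUEST['newpass1']) && is_string($_REQUEST['newpass1'])) ? $_REQUEST['newpass1'] : "";
	$newpass2 = (isset($_REQUEST['newpass2']) && is_string($_REQUEST['newpass2'])) ? $_REQUEST['newpass2'] : "";
	$_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes($newpass1)));
	$_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes($newpass2)));

	// $_SESSION['lostpw']['total'] is not assigned anywhere in this file;
	// presumably the question page stores the number of questions it asked.
	// At least three correct answers are required in any case.
	if ($answers < $_SESSION['lostpw']['total'] || $answers < 3)
	{
		$body = "Someone has just attempted to update the pass phrase on the following account:\n".
			"Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
			"email: ".$_SESSION['lostpw']['user']['email']."\n".
			"IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
			"---------------------------------------------------------------------\n".$body.
			"---------------------------------------------------------------------\n";
		sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
			$_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
		$_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
	} else if ($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
		$_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
	} else if (strlen($_SESSION['lostpw']['pw1']) < 6) {
		// The length is measured on the SQL-escaped value, as before.
		$_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
	} else {
		$score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
			$_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
		if ($score < 3)
		{
			$_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
		} else {
			// NOTE(review): the pass phrase is stored as an unsalted SHA-1
			// computed inside the SQL statement. Moving to a salted, slow
			// password hash needs a schema and login change outside this block.
			$query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
				where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
			// NOTE(review): die(mysql_error()) shows the raw database error to
			// the visitor; logging it and printing a generic message is safer.
			mysql_query($query) || die(mysql_error());
			showheader(_("Welcome to CAcert.org"));
			echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
			showfooter();
			exit;
		}
	}
}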
130
// Lost pass phrase, first step: look the account up by e-mail address and
// date of birth. On a match the whole `users` row is kept in the session and
// the security-question page (6) is shown next.
//
// NOTE(review): `select *` places every column of the row in the session,
// including the stored pass-phrase hash and the secret answers that the next
// step reads. No limit on repeated attempts is visible in this handler.
if ($oldid == 5 && $process != "")
{
	$_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
	$email = $_SESSION['lostpw']['email'];

	// The three date parts are reduced to integers before they reach the query.
	foreach (array('day', 'month', 'year') as $part)
	{
		$_SESSION['lostpw'][$part] = intval($_REQUEST[$part]);
	}
	$dob = implode("-", array($_SESSION['lostpw']['year'], $_SESSION['lostpw']['month'], $_SESSION['lostpw']['day']));

	$res = mysql_query("select * from `users` where `email`='".$email."' and `dob`='".$dob."'");
	if (mysql_num_rows($res) > 0)
	{
		$id = 6;
		$_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
	} else {
		// Stay on the form and report the failure.
		$id = $oldid;
		$oldid = 0;
		$_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
	}
}
150
// Client-certificate login: only attempted on the login page (4) and only
// when the request arrived on the configured secure host name.
if ($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
{
	include_once("../includes/lib/general.php");

	// Certificate serial and issuer CN as exported by the web server's TLS
	// layer; the mapping to an account is done by get_user_id_from_cert().
	$certSerial = $_SERVER['SSL_CLIENT_M_SERIAL'];
	$issuerName = $_SERVER['SSL_CLIENT_I_DN_CN'];
	$user_id = get_user_id_from_cert($certSerial, $issuerName);

	if ($user_id >= 0)
	{
		// NOTE(review): $user_id is interpolated as returned by the helper,
		// which is defined elsewhere - presumably an integer; confirm, or wrap
		// it in intval() like the other id lookups in this file.
		$lookup = mysql_query("select * from `users` where\n`id`='$user_id' and `deleted`=0 and `locked`=0");
		$_SESSION['profile'] = mysql_fetch_assoc($lookup);

		// Deleted or locked accounts yield no row and are not logged in.
		$accountFound = ($_SESSION['profile']['id'] != 0);
		$_SESSION['profile']['loggedin'] = $accountFound ? 1 : 0;

		// NOTE(review): no session id renewal is visible at this point - TODO
		// confirm it happens elsewhere when a session becomes authenticated.
		if ($accountFound)
		{
			header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
			exit;
		}
	}
}
174
175
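// A visitor who is already logged in and opens the login page (4) is sent
// straight to the account page.
//
// The previous test wrapped the profile in array(...) before looking for the
// 'loggedin' key, so the key was searched in a one-element list and never
// found; the redirect could not fire. The key is now looked up in the profile
// itself, the same way the CCA handler in this file does it.
if ($id == 4
	&& array_key_exists('profile', $_SESSION)
	&& is_array($_SESSION['profile'])
	&& array_key_exists('loggedin', $_SESSION['profile'])
	&& $_SESSION['profile']['loggedin'] == 1)
{
	header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
	exit;
}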
181
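// Pass-phrase login (form posted from page 4).
//
// Change against the previous version: an address that is not registered is
// no longer reported as "rate limited". Before, the throttle query returned
// no row for unknown addresses, so they received a different message than
// known addresses with a wrong pass phrase, and the form could be used to
// learn whether an address has an account. Unknown addresses now get the
// generic failure message.
//
// NOTE(review), not changed here:
//  - pass phrases are matched and re-stored as unsalted SHA-1 (older formats
//    are accepted and upgraded to sha1() on a successful login);
//  - the throttle is five seconds per address and is only advanced by failed
//    attempts;
//  - no session id renewal is visible when the session becomes authenticated;
//  - the redirect target host is taken from the Host request header.
if ($oldid == 4)
{
	$oldid = 0;
	$id = 4;

	$_SESSION['_config']['errmsg'] = "";

	$rawEmail = (isset($_REQUEST['email']) && is_string($_REQUEST['email'])) ? $_REQUEST['email'] : "";
	$rawPword = (isset($_REQUEST['pword']) && is_string($_REQUEST['pword'])) ? $_REQUEST['pword'] : "";
	$email = mysql_escape_string(stripslashes(strip_tags(trim($rawEmail))));
	$pword = mysql_escape_string(stripslashes(trim($rawPword)));

	// The stored hash may be in any of three formats.
	$pwmatch = "(`password`=old_password('$pword') or `password`=sha1('$pword') or `password`=password('$pword'))";

	$query = "select * from `users` where `email`='$email' and $pwmatch and `verified`=1 and `deleted`=0 and `locked`=0";
	$res = mysql_query($query);

	// $rateLimit is true when this attempt is ALLOWED. It is only evaluated
	// for addresses that exist, so that unknown addresses take the same
	// failure path as a wrong pass phrase.
	$known = mysql_num_rows(mysql_query("SELECT 1 FROM `users` WHERE `email`='$email'")) > 0;
	$rateLimit = true;
	if ($known)
	{
		$query = "SELECT 1 FROM `users` WHERE `email`='$email' and (UNIX_TIMESTAMP(`lastLoginAttempt`) < UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - 5 or `lastLoginAttempt` is NULL)";
		$rateLimit = mysql_num_rows(mysql_query($query)) > 0;
	}

	if (mysql_num_rows($res) > 0 && $rateLimit)
	{
		$_SESSION['profile'] = "";
		unset($_SESSION['profile']);
		$_SESSION['profile'] = mysql_fetch_assoc($res);

		// Re-store the pass phrase in the sha1() format.
		$query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".intval($_SESSION['profile']['id'])."'";
		mysql_query($query);

		if ($_SESSION['profile']['language'] == "")
		{
			$query = "update `users` set `language`='".L10n::get_translation()."'
				where `id`='".intval($_SESSION['profile']['id'])."'";
			mysql_query($query);
		} else {
			L10n::set_translation($_SESSION['profile']['language']);
			L10n::init_gettext();
		}

		$query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 group by `to`";
		$res = mysql_query($query);
		$row = mysql_fetch_assoc($res);
		$_SESSION['profile']['points'] = $row['total'];
		$_SESSION['profile']['loggedin'] = 1;

		// Accounts without five recovery questions are sent to the page that
		// collects them.
		if ($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
			$_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
			$_SESSION['profile']['Q5'] == "")
		{
			$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
			$_SESSION['_config']['oldlocation'] = "account.php?id=13";
		}
		if (!isset($_SESSION['_config']['oldlocation']))
		{
			$_SESSION['_config']['oldlocation'] = '';
		}
		// A pass phrase that scores too low forces the change form; this
		// takes precedence over any other pending location.
		if (checkpwlight($pword) < 3)
			$_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";

		if ($_SESSION['_config']['oldlocation'] != "")
		{
			header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
		} else {
			header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
		}
		exit;
	} else if ($rateLimit) {
		// Failed attempt that was not throttled: start the five second window.
		$query = "update `users` set `lastLoginAttempt`=CURRENT_TIMESTAMP WHERE `email`='$email'";
		mysql_query($query);
	}

	// Tell apart "wrong credentials" from "right credentials, but the account
	// is not verified yet".
	$query = "select * from `users` where `email`='$email' and $pwmatch and `verified`=0 and `deleted`=0";
	$res = mysql_query($query);
	if (!$rateLimit) {
		$_SESSION['_config']['errmsg'] = _("You hit the login rate limit of 1 login per 5 seconds.");
	} else if (mysql_num_rows($res) <= 0) {
		$_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
	} else {
		$_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
	}
}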
252
// CCA (CAcert Community Agreement) acceptance form. Every path through this
// handler ends in a redirect:
//   - not logged in, or the agreement was not accepted -> login page
//   - accepted -> the remembered location if there is one, else the account page
//
// NOTE(review): the acceptance flag is read from $_REQUEST, so it is taken
// from the query string as well as from a posted form.
if ($oldid == 52)
{
	$authenticated = array_key_exists('profile', $_SESSION)
		&& array_key_exists('loggedin', $_SESSION['profile'])
		&& $_SESSION['profile']['loggedin'] == 1;

	$agreed = $authenticated
		&& array_key_exists('agree', $_REQUEST)
		&& $_REQUEST['agree'] != "";

	// Default target: back to the login page.
	$target = "index.php?id=4";

	if ($agreed)
	{
		// Record the acceptance and refresh the cached agreement status.
		write_user_agreement($_SESSION['profile']['id'], "CCA", "Login acception", "", 1);
		$_SESSION['profile']['ccaagreement'] = get_user_agreement_status($_SESSION['profile']['id'], 'CCA');

		$hasOldLocation = array_key_exists("oldlocation", $_SESSION['_config'])
			&& $_SESSION['_config']['oldlocation'] != "";
		$target = $hasOldLocation ? $_SESSION['_config']['oldlocation'] : "account.php";
	}

	header("Location: https://{$_SERVER['HTTP_HOST']}/{$target}");
	exit;
}
285
286
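// Sign-up form. $id starts as 2 (success page) and is set back to 1 (the
// form) by every validation that fails; the account is only created when $id
// is still 2 after all checks.
//
// Changes against the previous version of this handler:
//  - the question/answer uniqueness test now covers every pair of the ten
//    values. The old hand-written list skipped several answer/question pairs
//    (for example answer 2 against question 2), so "use the question as the
//    answer" was only rejected for some of them. The same loose == comparison
//    is used as before.
//  - the weak pass-phrase message is built with sprintf() from a constant
//    gettext id (the one the lost-pass-phrase handler uses) instead of
//    interpolating $score into the id, and it is appended to the other
//    messages rather than replacing them.
//  - missing or non-string request fields are read as "" instead of raising
//    notices.
//
// NOTE(review), not changed here:
//  - the pass phrase is stored as an unsalted SHA-1 and the five secret
//    answers are stored as entered;
//  - the escaped pass phrase stays in $_SESSION['signup'] when validation
//    fails; it is only cleared after a successful sign-up;
//  - the verification link mailed to the user is an http:// URL and carries
//    the verification hash.
if ($process && $oldid == 1)
{
	$id = 2;
	$oldid = 0;

	$_SESSION['_config']['errmsg'] = "";

	// Free-text fields: tags removed, slashes undone, SQL-escaped, trimmed.
	foreach (array('email', 'fname', 'mname', 'lname', 'suffix') as $field)
	{
		$raw = (isset($_REQUEST[$field]) && is_string($_REQUEST[$field])) ? $_REQUEST[$field] : "";
		$_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes(strip_tags($raw))));
	}
	foreach (array('day', 'month', 'year') as $field)
	{
		$_SESSION['signup'][$field] = intval(array_key_exists($field, $_REQUEST) ? $_REQUEST[$field] : 0);
	}
	// Pass phrases are not passed through strip_tags().
	foreach (array('pword1', 'pword2') as $field)
	{
		$raw = (isset($_REQUEST[$field]) && is_string($_REQUEST[$field])) ? $_REQUEST[$field] : "";
		$_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes($raw)));
	}
	foreach (array('Q', 'A') as $prefix)
	{
		for ($n = 1; $n <= 5; $n++)
		{
			$field = $prefix.$n;
			$raw = (isset($_REQUEST[$field]) && is_string($_REQUEST[$field])) ? $_REQUEST[$field] : "";
			$_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes(strip_tags($raw))));
		}
	}
	foreach (array('general', 'country', 'regional', 'radius', 'cca_agree') as $field)
	{
		$_SESSION['signup'][$field] = intval(array_key_exists($field, $_REQUEST) ? $_REQUEST[$field] : 0);
	}

	// All five questions and five answers must differ from one another.
	$qa = array();
	foreach (array('Q', 'A') as $prefix)
	{
		for ($n = 1; $n <= 5; $n++)
			$qa[] = $_SESSION['signup'][$prefix.$n];
	}
	$duplicate = false;
	$total = count($qa);
	for ($i = 0; $i < $total && !$duplicate; $i++)
	{
		for ($j = $i + 1; $j < $total; $j++)
		{
			if ($qa[$i] == $qa[$j])
			{
				$duplicate = true;
				break;
			}
		}
	}
	if ($duplicate)
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
	}

	if ($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
		$_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
		$_SESSION['signup']['Q5'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
	}
	if ($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
	}
	// The date must be a real calendar date, not before 1900 and not in the future.
	if ($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
		$_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
		!checkdate($_SESSION['signup']['month'], $_SESSION['signup']['day'], $_SESSION['signup']['year']) ||
		mktime(0, 0, 0, $_SESSION['signup']['month'], $_SESSION['signup']['day'], $_SESSION['signup']['year']) > time())
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
	}
	if ($_SESSION['signup']['cca_agree'] === 0)
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
	}
	if ($_SESSION['signup']['email'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
	}
	if ($_SESSION['signup']['pword1'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
	}
	if ($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
	}

	$score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
	if ($score < 3)
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score)."<br>\n";
	}

	// The values interpolated into the statements below were SQL-escaped or
	// reduced to integers when they were read above.
	$s = $_SESSION['signup'];

	if ($id == 2)
	{
		// The address must not belong to an existing, non-deleted account.
		$res1 = mysql_query("select * from `email` where `email`='".$s['email']."' and `deleted`=0");
		$res2 = mysql_query("select * from `users` where `email`='".$s['email']."' and `deleted`=0");
		if (mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
		{
			$id = 1;
			$_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
		}

		// Reject addresses whose tail matches an entry of the `baddomains` table.
		$res = mysql_query("select `domain` from `baddomains` where `domain`=RIGHT('".$s['email']."', LENGTH(`domain`))");
		if (mysql_num_rows($res) > 0)
		{
			$domain = mysql_fetch_assoc($res);
			$domain = $domain['domain'];
			$id = 1;
			$_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
		}
	}

	if ($id == 2)
	{
		// checkEmail() is defined elsewhere; it returns "OK" or a status text
		// whose first character is "4" for temporary failures.
		$checkemail = checkEmail($s['email']);
		if ($checkemail != "OK")
		{
			$id = 1;
			if (substr($checkemail, 0, 1) == "4")
			{
				$_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
			} else {
				$_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
			}
			// NOTE(review): $checkemail is appended to an HTML message as
			// returned; confirm it is escaped where errmsg is printed.
			$_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
		}
	}

	if ($id == 2)
	{
		$hash = make_hash();

		$query = "insert into `users` set `email`='".$s['email']."',
			`password`=sha1('".$s['pword1']."'),
			`fname`='".$s['fname']."',
			`mname`='".$s['mname']."',
			`lname`='".$s['lname']."',
			`suffix`='".$s['suffix']."',
			`dob`='".$s['year']."-".$s['month']."-".$s['day']."',
			`Q1`='".$s['Q1']."',
			`Q2`='".$s['Q2']."',
			`Q3`='".$s['Q3']."',
			`Q4`='".$s['Q4']."',
			`Q5`='".$s['Q5']."',
			`A1`='".$s['A1']."',
			`A2`='".$s['A2']."',
			`A3`='".$s['A3']."',
			`A4`='".$s['A4']."',
			`A5`='".$s['A5']."',
			`created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
		mysql_query($query);
		$memid = mysql_insert_id();

		$query = "insert into `email` set `email`='".$s['email']."',
			`hash`='$hash',
			`created`=NOW(),
			`memid`='$memid'";
		mysql_query($query);
		$emailid = mysql_insert_id();

		$query = "insert into `alerts` set `memid`='$memid',
			`general`='".$s['general']."',
			`country`='".$s['country']."',
			`regional`='".$s['regional']."',
			`radius`='".$s['radius']."'";
		mysql_query($query);
		write_user_agreement($memid, "CCA", "account creation", "", 1);

		$body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
		$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
		$body .= _("Best regards")."\n"._("CAcert.org Support!");

		sendmail($s['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");

		// Blank every collected value, pass phrases included, then drop the
		// sign-up data from the session.
		foreach ($_SESSION['signup'] as $key => $val)
			$_SESSION['signup'][$key] = "";
		unset($_SESSION['signup']);
	}
}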
493
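// Contact form, validation part. Submissions that look automated are
// rejected and reported to support; a submission with an empty mandatory
// field goes back to the form. When nothing is wrong, $process is left
// untouched and the sending handler that follows delivers the message.
//
// Changes against the previous version of this handler:
//  - the form token is compared with !== instead of !=, so two different
//    numeric-looking strings are no longer treated as equal;
//  - name, address and subject are rejected when they contain a carriage
//    return as well as a line feed;
//  - the visitor-supplied address is stripped of CR/LF before it is handed to
//    sendmail() for the spam reports (it is presumably used for a mail
//    header there; sendmail() is defined elsewhere);
//  - missing or non-string request fields are read as "".
if ($oldid == 11 && $process != "")
{
	$fields = array();
	foreach (array('who', 'email', 'subject', 'message', 'secrethash2') as $name)
	{
		$fields[$name] = (isset($_REQUEST[$name]) && is_string($_REQUEST[$name])) ? $_REQUEST[$name] : "";
	}
	$who = stripslashes($fields['who']);
	$email = stripslashes($fields['email']);
	$subject = stripslashes($fields['subject']);
	$message = stripslashes($fields['message']);
	$secrethash = $fields['secrethash2'];

	// Address as passed to sendmail() in the reports below.
	$reportSender = str_replace(array("\r", "\n"), "", $email);

	//check for spam via honeypot: the field must be present and empty
	if (!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest']))
	{
		echo _("Form could not be sent.");
		showfooter();
		exit;
	}

	// The token posted with the form must equal the one kept in the session,
	// and neither may be empty.
	$expectedHash = isset($_SESSION['_config']['secrethash']) ? (string)$_SESSION['_config']['secrethash'] : "";
	if ($expectedHash === "" || $secrethash === "" || $expectedHash !== $secrethash)
	{
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
		$oldid = 0;

		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
		sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $reportSender, "", "", "CAcert Support");
		echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
		die;
	}

	// Known spam markers in the subject, or line breaks in any value that is
	// meant to be a single line.
	$hasLineBreak = false;
	foreach (array($who, $email, $subject) as $singleLine)
	{
		if (strpbrk($singleLine, "\r\n") !== false)
			$hasLineBreak = true;
	}
	if (strpos($subject, "botmetka") !== false || strpos($subject, "servermetka") !== false || $hasLineBreak)
	{
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
		$oldid = 0;

		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
		sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $reportSender, "", "", "CAcert Support");
		echo _("This seems like potential spam, cannot continue.");
		die;
	}

	if (trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
	{
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
		$oldid = 0;
	}
}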
547
// Contact form, sending part. Runs only when the validation above left
// $oldid and $process untouched. Which index of $process is set decides the
// recipient: index 0 sends to the public support list, index 1 to the
// support address.
//
// NOTE(review): when $process arrives as a non-empty string, index 0 always
// exists and the first branch is taken; presumably the form posts it as an
// array - confirm against the form markup.
// NOTE(review): the visitor-supplied address is placed next to the list
// address in the fifth sendmail() argument; how sendmail() uses it is not
// visible here, so check that it cannot be used to direct mail to addresses
// of the sender's choosing.
if ($oldid == 11 && $process != "")
{
	$message = implode("\n", array("From: $who", "Email: $email", "Subject: $subject", "", "Message:", $message));

	if (isset($process[0]))
	{
		sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
		showheader(_("Welcome to CAcert.org"));
		echo _("Your message has been sent to the general support list.");
		showfooter();
		exit;
	}
	elseif (isset($process[1]))
	{
		sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
		showheader(_("Welcome to CAcert.org"));
		echo _("Your message has been sent.");
		showfooter();
		exit;
	}
}
566
// Placeholder shown in the sign-up form's year field until a year of 1900 or
// later has been entered.
$needsYearPlaceholder = !array_key_exists('signup', $_SESSION) || $_SESSION['signup']['year'] < 1900;
if ($needsYearPlaceholder)
{
	$_SESSION['signup']['year'] = "19XX";
}
569
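// Pages that moved to the wiki are answered with a permanent redirect.
//
// Changes against the previous version: the script now stops after sending
// the redirect, like every other redirect in this file (before, the normal
// page was still rendered behind the Location header), and a request without
// the HTTPS server variable no longer raises a notice.
$wikiPages = array(
	12 => 'FAQ/AboutUs',
	19 => 'FAQ/Privileges',
	8  => 'Board',
);

if (array_key_exists($id, $wikiPages))
{
	// Keep the scheme the request arrived with.
	$protocol = !empty($_SERVER['HTTPS']) ? 'https' : 'http';
	$newUrl = $protocol . '://wiki.cacert.org/' . $wikiPages[$id];
	header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
	exit;
}

// Every request that was not answered above is rendered as page $id inside
// the common header and footer.
showheader(_("Welcome to CAcert.org"));
includeit($id);
showfooter();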
594 ?>