4d403a8b781e41f4c9665f581095abd37a43a12a
[cacert-devel.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once('../includes/lib/l10n.php');
20 require_once('../includes/notary.inc.php');
21
// Routing parameters from the request. `id` selects the page to show and
// `oldid` the form that was just submitted; both are coerced to integers.
// `process` is kept exactly as submitted (later code tests it against ""
// and also probes $process[0] / $process[1]).
$id = array_key_exists("id", $_REQUEST) ? intval($_REQUEST['id']) : 0;
$oldid = array_key_exists("oldid", $_REQUEST) ? intval($_REQUEST['oldid']) : 0;
$process = array_key_exists("process", $_REQUEST) ? $_REQUEST['process'] : "";

// Page 2 may not be requested directly; the signup handler further down
// assigns it itself once a submission has been accepted.
if ($id == 2) {
	$id = 0;
}

// Start every request with an empty error message and no CCA state.
$_SESSION['_config']['errmsg'] = "";
$ccatest = 0;
31
// Pages 17 and 20 are emitted on their own, without header or footer.
// $id is an integer at this point, so the interpolated include path can
// only name one of these two files.
if (in_array($id, array(17, 20), true)) {
	include_once("../pages/index/$id.php");
	exit;
}

loadem("index");

// NOTE(review): HTTP_HOST is taken from the client's Host header. It is
// stored here and reused below to build redirect URLs, so it should be
// checked against the configured host names before being trusted.
$_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];

// Step 6 of the lost pass phrase flow requires an account that was already
// matched in step 5; without one the visitor is sent back to step 5.
$lostpwstep = ($oldid == 6 || $id == 6);
if ($lostpwstep && intval($_SESSION['lostpw']['user']['id']) < 1) {
	$oldid = 0;
	$id = 5;
}
47
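// Lost pass phrase, step 6: check the submitted answers to the account's
// secret questions and, if enough are right, store the new pass phrase.
//
// Changes against the previous version of this block:
//  * the five copy-pasted question stanzas are one loop;
//  * answers are compared with ===, so numeric-looking strings are no
//    longer equal merely because they have the same numeric value;
//  * the new pass phrase is no longer passed through strip_tags(); the
//    login and signup handlers in this file do not strip tags, so a pass
//    phrase containing "<...>" set here could not be used to log in;
//  * request fields that are missing or not strings are treated as empty;
//  * after a successful change the whole lostpw session entry (matched
//    user row, answers, clear-text pass phrase) is discarded;
//  * a failed update no longer prints the database error to the visitor.
//
// NOTE(review): nothing in this block limits the number of attempts per
// session or per account, and a failed attempt mails the stored answers to
// support in clear text. The pass phrase is stored as unsalted SHA-1 and
// travels inside the SQL text. Those need changes beyond this file section.
if ($oldid == 6 && $process != "")
{
	$body = "";
	$answers = 0;
	$id = $oldid;
	$oldid = 0;

	for ($n = 1; $n <= 5; $n++)
	{
		$qkey = "Q$n";
		$akey = "A$n";

		// Only questions that were presented (and submitted back) are checked.
		if (!array_key_exists($qkey, $_REQUEST) || !$_REQUEST[$qkey])
			continue;

		$given = "";
		if (array_key_exists($akey, $_REQUEST) && is_string($_REQUEST[$akey]))
			$given = $_REQUEST[$akey];
		$_SESSION['lostpw'][$akey] = trim(mysql_escape_string(stripslashes(strip_tags($given))));

		// Case-insensitive, but otherwise exact, string comparison.
		if (stripslashes(strtolower($_SESSION['lostpw'][$akey])) === strtolower($_SESSION['lostpw']['user'][$akey]))
			$answers++;
		$body .= "System: ".$_SESSION['lostpw']['user'][$akey]."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw'][$akey]))."\n";
	}

	// Same normalisation as the login and signup handlers: no strip_tags().
	foreach (array('pw1' => 'newpass1', 'pw2' => 'newpass2') as $slot => $field)
	{
		$raw = "";
		if (array_key_exists($field, $_REQUEST) && is_string($_REQUEST[$field]))
			$raw = $_REQUEST[$field];
		$_SESSION['lostpw'][$slot] = trim(mysql_escape_string(stripslashes($raw)));
	}

	if ($answers < $_SESSION['lostpw']['total'] || $answers < 3)
	{
		// Not enough correct answers: report the attempt to support.
		$body = "Someone has just attempted to update the pass phrase on the following account:\n".
			"Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
			"email: ".$_SESSION['lostpw']['user']['email']."\n".
			"IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
			"---------------------------------------------------------------------\n".$body.
			"---------------------------------------------------------------------\n";
		sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
			$_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
		$_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
	} else if ($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
		$_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
	} else if (strlen($_SESSION['lostpw']['pw1']) < 6) {
		$_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
	} else {
		$score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
			$_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
		if ($score < 3)
		{
			$_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
		} else {
			$query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
				where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
			if (!mysql_query($query))
			{
				// Keep the database error in the server log only.
				error_log("lost pass phrase update failed: ".mysql_error());
				die(_("Internal error, please try again later."));
			}

			// The recovery state is single-use: drop the matched account,
			// the answers and the clear-text pass phrase from the session.
			unset($_SESSION['lostpw']);

			showheader(_("Welcome to CAcert.org"));
			echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
			showfooter();
			exit;
		}
	}
}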
131
// Lost pass phrase, step 5: find the account by e-mail address and date of
// birth. On a match the whole user row is kept in the session for step 6.
//
// NOTE(review): the stored row comes from `select *`, so it carries every
// column of `users` into the session. Nothing visible here throttles
// repeated lookups. The request fields are read without checking that they
// exist or are strings.
if ($oldid == 5 && $process != "")
{
	$_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
	$email = $_SESSION['lostpw']['email'];

	// The date parts are coerced to integers before they reach the query.
	foreach (array('day', 'month', 'year') as $part) {
		$_SESSION['lostpw'][$part] = intval($_REQUEST[$part]);
	}
	$dob = implode("-", array(
		$_SESSION['lostpw']['year'],
		$_SESSION['lostpw']['month'],
		$_SESSION['lostpw']['day'],
	));

	$query = "select * from `users` where `email`='$email' and `dob`='$dob'";
	$res = mysql_query($query);

	if (mysql_num_rows($res) > 0) {
		// Match: continue with the secret questions.
		$id = 6;
		$_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
	} else {
		// No match (or the query failed): show step 5 again with an error.
		$id = $oldid;
		$oldid = 0;
		$_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
	}
}
151
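// Client certificate login. Runs only for the login page (id 4) when the
// request's Host header equals the configured secure host name.
//
// Changes against the previous version of this block:
//  * the '###0###' / '###1###' debug output is gone. It was written before
//    header(), which stops the redirect from being sent when output is not
//    buffered, and it put internal state into the response;
//  * the user id is forced to an integer before it is placed in the query.
//
// NOTE(review): SSL_CLIENT_M_SERIAL and SSL_CLIENT_I_DN_CN are read without
// checking that the server set them; confirm get_user_id_from_cert() copes
// with missing values. The session id is not renewed when the session
// becomes authenticated.
if ($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
{
	include_once("../includes/lib/general.php");
	$user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
			$_SERVER['SSL_CLIENT_I_DN_CN']);

	if ($user_id >= 0)
	{
		// Only accounts that are neither deleted nor locked may log in.
		$_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
			"select * from `users` where
			`id`='".intval($user_id)."' and `deleted`=0 and `locked`=0"));
		$ccatest = get_user_agreement_status($user_id, 'CCA');

		if ($_SESSION['profile']['id'] != 0)
		{
			$cca = get_last_user_agreement($user_id);
			if (!isset($cca['active'])) {
				// No active agreement on record: show the CCA page first.
				$id = 52;
				$ccatest = TRUE;
			} else {
				$_SESSION['profile']['loggedin'] = 1;
				header('location: https://'.$_SERVER['HTTP_HOST'].'/account.php');
				exit;
			}
		} else {
			$_SESSION['profile']['loggedin'] = 0;
		}
	}
}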
184
185
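// Send an already logged-in visitor from the login page to the account area.
//
// The debug echo that used to follow header() has been removed; it read
// $cca, which is only assigned inside the certificate login branch.
//
// NOTE(review): array($_SESSION['profile']) wraps the profile in a new
// one-element list, so the key 'loggedin' is never found in it and this
// branch cannot be reached as written. The condition is left unchanged
// here because enabling the redirect also means trusting HTTP_HOST, which
// is client-supplied; fix both together.
if ($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
{
	header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
	exit;
}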
192
/**
 * Turn the first six bytes of a hex string into an eight-symbol code over
 * a 64-character alphabet.
 *
 * The login handler in this file passes an MD5 hex digest and compares the
 * result with a submitted eight-character one-time password.
 *
 * This is not a standard base64 encoding: the bits carried over from one
 * byte are added to the high bits of the next byte (without shifting) and
 * the sum is masked to six bits. Presumably the output has to stay
 * identical to what the token generators produce, so the arithmetic must
 * not be "corrected".
 *
 * @param string $otp hex string; only the first 12 hex digits are read
 * @return string eight characters from the lookup alphabet
 */
function getOTP64($otp)
{
	$alphabet = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";

	// Decode the leading hex digits pairwise into six byte values.
	$bytes = array();
	for ($pos = 0; $pos < 6; $pos++) {
		$bytes[$pos] = hexdec(substr($otp, $pos * 2, 2));
	}

	$code = "";

	// Bytes 0-2 and bytes 3-5 go through the same four steps, each group
	// contributing four symbols.
	foreach (array(0, 3) as $base) {
		$high = $bytes[$base] >> 2;
		$code .= $alphabet[$high & 63];
		$rest = $bytes[$base] - ($high << 2);

		$high = $bytes[$base + 1] >> 4;
		$code .= $alphabet[($high + $rest) & 63];
		$rest = $bytes[$base + 1] - ($high << 4);

		$high = $bytes[$base + 2] >> 6;
		$code .= $alphabet[($high + $rest) & 63];
		$rest = $bytes[$base + 2] - ($high << 6);

		$code .= $alphabet[$rest & 63];
	}

	return $code;
}
223
/**
 * Turn the first seven bytes of a hex string into a ten-symbol code over a
 * 32-character alphabet.
 *
 * The login handler in this file uses it for one-time passwords that are
 * neither six nor eight characters long.
 *
 * As in getOTP64(), carried bits are added to the next byte's high bits
 * and the sum is masked, here to five bits. Presumably the output has to
 * match the token generators, so the arithmetic is reproduced unchanged.
 *
 * @param string $otp hex string; only the first 14 hex digits are read
 * @return string ten characters from the lookup alphabet
 */
function getOTP32($otp)
{
	$alphabet = "0123456789abcdefghkmnoprstuvwxyz";

	// Decode the leading hex digits pairwise into seven byte values.
	$bytes = array();
	for ($pos = 0; $pos < 7; $pos++) {
		$bytes[$pos] = hexdec(substr($otp, $pos * 2, 2));
	}

	// Byte 0: one symbol from the top five bits, low three bits carried.
	$high = $bytes[0] >> 3;
	$code = $alphabet[$high & 31];
	$carry = $bytes[0] - ($high << 3);

	// Byte 1: two symbols, lowest bit carried.
	$high = $bytes[1] >> 6;
	$code .= $alphabet[($high + $carry) & 31];
	$carry = ($bytes[1] - ($high << 6)) >> 1;
	$code .= $alphabet[$carry & 31];
	$carry = $bytes[1] - (($bytes[1] >> 1) << 1);

	// Byte 2: one symbol, low four bits carried.
	$high = $bytes[2] >> 4;
	$code .= $alphabet[($high + $carry) & 31];
	$carry = $bytes[2] - ($high << 4);

	// Byte 3: two symbols.
	$high = $bytes[3] >> 7;
	$code .= $alphabet[($high + $carry) & 31];
	$carry = ($bytes[3] - ($high << 7)) >> 2;
	$code .= $alphabet[$carry & 31];
	// NOTE(review): the parentheses spell out how PHP groups the original
	// expression (subtraction binds tighter than <<). The carry is therefore
	// not limited to the low two bits of byte 3; only the & 31 below bounds
	// it. Left as is because changing it would change the generated codes.
	$carry = ($bytes[3] - (($bytes[3] - ($high << 7)) >> 2)) << 2;

	// Byte 4: two symbols.
	$high = $bytes[4] >> 5;
	$code .= $alphabet[($high + $carry) & 31];
	$carry = $bytes[4] - ($high << 5);
	$code .= $alphabet[$carry & 31];

	// Byte 5: one symbol, low three bits carried.
	$high = $bytes[5] >> 3;
	$code .= $alphabet[$high & 31];
	$carry = $bytes[5] - ($high << 3);

	// Byte 6: only its top two bits are used, for the last symbol.
	$high = $bytes[6] >> 6;
	$code .= $alphabet[($high + $carry) & 31];

	return $code;
}
259
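// Pass phrase / one-time password login.
//
// Changes against the previous version of this block:
//  * after a one-time password login the stored pass phrase is no longer
//    overwritten. Before, the update below ran for every successful login
//    and replaced `password` with the SHA-1 of whatever was typed, which
//    for an OTP login is the one-time code itself;
//  * the one-time code is compared with ===. With ==, two different
//    numeric-looking strings compare equal when their numeric values match;
//  * the time-window loop stops at the first match;
//  * the unused $tmpmd5 / $otppin locals are removed (see note below);
//  * request fields that are missing or not strings are treated as empty;
//  * ids and the language code are made safe before entering SQL text;
//  * a missing 'oldlocation' session entry no longer raises a notice.
//
// NOTE(review): the old code computed md5("$i$otphash$otppin") into
// $tmpmd5 and never used it, so `otppin` has no effect on which codes are
// accepted. Whether the PIN was meant to be part of the code needs to be
// decided together with the token generators; it is not changed here.
// NOTE(review): pass phrases are checked with old_password(), password()
// and unsalted sha1() inside SQL text, so the clear text reaches the
// database server and any query log. Moving to password_hash() /
// password_verify() needs a schema change outside this file section.
// NOTE(review): there is no attempt limit, and the session id is not
// renewed on login. Redirects are built from the client-supplied Host
// header.
if ($oldid == 4)
{
	$oldid = 0;
	$id = 4;

	$_SESSION['_config']['errmsg'] = "";

	$rawemail = (array_key_exists('email', $_REQUEST) && is_string($_REQUEST['email'])) ? $_REQUEST['email'] : "";
	$rawpword = (array_key_exists('pword', $_REQUEST) && is_string($_REQUEST['pword'])) ? $_REQUEST['pword'] : "";
	$email = mysql_escape_string(stripslashes(strip_tags(trim($rawemail))));
	$pword = mysql_escape_string(stripslashes(trim($rawpword)));

	// Set when the session is authenticated by a one-time password.
	$otplogin = false;

	$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
		`password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
	$res = mysql_query($query);
	if (mysql_num_rows($res) <= 0)
	{
		// No pass phrase match: try the value as a one-time password.
		$otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
		$otpres = mysql_query($otpquery);
		if (mysql_num_rows($otpres) > 0)
		{
			$otp = mysql_fetch_assoc($otpres);
			$otphash = $otp['otphash'];

			// Six-character codes use 10 second steps, all others 60 second steps.
			if (strlen($pword) == 6)
			{
				$matchperiod = 18;
				$time = round(gmdate("U") / 10);
			} else {
				$matchperiod = 3;
				$time = round(gmdate("U") / 60);
			}

			// Replay protection: codes seen in the last 600 seconds are refused.
			$query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
			mysql_query($query);

			$query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
			if (mysql_num_rows(mysql_query($query)) <= 0)
			{
				$query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
				mysql_query($query);

				for ($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
				{
					if (strlen($pword) == 6)
						$md5 = substr(md5("$i$otphash"), 0, 6);
					else if (strlen($pword) == 8)
						$md5 = getOTP64(md5("$i$otphash"));
					else
						$md5 = getOTP32(md5("$i$otphash"));

					if ($pword === $md5)
					{
						$res = mysql_query($otpquery);
						$otplogin = true;
						break;
					}
				}
			}
		}
	}

	if (mysql_num_rows($res) > 0)
	{
		$_SESSION['profile'] = "";
		unset($_SESSION['profile']);
		$_SESSION['profile'] = mysql_fetch_assoc($res);
		$profileid = intval($_SESSION['profile']['id']);

		if ($otplogin)
		{
			// A one-time code must never become the stored pass phrase.
			$query = "update `users` set `modified`=NOW() where `id`='$profileid'";
		} else {
			// Re-store the pass phrase as sha1(), replacing older formats.
			$query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='$profileid'";
		}
		mysql_query($query);

		if ($_SESSION['profile']['language'] == "")
		{
			$query = "update `users` set `language`='".mysql_escape_string(L10n::get_translation())."'
				where `id`='$profileid'";
			mysql_query($query);
		} else {
			L10n::set_translation($_SESSION['profile']['language']);
			L10n::init_gettext();
		}

		$query = "select sum(`points`) as `total` from `notary` where `to`='$profileid' group by `to`";
		$res = mysql_query($query);
		$row = mysql_fetch_assoc($res);
		$_SESSION['profile']['points'] = $row['total'];
		$_SESSION['profile']['loggedin'] = 1;

		if ($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
			$_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
			$_SESSION['profile']['Q5'] == "")
		{
			$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
			$_SESSION['_config']['oldlocation'] = "account.php?id=13";
		}
		if (checkpwlight($pword) < 3)
			$_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";

		$ccatest = get_user_agreement_status($_SESSION['profile']['id'], 'CCA');

		$oldlocation = isset($_SESSION['_config']['oldlocation']) ? $_SESSION['_config']['oldlocation'] : "";
		if ($oldlocation != "") {
			header("location: https://".$_SERVER['HTTP_HOST']."/".$oldlocation);
		} else {
			if (0 == $ccatest) {
				$id = 52;
				header("location: https://".$_SERVER['HTTP_HOST']."/index.php?id=52");
			} else {
				header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
			}
		}
		exit;
	}

	// Login failed. An unverified account with the right pass phrase gets a
	// specific hint; everything else gets the generic message.
	$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
		`password`=password('$pword')) and `verified`=0 and `deleted`=0";
	$res = mysql_query($query);
	if (mysql_num_rows($res) <= 0)
	{
		$_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
	} else {
		$_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
	}
}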
373
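// check for CCA acceptance prior to login
//
// Changed against the previous version: the block now requires a profile
// with a positive id in the session before it does anything. Before, a
// request for page 52 with `agree` set marked the session as logged in and
// recorded an agreement even when no account had been identified by the
// certificate or pass phrase login. Without such a profile the visitor is
// now shown the login page instead.
if ($id == 52)
{
	$pendingid = isset($_SESSION['profile']['id']) ? intval($_SESSION['profile']['id']) : 0;

	if ($pendingid < 1)
	{
		$id = 4;
	} else {
		$ccatest = get_user_agreement_status($pendingid, 'CCA');

		$agree = array_key_exists('agree', $_REQUEST) ? $_REQUEST['agree'] : "";
		if (!$agree) {
			// Not (yet) accepted: the session stays logged out.
			$_SESSION['profile']['loggedin'] = 0;
		} else {
			write_user_agreement($pendingid, "CCA", "Login acception", "", 1);
			$_SESSION['profile']['loggedin'] = 1;
			header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
			exit;
		}

		$disagree = array_key_exists('disagree', $_REQUEST) ? $_REQUEST['disagree'] : "";
		if ($disagree) {
			$_SESSION['profile']['loggedin'] = 0;
			header("location: https://".$_SERVER['HTTP_HOST']."/index.php?id=4");
			exit;
		}
	}
}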
394
395
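// Account signup: validate the form, create the user, e-mail and alert
// rows, record the CCA acceptance and mail the verification link.
//
// Changes against the previous version of this block:
//  * form fields are read in loops; a field that is missing or is not a
//    string is treated as empty instead of being handed to strip_tags();
//  * the question/answer check is complete. The old condition compared
//    only some answer/question pairs (for example A2 against Q3-Q5 but not
//    against Q1 or Q2), although the message promises that no answer may
//    equal any question. Values are compared as exact strings;
//  * the pass phrase score message uses sprintf() with the same msgid as
//    the lost pass phrase handler (a msgid with $score interpolated cannot
//    be found in a translation catalogue) and is appended instead of
//    replacing the errors collected so far;
//  * the mail server's reply is HTML-escaped before it is put into the
//    error message, because it is text from a remote system.
//
// NOTE(review): the pass phrase is stored as unsalted SHA-1 and is part of
// the SQL text. The verification link is mailed with an http:// URL. The
// results of the three inserts are not checked, so a failed `users` insert
// still leads to `email`/`alerts` rows and a verification mail.
if ($process && $oldid == 1)
{
	$id = 2;
	$oldid = 0;

	$_SESSION['_config']['errmsg'] = "";

	// Free-text fields: tags stripped, escaped for SQL, trimmed.
	$textfields = array('email', 'fname', 'mname', 'lname', 'suffix',
		'Q1', 'Q2', 'Q3', 'Q4', 'Q5', 'A1', 'A2', 'A3', 'A4', 'A5');
	foreach ($textfields as $field)
	{
		$raw = (array_key_exists($field, $_REQUEST) && is_string($_REQUEST[$field])) ? $_REQUEST[$field] : "";
		$_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes(strip_tags($raw))));
	}

	// Pass phrases keep their tags, as in the login handler.
	foreach (array('pword1', 'pword2') as $field)
	{
		$raw = (array_key_exists($field, $_REQUEST) && is_string($_REQUEST[$field])) ? $_REQUEST[$field] : "";
		$_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes($raw)));
	}

	// Numeric fields.
	foreach (array('day', 'month', 'year', 'general', 'country', 'regional', 'radius', 'cca_agree') as $field)
		$_SESSION['signup'][$field] = intval(array_key_exists($field, $_REQUEST) ? $_REQUEST[$field] : 0);

	// Five distinct questions, five distinct answers, no answer equal to a question.
	$questions = array();
	$replies = array();
	for ($n = 1; $n <= 5; $n++)
	{
		$questions[] = $_SESSION['signup']["Q$n"];
		$replies[] = $_SESSION['signup']["A$n"];
	}
	if (count(array_unique($questions)) < 5 ||
		count(array_unique($replies)) < 5 ||
		count(array_intersect($replies, $questions)) > 0)
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
	}

	if ($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
		$_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
		$_SESSION['signup']['Q5'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
	}
	if ($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
	}
	if ($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
		$_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
		!checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
		mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
	}
	if ($_SESSION['signup']['cca_agree'] == 0)
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
	}
	if ($_SESSION['signup']['email'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
	}
	if ($_SESSION['signup']['pword1'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
	}
	if ($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
	}

	$score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
	if ($score < 3)
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score)."<br>\n";
	}

	// The address must not be in use and must not be in a refused domain.
	if ($id == 2)
	{
		$query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
		$res1 = mysql_query($query);

		$query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
		$res2 = mysql_query($query);
		if (mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
		{
			$id = 1;
			$_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
		}

		$query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
		$res = mysql_query($query);
		if (mysql_num_rows($res) > 0)
		{
			$domain = mysql_fetch_assoc($res);
			$domain = $domain['domain'];
			$id = 1;
			$_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
		}
	}

	// Probe the mail server responsible for the address.
	if ($id == 2)
	{
		$checkemail = checkEmail($_SESSION['signup']['email']);
		if ($checkemail != "OK")
		{
			$id = 1;
			if (substr($checkemail, 0, 1) == "4")
			{
				$_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
			} else {
				$_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
			}
			// The reply text comes from the remote server: escape it for HTML.
			$_SESSION['_config']['errmsg'] .= "<br>\n".htmlspecialchars($checkemail, ENT_QUOTES)."<br>\n";
		}
	}

	// All checks passed: create the account and send the verification mail.
	if ($id == 2)
	{
		$hash = make_hash();

		$query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
				`password`=sha1('".$_SESSION['signup']['pword1']."'),
				`fname`='".$_SESSION['signup']['fname']."',
				`mname`='".$_SESSION['signup']['mname']."',
				`lname`='".$_SESSION['signup']['lname']."',
				`suffix`='".$_SESSION['signup']['suffix']."',
				`dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
				`Q1`='".$_SESSION['signup']['Q1']."',
				`Q2`='".$_SESSION['signup']['Q2']."',
				`Q3`='".$_SESSION['signup']['Q3']."',
				`Q4`='".$_SESSION['signup']['Q4']."',
				`Q5`='".$_SESSION['signup']['Q5']."',
				`A1`='".$_SESSION['signup']['A1']."',
				`A2`='".$_SESSION['signup']['A2']."',
				`A3`='".$_SESSION['signup']['A3']."',
				`A4`='".$_SESSION['signup']['A4']."',
				`A5`='".$_SESSION['signup']['A5']."',
				`created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
		mysql_query($query);
		$memid = mysql_insert_id();
		$query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
				`hash`='$hash',
				`created`=NOW(),
				`memid`='$memid'";
		mysql_query($query);
		$emailid = mysql_insert_id();
		$query = "insert into `alerts` set `memid`='$memid',
				`general`='".$_SESSION['signup']['general']."',
				`country`='".$_SESSION['signup']['country']."',
				`regional`='".$_SESSION['signup']['regional']."',
				`radius`='".$_SESSION['signup']['radius']."'";
		mysql_query($query);
		write_user_agreement($memid, "CCA", "account creation", "", 1);

		$body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
		$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
		$body .= _("Best regards")."\n"._("CAcert.org Support!");

		sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");

		// Wipe the submitted data (including the pass phrase) from the session.
		foreach ($_SESSION['signup'] as $key => $val)
			$_SESSION['signup'][$key] = "";
		unset($_SESSION['signup']);
	}
}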
602
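// Contact form, part 1: anti-spam and sanity checks. Leaves $process
// non-empty only when the message may be sent by the block that follows.
//
// Changes against the previous version of this block:
//  * form fields that are missing or not strings are treated as empty;
//  * the form token is compared as an exact string (the old != comparison
//    treated different numeric-looking strings as equal);
//  * the line-break check on name, address and subject also rejects "\r".
//    These values end up in mail headers; whether sendmail() filters them
//    itself cannot be seen from here;
//  * the two identical rejection paths are one, and the commented-out
//    debug lines that would have printed the session token are removed.
if ($oldid == 11 && $process != "")
{
	$form = array();
	foreach (array('who', 'email', 'subject', 'message', 'secrethash2') as $field)
		$form[$field] = (array_key_exists($field, $_REQUEST) && is_string($_REQUEST[$field])) ? $_REQUEST[$field] : "";

	$who = stripslashes($form['who']);
	$email = stripslashes($form['email']);
	$subject = stripslashes($form['subject']);
	$message = stripslashes($form['message']);
	$secrethash = $form['secrethash2'];

	//check for spam via honeypot: the field must be present and empty
	if (!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])) {
		echo _("Form could not be sent.");
		showfooter();
		exit;
	}

	$expectedhash = isset($_SESSION['_config']['secrethash']) ? (string)$_SESSION['_config']['secrethash'] : "";

	$linebreak = false;
	foreach (array($who, $email, $subject) as $headervalue)
	{
		if (strpbrk($headervalue, "\r\n") !== false)
			$linebreak = true;
	}

	// Decide whether, and with which message, the submission is refused.
	$refusal = "";
	if ($secrethash === "" || $expectedhash === "" || $expectedhash !== $secrethash)
		$refusal = _("This seems like you have cookies or Javascript disabled, cannot continue.");
	else if (strpos($subject, "botmetka") !== false || strpos($subject, "servermetka") !== false || $linebreak)
		$refusal = _("This seems like potential spam, cannot continue.");

	if ($refusal != "")
	{
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = $refusal;
		$oldid = 0;

		// Forward the refused submission to support for inspection.
		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
		sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
		echo $refusal;
		die;
	}

	if (trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
	{
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
		$oldid = 0;
	}
}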
656
// Contact form, part 2: deliver the message. Reached only when the checks
// in the preceding block left $process non-empty.
//
// $process[0] selects the public support list, $process[1] the support
// address. NOTE(review): if `process` arrives as a plain non-empty string,
// $process[0] is its first character and the list branch is always taken.
// NOTE(review): in the list branch the visitor's address is appended to a
// comma-separated address argument of sendmail(); nothing here checks that
// $email is a single well-formed address.
if ($oldid == 11 && $process != "")
{
	$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;

	$tolist = isset($process[0]);
	if ($tolist) {
		sendmail(
			"cacert-support@lists.cacert.org",
			"[website form email]: ".$subject,
			$message,
			"website-form@cacert.org",
			"cacert-support@lists.cacert.org, $email",
			"",
			"CAcert-Website"
		);
		showheader(_("Welcome to CAcert.org"));
		echo _("Your message has been sent to the general support list.");
		showfooter();
		exit;
	}

	$tosupport = isset($process[1]);
	if ($tosupport) {
		sendmail(
			"support@cacert.org",
			"[CAcert.org] ".$subject,
			$message,
			$email,
			"",
			"",
			"CAcert Support"
		);
		showheader(_("Welcome to CAcert.org"));
		echo _("Your message has been sent.");
		showfooter();
		exit;
	}
}
675
// Give the signup form's year field a placeholder whenever the session has
// no signup data yet or the stored year is below 1900.
$yearmissing = !array_key_exists('signup', $_SESSION) || $_SESSION['signup']['year'] < 1900;
if ($yearmissing) {
	$_SESSION['signup']['year'] = "19XX";
}
678
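// Pages that have moved to the wiki are answered with a permanent redirect.
//
// Changes against the previous version of this block:
//  * the three copy-pasted stanzas are one lookup table;
//  * the script stops after sending the redirect instead of going on to
//    render a page body behind the 301 response;
//  * $_SERVER['HTTPS'] is tested with !empty(), which gives the same
//    result as before without a notice when the key is absent.
$wikipages = array(
	12 => 'FAQ/AboutUs',
	19 => 'FAQ/Privileges',
	8 => 'Board',
);

if (array_key_exists($id, $wikipages))
{
	// Keep the scheme the visitor used for this request.
	$protocol = !empty($_SERVER['HTTPS']) ? 'https' : 'http';
	$newUrl = $protocol . '://wiki.cacert.org/' . $wikipages[$id];
	header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
	exit;
}

// Everything else: render the selected page between header and footer.
showheader(_("Welcome to CAcert.org"));
includeit($id);
showfooter();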
704 ?>