bug 1192: typo fix in index/52.php, logical fix in index.php
[cacert-devel.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once('../includes/lib/l10n.php');
20 require_once('../includes/notary.inc.php');
21
22 $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
23 $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
24 $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
25
26 if($id == 2)
27 $id = 0;
28
29 $_SESSION['_config']['errmsg'] = "";
30 $ccatest=0;
31
32 if($id == 17 || $id == 20)
33 {
34 include_once("../pages/index/$id.php");
35 exit;
36 }
37
38 loadem("index");
39
40 $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
41
42 if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1)
43 {
44 $oldid = 0;
45 $id = 5;
46 }
47
48 if($oldid == 6 && $process != "")
49 {
50 $body = "";
51 $answers = 0;
52 $qs = array();
53 $id = $oldid;
54 $oldid = 0;
55 if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1'])
56 {
57 $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
58
59 if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1']))
60 $answers++;
61 $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n";
62 }
63 if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2'])
64 {
65 $_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
66
67 if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2']))
68 $answers++;
69 $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n";
70 }
71 if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3'])
72 {
73 $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
74
75 if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3']))
76 $answers++;
77 $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n";
78 }
79 if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4'])
80 {
81 $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
82
83 if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4']))
84 $answers++;
85 $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n";
86 }
87 if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5'])
88 {
89 $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
90
91 if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5']))
92 $answers++;
93 $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n";
94 }
95
96 $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
97 $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));
98
99 if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
100 {
101 $body = "Someone has just attempted to update the pass phrase on the following account:\n".
102 "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
103 "email: ".$_SESSION['lostpw']['user']['email']."\n".
104 "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
105 "---------------------------------------------------------------------\n".$body.
106 "---------------------------------------------------------------------\n";
107 sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
108 $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
109 $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
110 } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
111 $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
112 } else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
113 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
114 } else {
115 $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
116 $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
117 if($score < 3)
118 {
119 $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
120 } else {
121 $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
122 where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
123 mysql_query($query) || die(mysql_error());
124 showheader(_("Welcome to CAcert.org"));
125 echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
126 showfooter();
127 exit;
128 }
129 }
130 }
131
132 if($oldid == 5 && $process != "")
133 {
134 $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
135 $_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
136 $_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
137 $_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
138 $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];
139 $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
140 $res = mysql_query($query);
141 if(mysql_num_rows($res) <= 0)
142 {
143 $id = $oldid;
144 $oldid = 0;
145 $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
146 } else {
147 $id = 6;
148 $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
149 }
150 }
151
152 //client login
153 if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
154 {
155 include_once("../includes/lib/general.php");
156 $user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
157 $_SERVER['SSL_CLIENT_I_DN_CN']);
158
159 if($user_id >= 0)
160 {
161 $_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
162 "select * from `users` where
163 `id`='$user_id' and `deleted`=0 and `locked`=0"));
164 $ccatest=get_user_agreement_status($user_id,'CCA');
165
166 if($_SESSION['profile']['id'] != 0)
167 {
168 $cca=get_last_user_agreement($user_id);
169 echo '###0###'.$cca['active'];
170 if (!isset($cca['active'])){
171 $id=52;
172 $ccatest=TRUE;
173 }else{
174 $_SESSION['profile']['loggedin'] = 1;
175 header('location: https://'.$_SERVER['HTTP_HOST'].'/account.php');
176 echo '###1###'.$cca['active'];
177 exit;
178 }
179 } else {
180 $_SESSION['profile']['loggedin'] = 0;
181 }
182 }
183 }
184
185
186 if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
187 {
188 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
189 echo '###2###'.$cca['active'];
190 exit;
191 }
192
193 function getOTP64($otp)
194 {
195 $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
196
197 for($i = 0; $i < 6; $i++)
198 $val[$i] = hexdec(substr($otp, $i * 2, 2));
199
200 $tmp1 = $val[0] >> 2;
201 $OTP = $lookupChar[$tmp1 & 63];
202 $tmp2 = $val[0] - ($tmp1 << 2);
203 $tmp1 = $val[1] >> 4;
204 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
205 $tmp2 = $val[1] - ($tmp1 << 4);
206 $tmp1 = $val[2] >> 6;
207 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
208 $tmp2 = $val[2] - ($tmp1 << 6);
209 $OTP .= $lookupChar[$tmp2 & 63];
210 $tmp1 = $val[3] >> 2;
211 $OTP .= $lookupChar[$tmp1 & 63];
212 $tmp2 = $val[3] - ($tmp1 << 2);
213 $tmp1 = $val[4] >> 4;
214 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
215 $tmp2 = $val[4] - ($tmp1 << 4);
216 $tmp1 = $val[5] >> 6;
217 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
218 $tmp2 = $val[5] - ($tmp1 << 6);
219 $OTP .= $lookupChar[$tmp2 & 63];
220
221 return $OTP;
222 }
223
224 function getOTP32($otp)
225 {
226 $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
227
228 for($i = 0; $i < 7; $i++)
229 $val[$i] = hexdec(substr($otp, $i * 2, 2));
230
231 $tmp1 = $val[0] >> 3;
232 $OTP = $lookupChar[$tmp1 & 31];
233 $tmp2 = $val[0] - ($tmp1 << 3);
234 $tmp1 = $val[1] >> 6;
235 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
236 $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
237 $OTP .= $lookupChar[$tmp2 & 31];
238 $tmp2 = $val[1] - (($val[1] >> 1) << 1);
239 $tmp1 = $val[2] >> 4;
240 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
241 $tmp2 = $val[2] - ($tmp1 << 4);
242 $tmp1 = $val[3] >> 7;
243 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
244 $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
245 $OTP .= $lookupChar[$tmp2 & 31];
246 $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
247 $tmp1 = $val[4] >> 5;
248 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
249 $tmp2 = $val[4] - ($tmp1 << 5);
250 $OTP .= $lookupChar[$tmp2 & 31];
251 $tmp1 = $val[5] >> 3;
252 $OTP .= $lookupChar[$tmp1 & 31];
253 $tmp2 = $val[5] - ($tmp1 << 3);
254 $tmp1 = $val[6] >> 6;
255 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
256
257 return $OTP;
258 }
259
260 if($oldid == 4)
261 {
262 $oldid = 0;
263 $id = 4;
264
265 $_SESSION['_config']['errmsg'] = "";
266
267 $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
268 $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
269 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
270 `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
271 $res = mysql_query($query);
272 if(mysql_num_rows($res) <= 0)
273 {
274 $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
275 $otpres = mysql_query($otpquery);
276 if(mysql_num_rows($otpres) > 0)
277 {
278 $otp = mysql_fetch_assoc($otpres);
279 $otphash = $otp['otphash'];
280 $otppin = $otp['otppin'];
281 if(strlen($pword) == 6)
282 {
283 $matchperiod = 18;
284 $time = round(gmdate("U") / 10);
285 } else {
286 $matchperiod = 3;
287 $time = round(gmdate("U") / 60);
288 }
289
290 $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
291 mysql_query($query);
292
293 $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
294 if(mysql_num_rows(mysql_query($query)) <= 0)
295 {
296 $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
297 mysql_query($query);
298 for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
299 {
300 if($otppin > 0)
301 $tmpmd5 = md5("$i$otphash$otppin");
302 else
303 $tmpmd5 = md5("$i$otphash");
304
305 if(strlen($pword) == 6)
306 $md5 = substr(md5("$i$otphash"), 0, 6);
307 else if(strlen($pword) == 8)
308 $md5 = getOTP64(md5("$i$otphash"));
309 else
310 $md5 = getOTP32(md5("$i$otphash"));
311
312 if($pword == $md5)
313 $res = mysql_query($otpquery);
314 }
315 }
316 }
317 }
318 if(mysql_num_rows($res) > 0)
319 {
320 $_SESSION['profile'] = "";
321 unset($_SESSION['profile']);
322 $_SESSION['profile'] = mysql_fetch_assoc($res);
323 $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
324 mysql_query($query);
325
326 if($_SESSION['profile']['language'] == "")
327 {
328 $query = "update `users` set `language`='".L10n::get_translation()."'
329 where `id`='".$_SESSION['profile']['id']."'";
330 mysql_query($query);
331 } else {
332 L10n::set_translation($_SESSION['profile']['language']);
333 L10n::init_gettext();
334 }
335 $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
336 $res = mysql_query($query);
337 $row = mysql_fetch_assoc($res);
338 $_SESSION['profile']['points'] = $row['total'];
339 $_SESSION['profile']['loggedin'] = 1;
340 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
341 $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
342 $_SESSION['profile']['Q5'] == "")
343 {
344 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
345 $_SESSION['_config']['oldlocation'] = "account.php?id=13";
346 }
347 if (checkpwlight($pword) < 3)
348 $_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
349 $ccatest=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
350 if($_SESSION['_config']['oldlocation'] != ""){
351 header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
352 }else{
353 if (0==$ccatest) {
354 $id=52;
355 header("location: https://".$_SERVER['HTTP_HOST']."/index.php?id=52");
356 }else{
357 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
358 }
359 }
360 exit;
361 }
362
363 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
364 `password`=password('$pword')) and `verified`=0 and `deleted`=0";
365 $res = mysql_query($query);
366 if(mysql_num_rows($res) <= 0)
367 {
368 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
369 } else {
370 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
371 }
372 }
373
374 // check for CCA acceptance prior to login
375 if ($id == 52 )
376 {
377 $ccatest=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
378 $agree = ""; if(array_key_exists('agree',$_REQUEST)) $agree=$_REQUEST['agree'];
379 if (!$agree) {
380 $_SESSION['profile']['loggedin'] = 0;
381 $id=4;
382 }else{
383 write_user_agreement($_SESSION['profile']['id'], "CCA", "Login acception", "", 1);
384 $_SESSION['profile']['loggedin'] = 1;
385 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
386 exit;
387 }
388 }
389
390
391 if($process && $oldid == 1)
392 {
393 $id = 2;
394 $oldid = 0;
395
396 $_SESSION['_config']['errmsg'] = "";
397
398 $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
399 $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname']))));
400 $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname']))));
401 $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname']))));
402 $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix']))));
403 $_SESSION['signup']['day'] = intval($_REQUEST['day']);
404 $_SESSION['signup']['month'] = intval($_REQUEST['month']);
405 $_SESSION['signup']['year'] = intval($_REQUEST['year']);
406 $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
407 $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
408 $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
409 $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2']))));
410 $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3']))));
411 $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4']))));
412 $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5']))));
413 $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
414 $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
415 $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
416 $_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
417 $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
418 $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0);
419 $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0);
420 $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0);
421 $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0);
422 $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0);
423
424
425 if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
426 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
427 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
428 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
429 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
430 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
431 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
432 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
433 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
434 $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
435 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
436 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
437 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
438 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
439 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
440 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
441 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
442 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
443 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
444 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
445 $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
446 $_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
447 $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
448 $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
449 $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
450 $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
451 $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
452 $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
453 $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
454 $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
455 $_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
456 {
457 $id = 1;
458 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
459 }
460
461 if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
462 $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
463 $_SESSION['signup']['Q5'] == "")
464 {
465 $id = 1;
466 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
467 }
468 if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
469 {
470 $id = 1;
471 $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
472 }
473 if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
474 $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
475 !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
476 mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
477 {
478 $id = 1;
479 $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
480 }
481 if($_SESSION['signup']['cca_agree'] == "0")
482 {
483 $id = 1;
484 $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
485 }
486 if($_SESSION['signup']['email'] == "")
487 {
488 $id = 1;
489 $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
490 }
491 if($_SESSION['signup']['pword1'] == "")
492 {
493 $id = 1;
494 $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
495 }
496 if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
497 {
498 $id = 1;
499 $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
500 }
501
502 $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
503 if($score < 3)
504 {
505 $id = 1;
506 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6.");
507 }
508
509 if($id == 2)
510 {
511 $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
512 $res1 = mysql_query($query);
513
514 $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
515 $res2 = mysql_query($query);
516 if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
517 {
518 $id = 1;
519 $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
520 }
521
522 $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
523 $res = mysql_query($query);
524 if(mysql_num_rows($res) > 0)
525 {
526 $domain = mysql_fetch_assoc($res);
527 $domain = $domain['domain'];
528 $id = 1;
529 $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
530 }
531 }
532
533 if($id == 2)
534 {
535 $checkemail = checkEmail($_SESSION['signup']['email']);
536 if($checkemail != "OK")
537 {
538 $id = 1;
539 if (substr($checkemail, 0, 1) == "4")
540 {
541 $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
542 } else {
543 $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
544 }
545 $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
546 }
547 }
548
549 if($id == 2)
550 {
551 $hash = make_hash();
552
553 $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
554 `password`=sha1('".$_SESSION['signup']['pword1']."'),
555 `fname`='".$_SESSION['signup']['fname']."',
556 `mname`='".$_SESSION['signup']['mname']."',
557 `lname`='".$_SESSION['signup']['lname']."',
558 `suffix`='".$_SESSION['signup']['suffix']."',
559 `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
560 `Q1`='".$_SESSION['signup']['Q1']."',
561 `Q2`='".$_SESSION['signup']['Q2']."',
562 `Q3`='".$_SESSION['signup']['Q3']."',
563 `Q4`='".$_SESSION['signup']['Q4']."',
564 `Q5`='".$_SESSION['signup']['Q5']."',
565 `A1`='".$_SESSION['signup']['A1']."',
566 `A2`='".$_SESSION['signup']['A2']."',
567 `A3`='".$_SESSION['signup']['A3']."',
568 `A4`='".$_SESSION['signup']['A4']."',
569 `A5`='".$_SESSION['signup']['A5']."',
570 `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
571 mysql_query($query);
572 $memid = mysql_insert_id();
573 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
574 `hash`='$hash',
575 `created`=NOW(),
576 `memid`='$memid'";
577 mysql_query($query);
578 $emailid = mysql_insert_id();
579 $query = "insert into `alerts` set `memid`='$memid',
580 `general`='".$_SESSION['signup']['general']."',
581 `country`='".$_SESSION['signup']['country']."',
582 `regional`='".$_SESSION['signup']['regional']."',
583 `radius`='".$_SESSION['signup']['radius']."'";
584 mysql_query($query);
585 write_user_agreement($memid, "CCA", "account creation", "", 1);
586
587 $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
588 $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
589 $body .= _("Best regards")."\n"._("CAcert.org Support!");
590
591 sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
592 foreach($_SESSION['signup'] as $key => $val)
593 $_SESSION['signup'][$key] = "";
594 unset($_SESSION['signup']);
595 }
596 }
597
598 if($oldid == 11 && $process != "")
599 {
600 $who = stripslashes($_REQUEST['who']);
601 $email = stripslashes($_REQUEST['email']);
602 $subject = stripslashes($_REQUEST['subject']);
603 $message = stripslashes($_REQUEST['message']);
604 $secrethash = $_REQUEST['secrethash2'];
605
606 //check for spam via honeypot
607 if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){
608 echo _("Form could not be sent.");
609 showfooter();
610 exit;
611 }
612
613 if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
614 {
615 $id = $oldid;
616 $process = "";
617 $_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
618 $oldid = 0;
619
620 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
621 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
622 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
623 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
624 echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
625 die;
626 }
627 if(strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") )
628 {
629 $id = $oldid;
630 $process = "";
631 $_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
632 $oldid = 0;
633
634 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
635 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
636 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
637 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
638 echo _("This seems like potential spam, cannot continue.");
639 die;
640 }
641
642
643 if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
644 {
645 $id = $oldid;
646 $process = "";
647 $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
648 $oldid = 0;
649 }
650 }
651
652 if($oldid == 11 && $process != "")
653 {
654 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
655 if (isset($process[0])){
656 sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
657 showheader(_("Welcome to CAcert.org"));
658 echo _("Your message has been sent to the general support list.");
659 showfooter();
660 exit;
661 }
662 if (isset($process[1])){
663 sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
664 showheader(_("Welcome to CAcert.org"));
665 echo _("Your message has been sent.");
666 showfooter();
667 exit;
668 }
669 }
670
671 if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
672 $_SESSION['signup']['year'] = "19XX";
673
674 if ($id == 12)
675 {
676 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
677 $newUrl = $protocol . '://wiki.cacert.org/FAQ/AboutUs';
678 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
679 }
680
681 if ($id == 19)
682 {
683 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
684 $newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
685 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
686 }
687
688 if ($id == 8)
689 {
690 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
691 $newUrl = $protocol . '://wiki.cacert.org/Board';
692 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
693 }
694
695
696 showheader(_("Welcome to CAcert.org"));
697 includeit($id);
698 showfooter();
699 ?>