Typos...
[cacert-devel.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once('../includes/lib/l10n.php');
20
21 $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
22 $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
23 $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
24
25 if($id == 2)
26 $id = 0;
27
28 $_SESSION['_config']['errmsg'] = "";
29
30 if($id == 17 || $id == 20)
31 {
32 include_once("../pages/index/$id.php");
33 exit;
34 }
35
36 loadem("index");
37
38 $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
39
40 if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1)
41 {
42 $oldid = 0;
43 $id = 5;
44 }
45
46 if($oldid == 6 && $process != "")
47 {
48 $body = "";
49 $answers = 0;
50 $qs = array();
51 $id = $oldid;
52 $oldid = 0;
53 if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1'])
54 {
55 $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
56
57 if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1']))
58 $answers++;
59 $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n";
60 }
61 if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2'])
62 {
63 $_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
64
65 if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2']))
66 $answers++;
67 $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n";
68 }
69 if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3'])
70 {
71 $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
72
73 if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3']))
74 $answers++;
75 $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n";
76 }
77 if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4'])
78 {
79 $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
80
81 if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4']))
82 $answers++;
83 $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n";
84 }
85 if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5'])
86 {
87 $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
88
89 if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5']))
90 $answers++;
91 $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n";
92 }
93
94 $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
95 $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));
96
97 if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
98 {
99 $body = "Someone has just attempted to update the pass phrase on the following account:\n".
100 "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
101 "email: ".$_SESSION['lostpw']['user']['email']."\n".
102 "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
103 "---------------------------------------------------------------------\n".$body.
104 "---------------------------------------------------------------------\n";
105 sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
106 $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
107 $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
108 } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
109 $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
110 } else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
111 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
112 } else {
113 $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
114 $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
115 if($score < 3)
116 {
117 $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
118 } else {
119 $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
120 where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
121 mysql_query($query) || die(mysql_error());
122 showheader(_("Welcome to CAcert.org"));
123 echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
124 showfooter();
125 exit;
126 }
127 }
128 }
129
130 if($oldid == 5 && $process != "")
131 {
132 $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
133 $_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
134 $_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
135 $_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
136 $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];
137 $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
138 $res = mysql_query($query);
139 if(mysql_num_rows($res) <= 0)
140 {
141 $id = $oldid;
142 $oldid = 0;
143 $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
144 } else {
145 $id = 6;
146 $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
147 }
148 }
149
150 if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
151 {
152 include_once("../includes/lib/general.php");
153 $user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
154 $_SERVER['SSL_CLIENT_I_DN_CN']);
155
156 if($user_id >= 0)
157 {
158 $_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
159 "select * from `users` where
160 `id`='$user_id' and `deleted`=0 and `locked`=0"));
161
162 if($_SESSION['profile']['id'] != 0)
163 {
164 $_SESSION['profile']['loggedin'] = 1;
165 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
166 exit;
167 } else {
168 $_SESSION['profile']['loggedin'] = 0;
169 }
170 }
171 }
172
173 if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
174 {
175 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
176 exit;
177 }
178
179 function getOTP64($otp)
180 {
181 $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
182
183 for($i = 0; $i < 6; $i++)
184 $val[$i] = hexdec(substr($otp, $i * 2, 2));
185
186 $tmp1 = $val[0] >> 2;
187 $OTP = $lookupChar[$tmp1 & 63];
188 $tmp2 = $val[0] - ($tmp1 << 2);
189 $tmp1 = $val[1] >> 4;
190 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
191 $tmp2 = $val[1] - ($tmp1 << 4);
192 $tmp1 = $val[2] >> 6;
193 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
194 $tmp2 = $val[2] - ($tmp1 << 6);
195 $OTP .= $lookupChar[$tmp2 & 63];
196 $tmp1 = $val[3] >> 2;
197 $OTP .= $lookupChar[$tmp1 & 63];
198 $tmp2 = $val[3] - ($tmp1 << 2);
199 $tmp1 = $val[4] >> 4;
200 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
201 $tmp2 = $val[4] - ($tmp1 << 4);
202 $tmp1 = $val[5] >> 6;
203 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
204 $tmp2 = $val[5] - ($tmp1 << 6);
205 $OTP .= $lookupChar[$tmp2 & 63];
206
207 return $OTP;
208 }
209
210 function getOTP32($otp)
211 {
212 $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
213
214 for($i = 0; $i < 7; $i++)
215 $val[$i] = hexdec(substr($otp, $i * 2, 2));
216
217 $tmp1 = $val[0] >> 3;
218 $OTP = $lookupChar[$tmp1 & 31];
219 $tmp2 = $val[0] - ($tmp1 << 3);
220 $tmp1 = $val[1] >> 6;
221 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
222 $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
223 $OTP .= $lookupChar[$tmp2 & 31];
224 $tmp2 = $val[1] - (($val[1] >> 1) << 1);
225 $tmp1 = $val[2] >> 4;
226 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
227 $tmp2 = $val[2] - ($tmp1 << 4);
228 $tmp1 = $val[3] >> 7;
229 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
230 $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
231 $OTP .= $lookupChar[$tmp2 & 31];
232 $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
233 $tmp1 = $val[4] >> 5;
234 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
235 $tmp2 = $val[4] - ($tmp1 << 5);
236 $OTP .= $lookupChar[$tmp2 & 31];
237 $tmp1 = $val[5] >> 3;
238 $OTP .= $lookupChar[$tmp1 & 31];
239 $tmp2 = $val[5] - ($tmp1 << 3);
240 $tmp1 = $val[6] >> 6;
241 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
242
243 return $OTP;
244 }
245
246 if($oldid == 4)
247 {
248 $oldid = 0;
249 $id = 4;
250
251 $_SESSION['_config']['errmsg'] = "";
252
253 $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
254 $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
255 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
256 `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
257 $res = mysql_query($query);
258 if(mysql_num_rows($res) <= 0)
259 {
260 $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
261 $otpres = mysql_query($otpquery);
262 if(mysql_num_rows($otpres) > 0)
263 {
264 $otp = mysql_fetch_assoc($otpres);
265 $otphash = $otp['otphash'];
266 $otppin = $otp['otppin'];
267 if(strlen($pword) == 6)
268 {
269 $matchperiod = 18;
270 $time = round(gmdate("U") / 10);
271 } else {
272 $matchperiod = 3;
273 $time = round(gmdate("U") / 60);
274 }
275
276 $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
277 mysql_query($query);
278
279 $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
280 if(mysql_num_rows(mysql_query($query)) <= 0)
281 {
282 $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
283 mysql_query($query);
284 for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
285 {
286 if($otppin > 0)
287 $tmpmd5 = md5("$i$otphash$otppin");
288 else
289 $tmpmd5 = md5("$i$otphash");
290
291 if(strlen($pword) == 6)
292 $md5 = substr(md5("$i$otphash"), 0, 6);
293 else if(strlen($pword) == 8)
294 $md5 = getOTP64(md5("$i$otphash"));
295 else
296 $md5 = getOTP32(md5("$i$otphash"));
297
298 if($pword == $md5)
299 $res = mysql_query($otpquery);
300 }
301 }
302 }
303 }
304 if(mysql_num_rows($res) > 0)
305 {
306 $_SESSION['profile'] = "";
307 unset($_SESSION['profile']);
308 $_SESSION['profile'] = mysql_fetch_assoc($res);
309 $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
310 mysql_query($query);
311
312 if($_SESSION['profile']['language'] == "")
313 {
314 $query = "update `users` set `language`='".L10n::get_translation()."'
315 where `id`='".$_SESSION['profile']['id']."'";
316 mysql_query($query);
317 } else {
318 L10n::set_translation($_SESSION['profile']['language']);
319 L10n::init_gettext();
320 }
321 $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
322 $res = mysql_query($query);
323 $row = mysql_fetch_assoc($res);
324 $_SESSION['profile']['points'] = $row['total'];
325 $_SESSION['profile']['loggedin'] = 1;
326 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
327 $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
328 $_SESSION['profile']['Q5'] == "")
329 {
330 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
331 $_SESSION['_config']['oldlocation'] = "account.php?id=13";
332 }
333 if (checkpwlight($pword) < 3)
334 $_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
335 if($_SESSION['_config']['oldlocation'] != "")
336 header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
337 else
338 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
339 exit;
340 }
341
342 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
343 `password`=password('$pword')) and `verified`=0 and `deleted`=0";
344 $res = mysql_query($query);
345 if(mysql_num_rows($res) <= 0)
346 {
347 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
348 } else {
349 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
350 }
351 }
352
353 if($process && $oldid == 1)
354 {
355 $id = 2;
356 $oldid = 0;
357
358 $_SESSION['_config']['errmsg'] = "";
359
360 $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
361 $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname']))));
362 $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname']))));
363 $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname']))));
364 $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix']))));
365 $_SESSION['signup']['day'] = intval($_REQUEST['day']);
366 $_SESSION['signup']['month'] = intval($_REQUEST['month']);
367 $_SESSION['signup']['year'] = intval($_REQUEST['year']);
368 $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
369 $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
370 $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
371 $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2']))));
372 $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3']))));
373 $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4']))));
374 $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5']))));
375 $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
376 $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
377 $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
378 $_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
379 $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
380 $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0);
381 $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0);
382 $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0);
383 $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0);
384 $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0);
385
386
387 if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
388 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
389 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
390 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
391 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
392 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
393 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
394 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
395 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
396 $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
397 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
398 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
399 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
400 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
401 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
402 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
403 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
404 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
405 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
406 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
407 $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
408 $_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
409 $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
410 $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
411 $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
412 $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
413 $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
414 $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
415 $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
416 $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
417 $_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
418 {
419 $id = 1;
420 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
421 }
422
423 if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
424 $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
425 $_SESSION['signup']['Q5'] == "")
426 {
427 $id = 1;
428 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
429 }
430 if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
431 {
432 $id = 1;
433 $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
434 }
435 if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
436 $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
437 !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
438 mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
439 {
440 $id = 1;
441 $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
442 }
443 if($_SESSION['signup']['cca_agree'] == "0")
444 {
445 $id = 1;
446 $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
447 }
448 if($_SESSION['signup']['email'] == "")
449 {
450 $id = 1;
451 $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
452 }
453 if($_SESSION['signup']['pword1'] == "")
454 {
455 $id = 1;
456 $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
457 }
458 if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
459 {
460 $id = 1;
461 $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
462 }
463
464 $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
465 if($score < 3)
466 {
467 $id = 1;
468 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6.");
469 }
470
471 if($id == 2)
472 {
473 $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
474 $res1 = mysql_query($query);
475
476 $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
477 $res2 = mysql_query($query);
478 if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
479 {
480 $id = 1;
481 $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
482 }
483
484 $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
485 $res = mysql_query($query);
486 if(mysql_num_rows($res) > 0)
487 {
488 $domain = mysql_fetch_assoc($res);
489 $domain = $domain['domain'];
490 $id = 1;
491 $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
492 }
493 }
494
495 if($id == 2)
496 {
497 $checkemail = checkEmail($_SESSION['signup']['email']);
498 if($checkemail != "OK")
499 {
500 $id = 1;
501 if (substr($checkemail, 0, 1) == "4")
502 {
503 $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
504 } else {
505 $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
506 }
507 $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
508 }
509 }
510
511 if($id == 2)
512 {
513 $hash = make_hash();
514
515 $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
516 `password`=sha1('".$_SESSION['signup']['pword1']."'),
517 `fname`='".$_SESSION['signup']['fname']."',
518 `mname`='".$_SESSION['signup']['mname']."',
519 `lname`='".$_SESSION['signup']['lname']."',
520 `suffix`='".$_SESSION['signup']['suffix']."',
521 `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
522 `Q1`='".$_SESSION['signup']['Q1']."',
523 `Q2`='".$_SESSION['signup']['Q2']."',
524 `Q3`='".$_SESSION['signup']['Q3']."',
525 `Q4`='".$_SESSION['signup']['Q4']."',
526 `Q5`='".$_SESSION['signup']['Q5']."',
527 `A1`='".$_SESSION['signup']['A1']."',
528 `A2`='".$_SESSION['signup']['A2']."',
529 `A3`='".$_SESSION['signup']['A3']."',
530 `A4`='".$_SESSION['signup']['A4']."',
531 `A5`='".$_SESSION['signup']['A5']."',
532 `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
533 mysql_query($query);
534 $memid = mysql_insert_id();
535 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
536 `hash`='$hash',
537 `created`=NOW(),
538 `memid`='$memid'";
539 mysql_query($query);
540 $emailid = mysql_insert_id();
541 $query = "insert into `alerts` set `memid`='$memid',
542 `general`='".$_SESSION['signup']['general']."',
543 `country`='".$_SESSION['signup']['country']."',
544 `regional`='".$_SESSION['signup']['regional']."',
545 `radius`='".$_SESSION['signup']['radius']."'";
546 mysql_query($query);
547
548 $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
549 $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
550 $body .= _("Best regards")."\n"._("CAcert.org Support!");
551
552 sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
553 foreach($_SESSION['signup'] as $key => $val)
554 $_SESSION['signup'][$key] = "";
555 unset($_SESSION['signup']);
556 }
557 }
558
559 if($oldid == 11 && $process != "")
560 {
561 $who = stripslashes($_REQUEST['who']);
562 $email = stripslashes($_REQUEST['email']);
563 $subject = stripslashes($_REQUEST['subject']);
564 $message = stripslashes($_REQUEST['message']);
565 $secrethash = $_REQUEST['secrethash2'];
566
567 //check for spam via honeypot
568 if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){
569 echo _("Form could not be sent.");
570 showfooter();
571 exit;
572 }
573
574 if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
575 {
576 $id = $oldid;
577 $process = "";
578 $_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
579 $oldid = 0;
580
581 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
582 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
583 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
584 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
585 echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
586 die;
587 }
588 if(strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") )
589 {
590 $id = $oldid;
591 $process = "";
592 $_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
593 $oldid = 0;
594
595 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
596 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
597 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
598 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
599 echo _("This seems like potential spam, cannot continue.");
600 die;
601 }
602
603
604 if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
605 {
606 $id = $oldid;
607 $process = "";
608 $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
609 $oldid = 0;
610 }
611 }
612
613 if($oldid == 11 && $process != "")
614 {
615 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
616 if (isset($process[0])){
617 sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
618 showheader(_("Welcome to CAcert.org"));
619 echo _("Your message has been sent to the general support list.");
620 showfooter();
621 exit;
622 }
623 if (isset($process[1])){
624 sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
625 showheader(_("Welcome to CAcert.org"));
626 echo _("Your message has been sent.");
627 showfooter();
628 exit;
629 }
630 }
631
632 if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
633 $_SESSION['signup']['year'] = "19XX";
634
635 if ($id == 12)
636 {
637 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
638 $newUrl = $protocol . '://wiki.cacert.org/FAQ/AboutUs';
639 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
640 }
641
642 if ($id == 19)
643 {
644 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
645 $newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
646 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
647 }
648
649 if ($id == 8)
650 {
651 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
652 $newUrl = $protocol . '://wiki.cacert.org/Board';
653 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
654 }
655
656 showheader(_("Welcome to CAcert.org"));
657 includeit($id);
658 showfooter();
659 ?>