bug 1192: change call of index/52.php
[cacert-devel.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once('../includes/lib/l10n.php');
20
21
22 $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
23 $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
24 $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
25
26 if($id == 2)
27 $id = 0;
28
29 $_SESSION['_config']['errmsg'] = "";
30 $ccatest='';
31
32 if($id == 17 || $id == 20)
33 {
34 include_once("../pages/index/$id.php");
35 exit;
36 }
37
38 loadem("index");
39
40 $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
41
42 if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1)
43 {
44 $oldid = 0;
45 $id = 5;
46 }
47
48 if($oldid == 6 && $process != "")
49 {
50 $body = "";
51 $answers = 0;
52 $qs = array();
53 $id = $oldid;
54 $oldid = 0;
55 if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1'])
56 {
57 $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
58
59 if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1']))
60 $answers++;
61 $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n";
62 }
63 if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2'])
64 {
65 $_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
66
67 if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2']))
68 $answers++;
69 $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n";
70 }
71 if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3'])
72 {
73 $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
74
75 if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3']))
76 $answers++;
77 $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n";
78 }
79 if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4'])
80 {
81 $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
82
83 if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4']))
84 $answers++;
85 $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n";
86 }
87 if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5'])
88 {
89 $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
90
91 if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5']))
92 $answers++;
93 $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n";
94 }
95
96 $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
97 $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));
98
99 if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
100 {
101 $body = "Someone has just attempted to update the pass phrase on the following account:\n".
102 "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
103 "email: ".$_SESSION['lostpw']['user']['email']."\n".
104 "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
105 "---------------------------------------------------------------------\n".$body.
106 "---------------------------------------------------------------------\n";
107 sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
108 $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
109 $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
110 } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
111 $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
112 } else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
113 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
114 } else {
115 $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
116 $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
117 if($score < 3)
118 {
119 $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
120 } else {
121 $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
122 where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
123 mysql_query($query) || die(mysql_error());
124 showheader(_("Welcome to CAcert.org"));
125 echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
126 showfooter();
127 exit;
128 }
129 }
130 }
131
132 if($oldid == 5 && $process != "")
133 {
134 $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
135 $_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
136 $_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
137 $_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
138 $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];
139 $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
140 $res = mysql_query($query);
141 if(mysql_num_rows($res) <= 0)
142 {
143 $id = $oldid;
144 $oldid = 0;
145 $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
146 } else {
147 $id = 6;
148 $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
149 }
150 }
151
152 if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
153 {
154 include_once("../includes/lib/general.php");
155 $user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
156 $_SERVER['SSL_CLIENT_I_DN_CN']);
157
158 if($user_id >= 0)
159 {
160 $_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
161 "select * from `users` where
162 `id`='$user_id' and `deleted`=0 and `locked`=0"));
163
164 if($_SESSION['profile']['id'] != 0)
165 {
166 $cca=get_last_user_agreement($user_id);
167 if (!isset($cca['active'])){
168 $id=52;
169 $ccatest=1;
170 }else{
171 $_SESSION['profile']['loggedin'] = 1;
172 header('location: https://'.$_SERVER['HTTP_HOST'].'/account.php');
173 exit;
174 }
175 } else {
176 $_SESSION['profile']['loggedin'] = 0;
177 }
178 }
179 }
180
181
182 if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
183 {
184 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
185 exit;
186 }
187
188 function getOTP64($otp)
189 {
190 $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
191
192 for($i = 0; $i < 6; $i++)
193 $val[$i] = hexdec(substr($otp, $i * 2, 2));
194
195 $tmp1 = $val[0] >> 2;
196 $OTP = $lookupChar[$tmp1 & 63];
197 $tmp2 = $val[0] - ($tmp1 << 2);
198 $tmp1 = $val[1] >> 4;
199 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
200 $tmp2 = $val[1] - ($tmp1 << 4);
201 $tmp1 = $val[2] >> 6;
202 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
203 $tmp2 = $val[2] - ($tmp1 << 6);
204 $OTP .= $lookupChar[$tmp2 & 63];
205 $tmp1 = $val[3] >> 2;
206 $OTP .= $lookupChar[$tmp1 & 63];
207 $tmp2 = $val[3] - ($tmp1 << 2);
208 $tmp1 = $val[4] >> 4;
209 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
210 $tmp2 = $val[4] - ($tmp1 << 4);
211 $tmp1 = $val[5] >> 6;
212 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
213 $tmp2 = $val[5] - ($tmp1 << 6);
214 $OTP .= $lookupChar[$tmp2 & 63];
215
216 return $OTP;
217 }
218
219 function getOTP32($otp)
220 {
221 $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
222
223 for($i = 0; $i < 7; $i++)
224 $val[$i] = hexdec(substr($otp, $i * 2, 2));
225
226 $tmp1 = $val[0] >> 3;
227 $OTP = $lookupChar[$tmp1 & 31];
228 $tmp2 = $val[0] - ($tmp1 << 3);
229 $tmp1 = $val[1] >> 6;
230 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
231 $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
232 $OTP .= $lookupChar[$tmp2 & 31];
233 $tmp2 = $val[1] - (($val[1] >> 1) << 1);
234 $tmp1 = $val[2] >> 4;
235 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
236 $tmp2 = $val[2] - ($tmp1 << 4);
237 $tmp1 = $val[3] >> 7;
238 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
239 $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
240 $OTP .= $lookupChar[$tmp2 & 31];
241 $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
242 $tmp1 = $val[4] >> 5;
243 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
244 $tmp2 = $val[4] - ($tmp1 << 5);
245 $OTP .= $lookupChar[$tmp2 & 31];
246 $tmp1 = $val[5] >> 3;
247 $OTP .= $lookupChar[$tmp1 & 31];
248 $tmp2 = $val[5] - ($tmp1 << 3);
249 $tmp1 = $val[6] >> 6;
250 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
251
252 return $OTP;
253 }
254
255 if($oldid == 4)
256 {
257 $oldid = 0;
258 $id = 4;
259
260 $_SESSION['_config']['errmsg'] = "";
261
262 $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
263 $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
264 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
265 `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
266 $res = mysql_query($query);
267 if(mysql_num_rows($res) <= 0)
268 {
269 $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
270 $otpres = mysql_query($otpquery);
271 if(mysql_num_rows($otpres) > 0)
272 {
273 $otp = mysql_fetch_assoc($otpres);
274 $otphash = $otp['otphash'];
275 $otppin = $otp['otppin'];
276 if(strlen($pword) == 6)
277 {
278 $matchperiod = 18;
279 $time = round(gmdate("U") / 10);
280 } else {
281 $matchperiod = 3;
282 $time = round(gmdate("U") / 60);
283 }
284
285 $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
286 mysql_query($query);
287
288 $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
289 if(mysql_num_rows(mysql_query($query)) <= 0)
290 {
291 $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
292 mysql_query($query);
293 for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
294 {
295 if($otppin > 0)
296 $tmpmd5 = md5("$i$otphash$otppin");
297 else
298 $tmpmd5 = md5("$i$otphash");
299
300 if(strlen($pword) == 6)
301 $md5 = substr(md5("$i$otphash"), 0, 6);
302 else if(strlen($pword) == 8)
303 $md5 = getOTP64(md5("$i$otphash"));
304 else
305 $md5 = getOTP32(md5("$i$otphash"));
306
307 if($pword == $md5)
308 $res = mysql_query($otpquery);
309 }
310 }
311 }
312 }
313 if(mysql_num_rows($res) > 0)
314 {
315 $_SESSION['profile'] = "";
316 unset($_SESSION['profile']);
317 $_SESSION['profile'] = mysql_fetch_assoc($res);
318 $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
319 mysql_query($query);
320
321 if($_SESSION['profile']['language'] == "")
322 {
323 $query = "update `users` set `language`='".L10n::get_translation()."'
324 where `id`='".$_SESSION['profile']['id']."'";
325 mysql_query($query);
326 } else {
327 L10n::set_translation($_SESSION['profile']['language']);
328 L10n::init_gettext();
329 }
330 $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
331 $res = mysql_query($query);
332 $row = mysql_fetch_assoc($res);
333 $_SESSION['profile']['points'] = $row['total'];
334 $_SESSION['profile']['loggedin'] = 1;
335 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
336 $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
337 $_SESSION['profile']['Q5'] == "")
338 {
339 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
340 $_SESSION['_config']['oldlocation'] = "account.php?id=13";
341 }
342 if (checkpwlight($pword) < 3)
343 $_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
344 if($_SESSION['_config']['oldlocation'] != "")
345 header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
346 else
347 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
348 exit;
349 }
350
351 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
352 `password`=password('$pword')) and `verified`=0 and `deleted`=0";
353 $res = mysql_query($query);
354 if(mysql_num_rows($res) <= 0)
355 {
356 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
357 } else {
358 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
359 }
360
361 $cca=get_last_user_agreement($user_id);
362 if (!isset($cca['active'])){
363 $id=52;
364 $ccatest=1;
365 }
366 }
367
368 // check for CCA acceptance prior to login
369 if ($id == 52 && $ccatest=='')
370 {
371 $agree = ""; if(array_key_exists('agree',$_REQUEST)) $agree=$_REQUEST['agree'];
372 if (!$agree) {
373 $_SESSION['profile']['loggedin'] = 0;
374 }else{
375 include_once("../includes/notary.inc.php");
376 write_user_agreement($memid, "CCA", "Login acception", "", 1);
377 $_SESSION['profile']['loggedin'] = 1;
378 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
379 exit;
380 }
381 }
382
383
384 if($process && $oldid == 1)
385 {
386 $id = 2;
387 $oldid = 0;
388
389 $_SESSION['_config']['errmsg'] = "";
390
391 $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
392 $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname']))));
393 $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname']))));
394 $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname']))));
395 $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix']))));
396 $_SESSION['signup']['day'] = intval($_REQUEST['day']);
397 $_SESSION['signup']['month'] = intval($_REQUEST['month']);
398 $_SESSION['signup']['year'] = intval($_REQUEST['year']);
399 $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
400 $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
401 $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
402 $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2']))));
403 $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3']))));
404 $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4']))));
405 $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5']))));
406 $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
407 $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
408 $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
409 $_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
410 $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
411 $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0);
412 $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0);
413 $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0);
414 $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0);
415 $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0);
416
417
418 if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
419 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
420 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
421 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
422 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
423 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
424 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
425 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
426 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
427 $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
428 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
429 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
430 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
431 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
432 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
433 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
434 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
435 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
436 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
437 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
438 $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
439 $_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
440 $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
441 $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
442 $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
443 $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
444 $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
445 $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
446 $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
447 $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
448 $_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
449 {
450 $id = 1;
451 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
452 }
453
454 if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
455 $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
456 $_SESSION['signup']['Q5'] == "")
457 {
458 $id = 1;
459 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
460 }
461 if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
462 {
463 $id = 1;
464 $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
465 }
466 if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
467 $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
468 !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
469 mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
470 {
471 $id = 1;
472 $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
473 }
474 if($_SESSION['signup']['cca_agree'] == "0")
475 {
476 $id = 1;
477 $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
478 }
479 if($_SESSION['signup']['email'] == "")
480 {
481 $id = 1;
482 $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
483 }
484 if($_SESSION['signup']['pword1'] == "")
485 {
486 $id = 1;
487 $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
488 }
489 if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
490 {
491 $id = 1;
492 $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
493 }
494
495 $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
496 if($score < 3)
497 {
498 $id = 1;
499 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6.");
500 }
501
502 if($id == 2)
503 {
504 $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
505 $res1 = mysql_query($query);
506
507 $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
508 $res2 = mysql_query($query);
509 if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
510 {
511 $id = 1;
512 $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
513 }
514
515 $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
516 $res = mysql_query($query);
517 if(mysql_num_rows($res) > 0)
518 {
519 $domain = mysql_fetch_assoc($res);
520 $domain = $domain['domain'];
521 $id = 1;
522 $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
523 }
524 }
525
526 if($id == 2)
527 {
528 $checkemail = checkEmail($_SESSION['signup']['email']);
529 if($checkemail != "OK")
530 {
531 $id = 1;
532 if (substr($checkemail, 0, 1) == "4")
533 {
534 $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
535 } else {
536 $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
537 }
538 $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
539 }
540 }
541
542 if($id == 2)
543 {
544 $hash = make_hash();
545
546 $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
547 `password`=sha1('".$_SESSION['signup']['pword1']."'),
548 `fname`='".$_SESSION['signup']['fname']."',
549 `mname`='".$_SESSION['signup']['mname']."',
550 `lname`='".$_SESSION['signup']['lname']."',
551 `suffix`='".$_SESSION['signup']['suffix']."',
552 `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
553 `Q1`='".$_SESSION['signup']['Q1']."',
554 `Q2`='".$_SESSION['signup']['Q2']."',
555 `Q3`='".$_SESSION['signup']['Q3']."',
556 `Q4`='".$_SESSION['signup']['Q4']."',
557 `Q5`='".$_SESSION['signup']['Q5']."',
558 `A1`='".$_SESSION['signup']['A1']."',
559 `A2`='".$_SESSION['signup']['A2']."',
560 `A3`='".$_SESSION['signup']['A3']."',
561 `A4`='".$_SESSION['signup']['A4']."',
562 `A5`='".$_SESSION['signup']['A5']."',
563 `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
564 mysql_query($query);
565 $memid = mysql_insert_id();
566 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
567 `hash`='$hash',
568 `created`=NOW(),
569 `memid`='$memid'";
570 mysql_query($query);
571 $emailid = mysql_insert_id();
572 $query = "insert into `alerts` set `memid`='$memid',
573 `general`='".$_SESSION['signup']['general']."',
574 `country`='".$_SESSION['signup']['country']."',
575 `regional`='".$_SESSION['signup']['regional']."',
576 `radius`='".$_SESSION['signup']['radius']."'";
577 mysql_query($query);
578 include_once("../includes/notary.inc.php");
579 write_user_agreement($memid, "CCA", "account creation", "", 1);
580
581 $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
582 $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
583 $body .= _("Best regards")."\n"._("CAcert.org Support!");
584
585 sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
586 foreach($_SESSION['signup'] as $key => $val)
587 $_SESSION['signup'][$key] = "";
588 unset($_SESSION['signup']);
589 }
590 }
591
592 if($oldid == 11 && $process != "")
593 {
594 $who = stripslashes($_REQUEST['who']);
595 $email = stripslashes($_REQUEST['email']);
596 $subject = stripslashes($_REQUEST['subject']);
597 $message = stripslashes($_REQUEST['message']);
598 $secrethash = $_REQUEST['secrethash2'];
599
600 //check for spam via honeypot
601 if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){
602 echo _("Form could not be sent.");
603 showfooter();
604 exit;
605 }
606
607 if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
608 {
609 $id = $oldid;
610 $process = "";
611 $_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
612 $oldid = 0;
613
614 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
615 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
616 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
617 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
618 echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
619 die;
620 }
621 if(strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") )
622 {
623 $id = $oldid;
624 $process = "";
625 $_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
626 $oldid = 0;
627
628 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
629 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
630 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
631 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
632 echo _("This seems like potential spam, cannot continue.");
633 die;
634 }
635
636
637 if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
638 {
639 $id = $oldid;
640 $process = "";
641 $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
642 $oldid = 0;
643 }
644 }
645
646 if($oldid == 11 && $process != "")
647 {
648 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
649 if (isset($process[0])){
650 sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
651 showheader(_("Welcome to CAcert.org"));
652 echo _("Your message has been sent to the general support list.");
653 showfooter();
654 exit;
655 }
656 if (isset($process[1])){
657 sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
658 showheader(_("Welcome to CAcert.org"));
659 echo _("Your message has been sent.");
660 showfooter();
661 exit;
662 }
663 }
664
665 if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
666 $_SESSION['signup']['year'] = "19XX";
667
668 if ($id == 12)
669 {
670 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
671 $newUrl = $protocol . '://wiki.cacert.org/FAQ/AboutUs';
672 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
673 }
674
675 if ($id == 19)
676 {
677 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
678 $newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
679 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
680 }
681
682 if ($id == 8)
683 {
684 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
685 $newUrl = $protocol . '://wiki.cacert.org/Board';
686 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
687 }
688
689
690 showheader(_("Welcome to CAcert.org"));
691 includeit($id);
692 showfooter();
693 ?>