bug 1192: added reference to notary.inc.php
[cacert-devel.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once('../includes/lib/l10n.php');
20 require_once('../includes/notary.inc.php');
21
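// Request routing inputs, all read from $_REQUEST (client-controlled):
// $id selects the page to render, $oldid names the form that was just
// submitted, $process is non-empty when a form was posted. The two ids are
// forced to integers here; $process is kept exactly as received.
$id = array_key_exists("id", $_REQUEST) ? intval($_REQUEST['id']) : 0;
$oldid = array_key_exists("oldid", $_REQUEST) ? intval($_REQUEST['oldid']) : 0;
$process = array_key_exists("process", $_REQUEST) ? $_REQUEST['process'] : "";

// A request may not ask for page 2 directly; the signup handler further
// down is the only code in this file that sets $id to 2.
if($id == 2)
	$id = 0;

$_SESSION['_config']['errmsg'] = "";
$ccatest = FALSE;

// Pages 17 and 20 are emitted without the site header and footer. $id is
// an integer limited to these two values, so the include path cannot be
// steered by the request.
if($id == 17 || $id == 20)
{
	include_once("../pages/index/$id.php");
	exit;
}

loadem("index");

// NOTE(review): HTTP_HOST is the request's Host header, i.e. chosen by the
// client unless the web server pins it. Code that reads this session value
// should not treat it as a trusted hostname -- confirm the vhost setup.
$_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];

// Step 6 of the lost pass phrase flow needs the account row that step 5
// stored in the session; without it the visitor is sent back to step 5.
// isset() avoids an undefined-index notice when no lookup has happened yet.
if(($oldid == 6 || $id == 6) &&
	(!isset($_SESSION['lostpw']['user']['id']) || intval($_SESSION['lostpw']['user']['id']) < 1))
{
	$oldid = 0;
	$id = 5;
}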
47
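// Lost pass phrase, step 6: check the submitted secret answers and, when
// enough of them are right, store the new pass phrase.
//
// Changes against the previous revision of this block:
//  - answers are compared with === so that two different numeric-looking
//    strings (for example "10" and "1e1") are no longer treated as equal;
//  - an answer that is empty in the account row never counts as correct;
//  - the recovery state, including the plain-text new pass phrase, is
//    dropped from the session once the pass phrase has been changed.
//
// NOTE(review): no attempt limit is visible in this file; confirm that
// repeated guesses are throttled elsewhere.
// NOTE(review): mysql_escape_string() ignores the connection character set
// and the hash is an unsalted SHA-1 computed inside the SQL statement.
// Both are kept because the rest of the file depends on them, but they
// should be on the list for a migration to prepared statements and
// password_hash().
if($oldid == 6 && $process != "")
{
	$body = "";
	$answers = 0;
	$qs = array();
	$id = $oldid;
	$oldid = 0;

	for($lostpwn = 1; $lostpwn <= 5; $lostpwn++)
	{
		$qkey = "Q".$lostpwn;
		$akey = "A".$lostpwn;

		// Only questions the request marks as asked are evaluated.
		if(!array_key_exists($qkey,$_REQUEST) || !$_REQUEST[$qkey])
			continue;

		$_SESSION['lostpw'][$akey] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST[$akey]))));

		$expected = strtolower($_SESSION['lostpw']['user'][$akey]);
		if($expected !== "" && stripslashes(strtolower($_SESSION['lostpw'][$akey])) === $expected)
			$answers++;

		// Transcript for the support mail sent when the check fails. It
		// contains the stored answer in clear text.
		$body .= "System: ".$_SESSION['lostpw']['user'][$akey]."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw'][$akey]))."\n";
	}

	$_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
	$_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));

	// 'total' is not set in this file; presumably the number of questions
	// configured for the account -- verify against the page that sets it.
	if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
	{
		$body = "Someone has just attempted to update the pass phrase on the following account:\n".
			"Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
			"email: ".$_SESSION['lostpw']['user']['email']."\n".
			"IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
			"---------------------------------------------------------------------\n".$body.
			"---------------------------------------------------------------------\n";
		sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
			$_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
		$_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
	} else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
		$_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
	} else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
		$_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
	} else {
		$score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
			$_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
		if($score < 3)
		{
			$_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
		} else {
			// pw1 was escaped when it was stored in the session above.
			$query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
				where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
			mysql_query($query) || die(mysql_error());

			// The recovery is complete: remove the account row, the
			// answers and the new pass phrase from the session so the
			// same session cannot repeat the change.
			unset($_SESSION['lostpw']);

			showheader(_("Welcome to CAcert.org"));
			echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
			showfooter();
			exit;
		}
	}
}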
131
// Lost pass phrase, step 5: find the account by email address and date of
// birth. On a match the complete `users` row is stored in the session and
// the flow continues with page 6; otherwise page 5 is shown again with an
// error message.
//
// NOTE(review): the lookup does not filter on `deleted` or `locked`, and
// "select *" places every column of the row in the session -- confirm both
// are intended.
if($process != "" && $oldid == 5)
{
	// The escaped address is kept in the session and reused in the query.
	$_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
	$email = $_SESSION['lostpw']['email'];

	// The date parts are forced to integers before they reach the query.
	$_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
	$_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
	$_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
	$dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];

	$res = mysql_query("select * from `users` where `email`='$email' and `dob`='$dob'");
	if(mysql_num_rows($res) > 0)
	{
		$id = 6;
		$_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
	} else {
		$id = $oldid;
		$oldid = 0;
		$_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
	}
}
151
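// Client-certificate login. It runs only when the login page is requested
// on the secure hostname; the certificate serial and issuer CN are read
// from the SSL_CLIENT_* server variables.
//
// NOTE(review): this relies on the web server populating SSL_CLIENT_* only
// for a client certificate it has verified -- confirm in the vhost
// configuration.
if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
{
	include_once("../includes/lib/general.php");
	$user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
			$_SERVER['SSL_CLIENT_I_DN_CN']);

	if($user_id >= 0)
	{
		// intval() keeps the id numeric whatever the helper returned.
		$_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
			"select * from `users` where
			`id`='".intval($user_id)."' and `deleted`=0 and `locked`=0"));

		if($_SESSION['profile']['id'] != 0)
		{
			// Without an active CCA record the agreement page (52) is
			// shown first and the session is not marked as logged in.
			$cca=get_last_user_agreement($user_id);
			if (!isset($cca['active'])){
				$id=52;
				$ccatest=TRUE;
			}else{
				$_SESSION['profile']['loggedin'] = 1;
				header('location: https://'.$_SERVER['HTTP_HOST'].'/account.php');
				exit;
			}
		} else {
			$_SESSION['profile']['loggedin'] = 0;
		}
	}
}


// A session that is already logged in skips the login page.
// The earlier form tested array_key_exists('loggedin', array(...)), which
// wraps the profile in a one-element list and therefore could never find
// the key, so this redirect never fired.
// NOTE(review): the redirect target is built from the Host header;
// consider using a configured hostname instead.
if($id == 4 && isset($_SESSION['profile']['loggedin']) && $_SESSION['profile']['loggedin'] == 1)
{
	header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
	exit;
}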
187
/**
 * Encode the first 12 hex digits of $otp as an 8-character code.
 *
 * The six bytes are handled as two groups of three. Each group yields four
 * characters from a 64-symbol alphabet. The bit groups are combined by
 * addition, not by shifting and OR-ing, so this is not standard base64;
 * the arithmetic must stay as it is for existing tokens to keep matching.
 *
 * @param string $otp hex string; the caller in this file passes an md5() digest
 * @return string 8-character code
 */
function getOTP64($otp)
{
	$alphabet = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";

	$bytes = array();
	for($pos = 0; $pos < 6; $pos++)
		$bytes[] = hexdec(substr($otp, $pos * 2, 2));

	$code = "";
	foreach(array(0, 3) as $base)
	{
		$b0 = $bytes[$base];
		$b1 = $bytes[$base + 1];
		$b2 = $bytes[$base + 2];

		// top six bits of the first byte
		$code .= $alphabet[($b0 >> 2) & 63];
		// low two bits of the first byte added to the high nibble of the second
		$code .= $alphabet[(($b1 >> 4) + ($b0 & 3)) & 63];
		// low nibble of the second byte added to the top two bits of the third
		$code .= $alphabet[(($b2 >> 6) + ($b1 & 15)) & 63];
		// low six bits of the third byte
		$code .= $alphabet[$b2 & 63];
	}

	return $code;
}
218
/**
 * Encode the first 14 hex digits of $otp as a 10-character code over a
 * 32-symbol alphabet.
 *
 * Every index is reduced with "& 31" before the lookup. The arithmetic is
 * reproduced exactly, including the seventh character, where PHP's
 * precedence ("-" binds tighter than "<<") shifts the whole difference
 * left by two; existing tokens depend on that result.
 *
 * @param string $otp hex string; the caller in this file passes an md5() digest
 * @return string 10-character code
 */
function getOTP32($otp)
{
	$alphabet = "0123456789abcdefghkmnoprstuvwxyz";

	$b = array();
	for($pos = 0; $pos < 7; $pos++)
		$b[] = hexdec(substr($otp, $pos * 2, 2));

	$indexes = array(
		$b[0] >> 3,
		($b[1] >> 6) + ($b[0] & 7),
		($b[1] & 63) >> 1,
		($b[2] >> 4) + ($b[1] & 1),
		($b[3] >> 7) + ($b[2] & 15),
		($b[3] & 127) >> 2,
		// the difference is shifted as a whole, see the note above
		($b[4] >> 5) + (($b[3] - (($b[3] & 127) >> 2)) << 2),
		$b[4] & 31,
		$b[5] >> 3,
		($b[6] >> 6) + ($b[5] & 7),
	);

	$code = "";
	foreach($indexes as $index)
		$code .= $alphabet[$index & 31];

	return $code;
}
254
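// Login with email address and pass phrase, falling back to a one-time
// password (OTP) for accounts that have an `otphash`.
//
// Changes against the previous revision of this block:
//  - an OTP login no longer rewrites `users`.`password`. The rewrite exists
//    to upgrade an old-format hash after a pass phrase login; on the OTP
//    path it replaced the account's pass phrase hash with sha1(OTP);
//  - the OTP is compared with === so that two different numeric-looking
//    strings are not treated as equal.
//
// NOTE(review): stored hashes are unsalted and computed inside the SQL
// statement; mysql_escape_string() ignores the connection character set.
// NOTE(review): no attempt limit and no session id renewal are visible
// here -- confirm both are handled elsewhere.
if($oldid == 4)
{
	$oldid = 0;
	$id = 4;

	$_SESSION['_config']['errmsg'] = "";

	$email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
	$pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
	// Set once an OTP, not the stored pass phrase, authenticated the user.
	$otplogin = FALSE;
	$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
			`password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
	$res = mysql_query($query);
	if(mysql_num_rows($res) <= 0)
	{
		$otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
		$otpres = mysql_query($otpquery);
		if(mysql_num_rows($otpres) > 0)
		{
			$otp = mysql_fetch_assoc($otpres);
			$otphash = $otp['otphash'];
			$otppin = $otp['otppin'];
			// Six-character codes use 10-second time steps, all other
			// lengths 60-second steps.
			if(strlen($pword) == 6)
			{
				$matchperiod = 18;
				$time = round(gmdate("U") / 10);
			} else {
				$matchperiod = 3;
				$time = round(gmdate("U") / 60);
			}

			// Used codes are remembered for 600 seconds to reject replays.
			$query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
			mysql_query($query);

			$query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
			if(mysql_num_rows(mysql_query($query)) <= 0)
			{
				$query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
				mysql_query($query);
				for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
				{
					// NOTE(review): $tmpmd5 includes the PIN but is never
					// read; the value compared below is derived without
					// $otppin. Confirm against the token algorithm.
					if($otppin > 0)
						$tmpmd5 = md5("$i$otphash$otppin");
					else
						$tmpmd5 = md5("$i$otphash");

					if(strlen($pword) == 6)
						$md5 = substr(md5("$i$otphash"), 0, 6);
					else if(strlen($pword) == 8)
						$md5 = getOTP64(md5("$i$otphash"));
					else
						$md5 = getOTP32(md5("$i$otphash"));

					if($pword === $md5)
					{
						$res = mysql_query($otpquery);
						$otplogin = TRUE;
					}
				}
			}
		}
	}
	if(mysql_num_rows($res) > 0)
	{
		$_SESSION['profile'] = "";
		unset($_SESSION['profile']);
		$_SESSION['profile'] = mysql_fetch_assoc($res);
		if($otplogin)
			$query = "update `users` set `modified`=NOW() where `id`='".$_SESSION['profile']['id']."'";
		else
			$query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
		mysql_query($query);

		if($_SESSION['profile']['language'] == "")
		{
			$query = "update `users` set `language`='".L10n::get_translation()."'
				where `id`='".$_SESSION['profile']['id']."'";
			mysql_query($query);
		} else {
			L10n::set_translation($_SESSION['profile']['language']);
			L10n::init_gettext();
		}
		$query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
		$res = mysql_query($query);
		$row = mysql_fetch_assoc($res);
		$_SESSION['profile']['points'] = $row['total'];
		$_SESSION['profile']['loggedin'] = 1;
		if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
			$_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
			$_SESSION['profile']['Q5'] == "")
		{
			$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
			$_SESSION['_config']['oldlocation'] = "account.php?id=13";
		}
		// A weak pass phrase sends the user to the change form first.
		if (checkpwlight($pword) < 3)
			$_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
		// NOTE(review): the redirect host is taken from the Host header.
		if($_SESSION['_config']['oldlocation'] != "")
			header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
		else
			header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
		exit;
	}

	// Not logged in: distinguish an unverified account from bad credentials.
	$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
			`password`=password('$pword')) and `verified`=0 and `deleted`=0";
	$res = mysql_query($query);
	if(mysql_num_rows($res) <= 0)
	{
		$_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
	} else {
		$_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
	}

	// NOTE(review): $user_id is not assigned anywhere in this block; it is
	// only set by the client-certificate login above. This line is reached
	// only after a failed login, and the successful path above sets
	// loggedin without any CCA check. The check looks misplaced -- confirm
	// the intended position before relying on it.
	$cca=get_last_user_agreement($user_id);
	if (!isset($cca['active'])){
		$id=52;
		$ccatest=TRUE;
	}
}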
367
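// check for CCA acceptance prior to login
//
// Handles the submitted agreement form (page 52). $ccatest is TRUE when
// page 52 was selected earlier in this same request, in which case the
// form is only displayed.
//
// Changes against the previous revision of this block:
//  - the agreement is recorded for the user id held in the session
//    profile; the earlier code passed $memid, which is not assigned
//    before this point;
//  - the session is marked as logged in only when it already carries a
//    profile row with a positive id. Without that row there is no
//    identified user to log in, however the form was submitted.
//
// NOTE(review): this assumes $_SESSION['profile'] is only ever populated
// after a successful credential or certificate check -- verify in the
// other entry points.
if ($id == 52 && $ccatest==FALSE)
{
	$agree = ""; if(array_key_exists('agree',$_REQUEST)) $agree=$_REQUEST['agree'];
	$cca_user_id = isset($_SESSION['profile']['id']) ? intval($_SESSION['profile']['id']) : 0;
	if (!$agree || $cca_user_id < 1) {
		$_SESSION['profile']['loggedin'] = 0;
	}else{
		write_user_agreement($cca_user_id, "CCA", "Login acception", "", 1);
		$_SESSION['profile']['loggedin'] = 1;
		// NOTE(review): the redirect host is taken from the Host header.
		header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
		exit;
	}
}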
381
382
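// Signup form handler. It copies the submitted fields into
// $_SESSION['signup'], validates them, and when every check passes creates
// the `users`, `email` and `alerts` rows, records the CCA acceptance and
// mails the verification link. Any failed check sets $id back to 1 so the
// form is shown again with the collected messages.
//
// Change against the previous revision: the pass phrase score message
// interpolated $score into the string handed to _(), so the translation
// lookup could never match. It now uses the same sprintf() form as the
// lost pass phrase handler.
//
// NOTE(review): every text field is escaped once on input and the escaped
// value is reused both in SQL and when the form is shown again. The pass
// phrase stays in the session in clear text until the signup succeeds.
// The stored hash is an unsalted SHA-1. All of this is kept for
// compatibility with the rest of the application.
if($process && $oldid == 1)
{
	$id = 2;
	$oldid = 0;

	$_SESSION['_config']['errmsg'] = "";

	foreach(array('email', 'fname', 'mname', 'lname', 'suffix') as $field)
		$_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST[$field]))));
	$_SESSION['signup']['day'] = intval($_REQUEST['day']);
	$_SESSION['signup']['month'] = intval($_REQUEST['month']);
	$_SESSION['signup']['year'] = intval($_REQUEST['year']);
	// Pass phrases are not run through strip_tags().
	$_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
	$_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
	foreach(array('Q1', 'Q2', 'Q3', 'Q4', 'Q5', 'A1', 'A2', 'A3', 'A4', 'A5') as $field)
		$_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST[$field]))));
	foreach(array('general', 'country', 'regional', 'radius', 'cca_agree') as $field)
		$_SESSION['signup'][$field] = intval(array_key_exists($field,$_REQUEST)?$_REQUEST[$field]:0);


	// NOTE(review): the pairs below do not cover every question/answer
	// combination (for example A2 against Q1, or A5 against any question).
	// The list is kept exactly as it was; confirm whether the gaps are
	// intended.
	if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
		$_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
		$_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
		$_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
		$_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
		$_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
		$_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
		$_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
		$_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
		$_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
		$_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
		$_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
		$_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
		$_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
		$_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
		$_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
		$_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
		$_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
		$_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
		$_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
		$_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
		$_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
		$_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
		$_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
		$_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
		$_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
		$_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
		$_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
		$_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
		$_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
		$_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
	}

	if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
		$_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
		$_SESSION['signup']['Q5'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
	}
	if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
	}
	if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
		$_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
		!checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
		mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
	}
	if($_SESSION['signup']['cca_agree'] == "0")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
	}
	if($_SESSION['signup']['email'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
	}
	if($_SESSION['signup']['pword1'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
	}
	if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
	}

	$score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
	if($score < 3)
	{
		$id = 1;
		// This assignment replaces the messages collected above, as before.
		$_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
	}

	if($id == 2)
	{
		// The address must not be in use and must not end in a blocked domain.
		$query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
		$res1 = mysql_query($query);

		$query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
		$res2 = mysql_query($query);
		if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
		{
			$id = 1;
			$_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
		}

		$query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
		$res = mysql_query($query);
		if(mysql_num_rows($res) > 0)
		{
			$domain = mysql_fetch_assoc($res);
			$domain = $domain['domain'];
			$id = 1;
			$_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
		}
	}

	if($id == 2)
	{
		$checkemail = checkEmail($_SESSION['signup']['email']);
		if($checkemail != "OK")
		{
			$id = 1;
			if (substr($checkemail, 0, 1) == "4")
			{
				$_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
			} else {
				$_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
			}
			// NOTE(review): $checkemail is appended without HTML escaping.
			// If it carries text from the remote mail server, escape it
			// where errmsg is printed -- checkEmail() is not shown here.
			$_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
		}
	}

	if($id == 2)
	{
		$hash = make_hash();

		$query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
				`password`=sha1('".$_SESSION['signup']['pword1']."'),
				`fname`='".$_SESSION['signup']['fname']."',
				`mname`='".$_SESSION['signup']['mname']."',
				`lname`='".$_SESSION['signup']['lname']."',
				`suffix`='".$_SESSION['signup']['suffix']."',
				`dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
				`Q1`='".$_SESSION['signup']['Q1']."',
				`Q2`='".$_SESSION['signup']['Q2']."',
				`Q3`='".$_SESSION['signup']['Q3']."',
				`Q4`='".$_SESSION['signup']['Q4']."',
				`Q5`='".$_SESSION['signup']['Q5']."',
				`A1`='".$_SESSION['signup']['A1']."',
				`A2`='".$_SESSION['signup']['A2']."',
				`A3`='".$_SESSION['signup']['A3']."',
				`A4`='".$_SESSION['signup']['A4']."',
				`A5`='".$_SESSION['signup']['A5']."',
				`created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
		mysql_query($query);
		$memid = mysql_insert_id();
		$query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
				`hash`='$hash',
				`created`=NOW(),
				`memid`='$memid'";
		mysql_query($query);
		$emailid = mysql_insert_id();
		$query = "insert into `alerts` set `memid`='$memid',
				`general`='".$_SESSION['signup']['general']."',
				`country`='".$_SESSION['signup']['country']."',
				`regional`='".$_SESSION['signup']['regional']."',
				`radius`='".$_SESSION['signup']['radius']."'";
		mysql_query($query);
		write_user_agreement($memid, "CCA", "account creation", "", 1);

		// NOTE(review): the verification link, which carries the account
		// hash, uses plain http.
		$body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
		$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
		$body .= _("Best regards")."\n"._("CAcert.org Support!");

		sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
		// Blank the stored form values, pass phrase included, then drop them.
		foreach($_SESSION['signup'] as $key => $val)
			$_SESSION['signup'][$key] = "";
		unset($_SESSION['signup']);
	}
}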
589
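// Contact form (page 11). The first part validates the submission, the
// second part sends it.
//
// Changes against the previous revision of this block:
//  - the line-break check on name, address and subject now rejects "\r" as
//    well as "\n", since either can start a new mail header line;
//  - the "Possible SPAM" report no longer hands the rejected address to
//    sendmail() unchanged: line breaks are replaced first. sendmail() is
//    not shown here; the fourth argument is presumably used as sender or
//    reply address -- verify.
if($oldid == 11 && $process != "")
{
	$who = stripslashes($_REQUEST['who']);
	$email = stripslashes($_REQUEST['email']);
	$subject = stripslashes($_REQUEST['subject']);
	$message = stripslashes($_REQUEST['message']);
	$secrethash = $_REQUEST['secrethash2'];
	// Address with CR/LF removed, for use in the spam reports below.
	$reportemail = str_replace(array("\r", "\n"), " ", $email);

	//check for spam via honeypot
	if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){
		echo _("Form could not be sent.");
		showfooter();
		exit;
	}

	// The form must return the hash stored in the session.
	if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
	{
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
		$oldid = 0;

		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
		sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $reportemail, "", "", "CAcert Support");
		//echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
		//if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
		echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
		die;
	}
	if(strstr($subject, "botmetka") || strstr($subject, "servermetka") ||
		strpbrk($who, "\r\n") !== false || strpbrk($email, "\r\n") !== false || strpbrk($subject, "\r\n") !== false)
	{
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
		$oldid = 0;

		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
		sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $reportemail, "", "", "CAcert Support");
		//echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
		//if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
		echo _("This seems like potential spam, cannot continue.");
		die;
	}


	if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
	{
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
		$oldid = 0;
	}
}

// Send the validated message. $process[0] selects the public support list
// (the sender's address is added to the copy recipients), $process[1] the
// support address.
// NOTE(review): isset($process[0]) is also true when `process` arrives as
// a plain non-empty string, which would select the public list. Confirm
// that the form always posts `process` as an array.
if($oldid == 11 && $process != "")
{
	$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
	if (isset($process[0])){
		sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
		showheader(_("Welcome to CAcert.org"));
		echo _("Your message has been sent to the general support list.");
		showfooter();
		exit;
	}
	if (isset($process[1])){
		sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
		showheader(_("Welcome to CAcert.org"));
		echo _("Your message has been sent.");
		showfooter();
		exit;
	}
}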
662
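// Default shown in the signup form's year field when no usable year is stored.
if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
	$_SESSION['signup']['year'] = "19XX";

// Pages that have moved to the wiki are answered with a permanent redirect.
// The script now stops after sending the Location header; before, it went
// on to render the normal page behind the redirect. !empty() also avoids
// an undefined-index notice when HTTPS is not set.
$wikipages = array(
	12 => 'FAQ/AboutUs',
	19 => 'FAQ/Privileges',
	8 => 'Board',
);
if(array_key_exists($id, $wikipages))
{
	$protocol = !empty($_SERVER['HTTPS']) ? 'https' : 'http';
	$newUrl = $protocol . '://wiki.cacert.org/' . $wikipages[$id];
	header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
	exit;
}


// Everything else: render the page selected by $id inside the site frame.
showheader(_("Welcome to CAcert.org"));
includeit($id);
showfooter();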
689 includeit($id);
690 showfooter();
691 ?>