bug 1192: added echo for test
[cacert-devel.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once('../includes/lib/l10n.php');
20 require_once('../includes/notary.inc.php');
21
22 $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
23 $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
24 $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
25
26 if($id == 2)
27 $id = 0;
28
29 $_SESSION['_config']['errmsg'] = "";
30 $ccatest=FALSE;
31
32 if($id == 17 || $id == 20)
33 {
34 include_once("../pages/index/$id.php");
35 exit;
36 }
37
38 loadem("index");
39
40 $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
41
42 if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1)
43 {
44 $oldid = 0;
45 $id = 5;
46 }
47
48 if($oldid == 6 && $process != "")
49 {
50 $body = "";
51 $answers = 0;
52 $qs = array();
53 $id = $oldid;
54 $oldid = 0;
55 if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1'])
56 {
57 $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
58
59 if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1']))
60 $answers++;
61 $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n";
62 }
63 if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2'])
64 {
65 $_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
66
67 if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2']))
68 $answers++;
69 $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n";
70 }
71 if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3'])
72 {
73 $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
74
75 if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3']))
76 $answers++;
77 $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n";
78 }
79 if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4'])
80 {
81 $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
82
83 if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4']))
84 $answers++;
85 $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n";
86 }
87 if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5'])
88 {
89 $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
90
91 if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5']))
92 $answers++;
93 $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n";
94 }
95
96 $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
97 $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));
98
99 if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
100 {
101 $body = "Someone has just attempted to update the pass phrase on the following account:\n".
102 "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
103 "email: ".$_SESSION['lostpw']['user']['email']."\n".
104 "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
105 "---------------------------------------------------------------------\n".$body.
106 "---------------------------------------------------------------------\n";
107 sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
108 $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
109 $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
110 } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
111 $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
112 } else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
113 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
114 } else {
115 $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
116 $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
117 if($score < 3)
118 {
119 $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
120 } else {
121 $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
122 where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
123 mysql_query($query) || die(mysql_error());
124 showheader(_("Welcome to CAcert.org"));
125 echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
126 showfooter();
127 exit;
128 }
129 }
130 }
131
132 if($oldid == 5 && $process != "")
133 {
134 $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
135 $_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
136 $_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
137 $_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
138 $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];
139 $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
140 $res = mysql_query($query);
141 if(mysql_num_rows($res) <= 0)
142 {
143 $id = $oldid;
144 $oldid = 0;
145 $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
146 } else {
147 $id = 6;
148 $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
149 }
150 }
151
152 //client login
153 if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
154 {
155 include_once("../includes/lib/general.php");
156 $user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
157 $_SERVER['SSL_CLIENT_I_DN_CN']);
158
159 if($user_id >= 0)
160 {
161 $_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
162 "select * from `users` where
163 `id`='$user_id' and `deleted`=0 and `locked`=0"));
164
165 if($_SESSION['profile']['id'] != 0)
166 {
167 $cca=get_last_user_agreement($user_id);
168 if (!isset($cca['active'])){
169 $id=52;
170 $ccatest=TRUE;
171 }else{
172 $_SESSION['profile']['loggedin'] = 1;
173 header('location: https://'.$_SERVER['HTTP_HOST'].'/account.php');
174 exit;
175 }
176 } else {
177 $_SESSION['profile']['loggedin'] = 0;
178 }
179 }
180 }
181
182
183 if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
184 {
185 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
186 exit;
187 }
188
189 function getOTP64($otp)
190 {
191 $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
192
193 for($i = 0; $i < 6; $i++)
194 $val[$i] = hexdec(substr($otp, $i * 2, 2));
195
196 $tmp1 = $val[0] >> 2;
197 $OTP = $lookupChar[$tmp1 & 63];
198 $tmp2 = $val[0] - ($tmp1 << 2);
199 $tmp1 = $val[1] >> 4;
200 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
201 $tmp2 = $val[1] - ($tmp1 << 4);
202 $tmp1 = $val[2] >> 6;
203 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
204 $tmp2 = $val[2] - ($tmp1 << 6);
205 $OTP .= $lookupChar[$tmp2 & 63];
206 $tmp1 = $val[3] >> 2;
207 $OTP .= $lookupChar[$tmp1 & 63];
208 $tmp2 = $val[3] - ($tmp1 << 2);
209 $tmp1 = $val[4] >> 4;
210 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
211 $tmp2 = $val[4] - ($tmp1 << 4);
212 $tmp1 = $val[5] >> 6;
213 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
214 $tmp2 = $val[5] - ($tmp1 << 6);
215 $OTP .= $lookupChar[$tmp2 & 63];
216
217 return $OTP;
218 }
219
220 function getOTP32($otp)
221 {
222 $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
223
224 for($i = 0; $i < 7; $i++)
225 $val[$i] = hexdec(substr($otp, $i * 2, 2));
226
227 $tmp1 = $val[0] >> 3;
228 $OTP = $lookupChar[$tmp1 & 31];
229 $tmp2 = $val[0] - ($tmp1 << 3);
230 $tmp1 = $val[1] >> 6;
231 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
232 $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
233 $OTP .= $lookupChar[$tmp2 & 31];
234 $tmp2 = $val[1] - (($val[1] >> 1) << 1);
235 $tmp1 = $val[2] >> 4;
236 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
237 $tmp2 = $val[2] - ($tmp1 << 4);
238 $tmp1 = $val[3] >> 7;
239 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
240 $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
241 $OTP .= $lookupChar[$tmp2 & 31];
242 $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
243 $tmp1 = $val[4] >> 5;
244 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
245 $tmp2 = $val[4] - ($tmp1 << 5);
246 $OTP .= $lookupChar[$tmp2 & 31];
247 $tmp1 = $val[5] >> 3;
248 $OTP .= $lookupChar[$tmp1 & 31];
249 $tmp2 = $val[5] - ($tmp1 << 3);
250 $tmp1 = $val[6] >> 6;
251 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
252
253 return $OTP;
254 }
255
256 if($oldid == 4)
257 {
258 $oldid = 0;
259 $id = 4;
260
261 $_SESSION['_config']['errmsg'] = "";
262
263 $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
264 $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
265 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
266 `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
267 $res = mysql_query($query);
268 if(mysql_num_rows($res) <= 0)
269 {
270 $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
271 $otpres = mysql_query($otpquery);
272 if(mysql_num_rows($otpres) > 0)
273 {
274 $otp = mysql_fetch_assoc($otpres);
275 $otphash = $otp['otphash'];
276 $otppin = $otp['otppin'];
277 if(strlen($pword) == 6)
278 {
279 $matchperiod = 18;
280 $time = round(gmdate("U") / 10);
281 } else {
282 $matchperiod = 3;
283 $time = round(gmdate("U") / 60);
284 }
285
286 $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
287 mysql_query($query);
288
289 $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
290 if(mysql_num_rows(mysql_query($query)) <= 0)
291 {
292 $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
293 mysql_query($query);
294 for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
295 {
296 if($otppin > 0)
297 $tmpmd5 = md5("$i$otphash$otppin");
298 else
299 $tmpmd5 = md5("$i$otphash");
300
301 if(strlen($pword) == 6)
302 $md5 = substr(md5("$i$otphash"), 0, 6);
303 else if(strlen($pword) == 8)
304 $md5 = getOTP64(md5("$i$otphash"));
305 else
306 $md5 = getOTP32(md5("$i$otphash"));
307
308 if($pword == $md5)
309 $res = mysql_query($otpquery);
310 }
311 }
312 }
313 }
314 if(mysql_num_rows($res) > 0)
315 {
316 $_SESSION['profile'] = "";
317 unset($_SESSION['profile']);
318 $_SESSION['profile'] = mysql_fetch_assoc($res);
319 $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
320 mysql_query($query);
321
322 if($_SESSION['profile']['language'] == "")
323 {
324 $query = "update `users` set `language`='".L10n::get_translation()."'
325 where `id`='".$_SESSION['profile']['id']."'";
326 mysql_query($query);
327 } else {
328 L10n::set_translation($_SESSION['profile']['language']);
329 L10n::init_gettext();
330 }
331 $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
332 $res = mysql_query($query);
333 $row = mysql_fetch_assoc($res);
334 $_SESSION['profile']['points'] = $row['total'];
335 $_SESSION['profile']['loggedin'] = 1;
336 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
337 $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
338 $_SESSION['profile']['Q5'] == "")
339 {
340 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
341 $_SESSION['_config']['oldlocation'] = "account.php?id=13";
342 }
343 if (checkpwlight($pword) < 3)
344 $_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
345 if($_SESSION['_config']['oldlocation'] != "")
346 header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
347 else
348 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
349 exit;
350 }
351
352 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
353 `password`=password('$pword')) and `verified`=0 and `deleted`=0";
354 $res = mysql_query($query);
355 if(mysql_num_rows($res) <= 0)
356 {
357 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
358 } else {
359 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
360 }
361
362 $cca=get_last_user_agreement($user_id);
363 echo '###'.$cca['active'];
364 if (!isset($cca['active'])){
365 $id=52;
366 $ccatest=TRUE;
367 }
368 }
369
370 // check for CCA acceptance prior to login
371 if ($id == 52 && $ccatest==FALSE)
372 {
373 $agree = ""; if(array_key_exists('agree',$_REQUEST)) $agree=$_REQUEST['agree'];
374 if (!$agree) {
375 $_SESSION['profile']['loggedin'] = 0;
376 }else{
377 write_user_agreement($memid, "CCA", "Login acception", "", 1);
378 $_SESSION['profile']['loggedin'] = 1;
379 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
380 exit;
381 }
382 }
383
384
385 if($process && $oldid == 1)
386 {
387 $id = 2;
388 $oldid = 0;
389
390 $_SESSION['_config']['errmsg'] = "";
391
392 $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
393 $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname']))));
394 $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname']))));
395 $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname']))));
396 $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix']))));
397 $_SESSION['signup']['day'] = intval($_REQUEST['day']);
398 $_SESSION['signup']['month'] = intval($_REQUEST['month']);
399 $_SESSION['signup']['year'] = intval($_REQUEST['year']);
400 $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
401 $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
402 $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
403 $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2']))));
404 $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3']))));
405 $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4']))));
406 $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5']))));
407 $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
408 $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
409 $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
410 $_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
411 $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
412 $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0);
413 $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0);
414 $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0);
415 $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0);
416 $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0);
417
418
419 if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
420 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
421 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
422 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
423 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
424 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
425 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
426 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
427 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
428 $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
429 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
430 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
431 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
432 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
433 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
434 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
435 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
436 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
437 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
438 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
439 $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
440 $_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
441 $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
442 $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
443 $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
444 $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
445 $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
446 $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
447 $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
448 $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
449 $_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
450 {
451 $id = 1;
452 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
453 }
454
455 if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
456 $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
457 $_SESSION['signup']['Q5'] == "")
458 {
459 $id = 1;
460 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
461 }
462 if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
463 {
464 $id = 1;
465 $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
466 }
467 if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
468 $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
469 !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
470 mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
471 {
472 $id = 1;
473 $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
474 }
475 if($_SESSION['signup']['cca_agree'] == "0")
476 {
477 $id = 1;
478 $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
479 }
480 if($_SESSION['signup']['email'] == "")
481 {
482 $id = 1;
483 $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
484 }
485 if($_SESSION['signup']['pword1'] == "")
486 {
487 $id = 1;
488 $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
489 }
490 if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
491 {
492 $id = 1;
493 $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
494 }
495
496 $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
497 if($score < 3)
498 {
499 $id = 1;
500 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6.");
501 }
502
503 if($id == 2)
504 {
505 $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
506 $res1 = mysql_query($query);
507
508 $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
509 $res2 = mysql_query($query);
510 if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
511 {
512 $id = 1;
513 $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
514 }
515
516 $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
517 $res = mysql_query($query);
518 if(mysql_num_rows($res) > 0)
519 {
520 $domain = mysql_fetch_assoc($res);
521 $domain = $domain['domain'];
522 $id = 1;
523 $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
524 }
525 }
526
527 if($id == 2)
528 {
529 $checkemail = checkEmail($_SESSION['signup']['email']);
530 if($checkemail != "OK")
531 {
532 $id = 1;
533 if (substr($checkemail, 0, 1) == "4")
534 {
535 $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
536 } else {
537 $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
538 }
539 $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
540 }
541 }
542
543 if($id == 2)
544 {
545 $hash = make_hash();
546
547 $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
548 `password`=sha1('".$_SESSION['signup']['pword1']."'),
549 `fname`='".$_SESSION['signup']['fname']."',
550 `mname`='".$_SESSION['signup']['mname']."',
551 `lname`='".$_SESSION['signup']['lname']."',
552 `suffix`='".$_SESSION['signup']['suffix']."',
553 `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
554 `Q1`='".$_SESSION['signup']['Q1']."',
555 `Q2`='".$_SESSION['signup']['Q2']."',
556 `Q3`='".$_SESSION['signup']['Q3']."',
557 `Q4`='".$_SESSION['signup']['Q4']."',
558 `Q5`='".$_SESSION['signup']['Q5']."',
559 `A1`='".$_SESSION['signup']['A1']."',
560 `A2`='".$_SESSION['signup']['A2']."',
561 `A3`='".$_SESSION['signup']['A3']."',
562 `A4`='".$_SESSION['signup']['A4']."',
563 `A5`='".$_SESSION['signup']['A5']."',
564 `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
565 mysql_query($query);
566 $memid = mysql_insert_id();
567 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
568 `hash`='$hash',
569 `created`=NOW(),
570 `memid`='$memid'";
571 mysql_query($query);
572 $emailid = mysql_insert_id();
573 $query = "insert into `alerts` set `memid`='$memid',
574 `general`='".$_SESSION['signup']['general']."',
575 `country`='".$_SESSION['signup']['country']."',
576 `regional`='".$_SESSION['signup']['regional']."',
577 `radius`='".$_SESSION['signup']['radius']."'";
578 mysql_query($query);
579 write_user_agreement($memid, "CCA", "account creation", "", 1);
580
581 $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
582 $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
583 $body .= _("Best regards")."\n"._("CAcert.org Support!");
584
585 sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
586 foreach($_SESSION['signup'] as $key => $val)
587 $_SESSION['signup'][$key] = "";
588 unset($_SESSION['signup']);
589 }
590 }
591
592 if($oldid == 11 && $process != "")
593 {
594 $who = stripslashes($_REQUEST['who']);
595 $email = stripslashes($_REQUEST['email']);
596 $subject = stripslashes($_REQUEST['subject']);
597 $message = stripslashes($_REQUEST['message']);
598 $secrethash = $_REQUEST['secrethash2'];
599
600 //check for spam via honeypot
601 if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){
602 echo _("Form could not be sent.");
603 showfooter();
604 exit;
605 }
606
607 if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
608 {
609 $id = $oldid;
610 $process = "";
611 $_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
612 $oldid = 0;
613
614 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
615 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
616 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
617 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
618 echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
619 die;
620 }
621 if(strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") )
622 {
623 $id = $oldid;
624 $process = "";
625 $_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
626 $oldid = 0;
627
628 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
629 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
630 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
631 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
632 echo _("This seems like potential spam, cannot continue.");
633 die;
634 }
635
636
637 if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
638 {
639 $id = $oldid;
640 $process = "";
641 $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
642 $oldid = 0;
643 }
644 }
645
646 if($oldid == 11 && $process != "")
647 {
648 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
649 if (isset($process[0])){
650 sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
651 showheader(_("Welcome to CAcert.org"));
652 echo _("Your message has been sent to the general support list.");
653 showfooter();
654 exit;
655 }
656 if (isset($process[1])){
657 sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
658 showheader(_("Welcome to CAcert.org"));
659 echo _("Your message has been sent.");
660 showfooter();
661 exit;
662 }
663 }
664
665 if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
666 $_SESSION['signup']['year'] = "19XX";
667
668 if ($id == 12)
669 {
670 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
671 $newUrl = $protocol . '://wiki.cacert.org/FAQ/AboutUs';
672 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
673 }
674
675 if ($id == 19)
676 {
677 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
678 $newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
679 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
680 }
681
682 if ($id == 8)
683 {
684 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
685 $newUrl = $protocol . '://wiki.cacert.org/Board';
686 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
687 }
688
689
690 showheader(_("Welcome to CAcert.org"));
691 includeit($id);
692 showfooter();
693 ?>