bug 1192: changed the client login procedure, took out echo
[cacert-devel.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once('../includes/lib/l10n.php');
20 require_once('../includes/notary.inc.php');
21
22 $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
23 $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
24 $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
25
26 if($id == 2)
27 $id = 0;
28
29 $_SESSION['_config']['errmsg'] = "";
30 $ccatest=0;
31
32 if($id == 17 || $id == 20)
33 {
34 include_once("../pages/index/$id.php");
35 exit;
36 }
37
38 loadem("index");
39
40 $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
41
42 if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1)
43 {
44 $oldid = 0;
45 $id = 5;
46 }
47
48 if($oldid == 6 && $process != "")
49 {
50 $body = "";
51 $answers = 0;
52 $qs = array();
53 $id = $oldid;
54 $oldid = 0;
55 if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1'])
56 {
57 $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
58
59 if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1']))
60 $answers++;
61 $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n";
62 }
63 if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2'])
64 {
65 $_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
66
67 if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2']))
68 $answers++;
69 $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n";
70 }
71 if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3'])
72 {
73 $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
74
75 if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3']))
76 $answers++;
77 $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n";
78 }
79 if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4'])
80 {
81 $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
82
83 if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4']))
84 $answers++;
85 $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n";
86 }
87 if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5'])
88 {
89 $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
90
91 if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5']))
92 $answers++;
93 $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n";
94 }
95
96 $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
97 $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));
98
99 if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
100 {
101 $body = "Someone has just attempted to update the pass phrase on the following account:\n".
102 "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
103 "email: ".$_SESSION['lostpw']['user']['email']."\n".
104 "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
105 "---------------------------------------------------------------------\n".$body.
106 "---------------------------------------------------------------------\n";
107 sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
108 $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
109 $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
110 } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
111 $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
112 } else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
113 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
114 } else {
115 $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
116 $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
117 if($score < 3)
118 {
119 $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
120 } else {
121 $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
122 where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
123 mysql_query($query) || die(mysql_error());
124 showheader(_("Welcome to CAcert.org"));
125 echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
126 showfooter();
127 exit;
128 }
129 }
130 }
131
132 if($oldid == 5 && $process != "")
133 {
134 $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
135 $_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
136 $_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
137 $_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
138 $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];
139 $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
140 $res = mysql_query($query);
141 if(mysql_num_rows($res) <= 0)
142 {
143 $id = $oldid;
144 $oldid = 0;
145 $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
146 } else {
147 $id = 6;
148 $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
149 }
150 }
151
152 //client login
153 if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
154 {
155 include_once("../includes/lib/general.php");
156 $user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
157 $_SERVER['SSL_CLIENT_I_DN_CN']);
158
159 if($user_id >= 0)
160 {
161 $_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
162 "select * from `users` where
163 `id`='$user_id' and `deleted`=0 and `locked`=0"));
164 $ccatest=get_user_agreement_status($user_id,'CCA');
165
166 if($_SESSION['profile']['id'] != 0)
167 {
168 $ccatest=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
169 if (0==$ccatest) {
170 $id=52;
171 header("location: https://".$_SERVER['HTTP_HOST']."/index.php?id=52");
172 }else{
173 $_SESSION['profile']['loggedin'] = 1;
174 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
175 }
176 exit;
177 } else {
178 $_SESSION['profile']['loggedin'] = 0;
179 }
180 }
181 }
182
183
184 if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
185 {
186 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
187 exit;
188 }
189
190 function getOTP64($otp)
191 {
192 $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
193
194 for($i = 0; $i < 6; $i++)
195 $val[$i] = hexdec(substr($otp, $i * 2, 2));
196
197 $tmp1 = $val[0] >> 2;
198 $OTP = $lookupChar[$tmp1 & 63];
199 $tmp2 = $val[0] - ($tmp1 << 2);
200 $tmp1 = $val[1] >> 4;
201 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
202 $tmp2 = $val[1] - ($tmp1 << 4);
203 $tmp1 = $val[2] >> 6;
204 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
205 $tmp2 = $val[2] - ($tmp1 << 6);
206 $OTP .= $lookupChar[$tmp2 & 63];
207 $tmp1 = $val[3] >> 2;
208 $OTP .= $lookupChar[$tmp1 & 63];
209 $tmp2 = $val[3] - ($tmp1 << 2);
210 $tmp1 = $val[4] >> 4;
211 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
212 $tmp2 = $val[4] - ($tmp1 << 4);
213 $tmp1 = $val[5] >> 6;
214 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
215 $tmp2 = $val[5] - ($tmp1 << 6);
216 $OTP .= $lookupChar[$tmp2 & 63];
217
218 return $OTP;
219 }
220
221 function getOTP32($otp)
222 {
223 $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
224
225 for($i = 0; $i < 7; $i++)
226 $val[$i] = hexdec(substr($otp, $i * 2, 2));
227
228 $tmp1 = $val[0] >> 3;
229 $OTP = $lookupChar[$tmp1 & 31];
230 $tmp2 = $val[0] - ($tmp1 << 3);
231 $tmp1 = $val[1] >> 6;
232 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
233 $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
234 $OTP .= $lookupChar[$tmp2 & 31];
235 $tmp2 = $val[1] - (($val[1] >> 1) << 1);
236 $tmp1 = $val[2] >> 4;
237 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
238 $tmp2 = $val[2] - ($tmp1 << 4);
239 $tmp1 = $val[3] >> 7;
240 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
241 $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
242 $OTP .= $lookupChar[$tmp2 & 31];
243 $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
244 $tmp1 = $val[4] >> 5;
245 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
246 $tmp2 = $val[4] - ($tmp1 << 5);
247 $OTP .= $lookupChar[$tmp2 & 31];
248 $tmp1 = $val[5] >> 3;
249 $OTP .= $lookupChar[$tmp1 & 31];
250 $tmp2 = $val[5] - ($tmp1 << 3);
251 $tmp1 = $val[6] >> 6;
252 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
253
254 return $OTP;
255 }
256
257 if($oldid == 4)
258 {
259 $oldid = 0;
260 $id = 4;
261
262 $_SESSION['_config']['errmsg'] = "";
263
264 $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
265 $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
266 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
267 `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
268 $res = mysql_query($query);
269 if(mysql_num_rows($res) <= 0)
270 {
271 $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
272 $otpres = mysql_query($otpquery);
273 if(mysql_num_rows($otpres) > 0)
274 {
275 $otp = mysql_fetch_assoc($otpres);
276 $otphash = $otp['otphash'];
277 $otppin = $otp['otppin'];
278 if(strlen($pword) == 6)
279 {
280 $matchperiod = 18;
281 $time = round(gmdate("U") / 10);
282 } else {
283 $matchperiod = 3;
284 $time = round(gmdate("U") / 60);
285 }
286
287 $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
288 mysql_query($query);
289
290 $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
291 if(mysql_num_rows(mysql_query($query)) <= 0)
292 {
293 $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
294 mysql_query($query);
295 for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
296 {
297 if($otppin > 0)
298 $tmpmd5 = md5("$i$otphash$otppin");
299 else
300 $tmpmd5 = md5("$i$otphash");
301
302 if(strlen($pword) == 6)
303 $md5 = substr(md5("$i$otphash"), 0, 6);
304 else if(strlen($pword) == 8)
305 $md5 = getOTP64(md5("$i$otphash"));
306 else
307 $md5 = getOTP32(md5("$i$otphash"));
308
309 if($pword == $md5)
310 $res = mysql_query($otpquery);
311 }
312 }
313 }
314 }
315 if(mysql_num_rows($res) > 0)
316 {
317 $_SESSION['profile'] = "";
318 unset($_SESSION['profile']);
319 $_SESSION['profile'] = mysql_fetch_assoc($res);
320 $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
321 mysql_query($query);
322
323 if($_SESSION['profile']['language'] == "")
324 {
325 $query = "update `users` set `language`='".L10n::get_translation()."'
326 where `id`='".$_SESSION['profile']['id']."'";
327 mysql_query($query);
328 } else {
329 L10n::set_translation($_SESSION['profile']['language']);
330 L10n::init_gettext();
331 }
332 $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
333 $res = mysql_query($query);
334 $row = mysql_fetch_assoc($res);
335 $_SESSION['profile']['points'] = $row['total'];
336 $_SESSION['profile']['loggedin'] = 1;
337 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
338 $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
339 $_SESSION['profile']['Q5'] == "")
340 {
341 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
342 $_SESSION['_config']['oldlocation'] = "account.php?id=13";
343 }
344 if (checkpwlight($pword) < 3)
345 $_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
346 $ccatest=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
347 if($_SESSION['_config']['oldlocation'] != ""){
348 header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
349 }else{
350 if (0==$ccatest) {
351 $id=52;
352 header("location: https://".$_SERVER['HTTP_HOST']."/index.php?id=52");
353 }else{
354 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
355 }
356 }
357 exit;
358 }
359
360 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
361 `password`=password('$pword')) and `verified`=0 and `deleted`=0";
362 $res = mysql_query($query);
363 if(mysql_num_rows($res) <= 0)
364 {
365 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
366 } else {
367 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
368 }
369 }
370
371 // check for CCA acceptance prior to login
372 if ($id == 52 )
373 {
374 $ccatest=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
375 $agree = ""; if(array_key_exists('agree',$_REQUEST)) $agree=$_REQUEST['agree'];
376 if (!$agree) {
377 $_SESSION['profile']['loggedin'] = 0;
378 }else{
379 write_user_agreement($_SESSION['profile']['id'], "CCA", "Login acception", "", 1);
380 $_SESSION['profile']['loggedin'] = 1;
381 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
382 exit;
383 }
384 $disagree = ""; if(array_key_exists('disagree',$_REQUEST)) $disagree=$_REQUEST['disagree'];
385 if ($disagree) {
386 $_SESSION['profile']['loggedin'] = 0;
387 header("location: https://".$_SERVER['HTTP_HOST']."/index.php?id=4");
388 exit;
389 }
390 }
391
392
393 if($process && $oldid == 1)
394 {
395 $id = 2;
396 $oldid = 0;
397
398 $_SESSION['_config']['errmsg'] = "";
399
400 $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
401 $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname']))));
402 $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname']))));
403 $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname']))));
404 $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix']))));
405 $_SESSION['signup']['day'] = intval($_REQUEST['day']);
406 $_SESSION['signup']['month'] = intval($_REQUEST['month']);
407 $_SESSION['signup']['year'] = intval($_REQUEST['year']);
408 $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
409 $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
410 $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
411 $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2']))));
412 $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3']))));
413 $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4']))));
414 $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5']))));
415 $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
416 $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
417 $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
418 $_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
419 $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
420 $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0);
421 $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0);
422 $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0);
423 $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0);
424 $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0);
425
426
427 if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
428 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
429 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
430 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
431 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
432 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
433 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
434 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
435 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
436 $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
437 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
438 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
439 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
440 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
441 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
442 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
443 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
444 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
445 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
446 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
447 $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
448 $_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
449 $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
450 $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
451 $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
452 $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
453 $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
454 $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
455 $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
456 $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
457 $_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
458 {
459 $id = 1;
460 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
461 }
462
463 if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
464 $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
465 $_SESSION['signup']['Q5'] == "")
466 {
467 $id = 1;
468 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
469 }
470 if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
471 {
472 $id = 1;
473 $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
474 }
475 if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
476 $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
477 !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
478 mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
479 {
480 $id = 1;
481 $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
482 }
483 if($_SESSION['signup']['cca_agree'] == "0")
484 {
485 $id = 1;
486 $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
487 }
488 if($_SESSION['signup']['email'] == "")
489 {
490 $id = 1;
491 $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
492 }
493 if($_SESSION['signup']['pword1'] == "")
494 {
495 $id = 1;
496 $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
497 }
498 if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
499 {
500 $id = 1;
501 $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
502 }
503
504 $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
505 if($score < 3)
506 {
507 $id = 1;
508 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6.");
509 }
510
511 if($id == 2)
512 {
513 $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
514 $res1 = mysql_query($query);
515
516 $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
517 $res2 = mysql_query($query);
518 if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
519 {
520 $id = 1;
521 $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
522 }
523
524 $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
525 $res = mysql_query($query);
526 if(mysql_num_rows($res) > 0)
527 {
528 $domain = mysql_fetch_assoc($res);
529 $domain = $domain['domain'];
530 $id = 1;
531 $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
532 }
533 }
534
535 if($id == 2)
536 {
537 $checkemail = checkEmail($_SESSION['signup']['email']);
538 if($checkemail != "OK")
539 {
540 $id = 1;
541 if (substr($checkemail, 0, 1) == "4")
542 {
543 $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
544 } else {
545 $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
546 }
547 $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
548 }
549 }
550
551 if($id == 2)
552 {
553 $hash = make_hash();
554
555 $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
556 `password`=sha1('".$_SESSION['signup']['pword1']."'),
557 `fname`='".$_SESSION['signup']['fname']."',
558 `mname`='".$_SESSION['signup']['mname']."',
559 `lname`='".$_SESSION['signup']['lname']."',
560 `suffix`='".$_SESSION['signup']['suffix']."',
561 `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
562 `Q1`='".$_SESSION['signup']['Q1']."',
563 `Q2`='".$_SESSION['signup']['Q2']."',
564 `Q3`='".$_SESSION['signup']['Q3']."',
565 `Q4`='".$_SESSION['signup']['Q4']."',
566 `Q5`='".$_SESSION['signup']['Q5']."',
567 `A1`='".$_SESSION['signup']['A1']."',
568 `A2`='".$_SESSION['signup']['A2']."',
569 `A3`='".$_SESSION['signup']['A3']."',
570 `A4`='".$_SESSION['signup']['A4']."',
571 `A5`='".$_SESSION['signup']['A5']."',
572 `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
573 mysql_query($query);
574 $memid = mysql_insert_id();
575 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
576 `hash`='$hash',
577 `created`=NOW(),
578 `memid`='$memid'";
579 mysql_query($query);
580 $emailid = mysql_insert_id();
581 $query = "insert into `alerts` set `memid`='$memid',
582 `general`='".$_SESSION['signup']['general']."',
583 `country`='".$_SESSION['signup']['country']."',
584 `regional`='".$_SESSION['signup']['regional']."',
585 `radius`='".$_SESSION['signup']['radius']."'";
586 mysql_query($query);
587 write_user_agreement($memid, "CCA", "account creation", "", 1);
588
589 $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
590 $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
591 $body .= _("Best regards")."\n"._("CAcert.org Support!");
592
593 sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
594 foreach($_SESSION['signup'] as $key => $val)
595 $_SESSION['signup'][$key] = "";
596 unset($_SESSION['signup']);
597 }
598 }
599
600 if($oldid == 11 && $process != "")
601 {
602 $who = stripslashes($_REQUEST['who']);
603 $email = stripslashes($_REQUEST['email']);
604 $subject = stripslashes($_REQUEST['subject']);
605 $message = stripslashes($_REQUEST['message']);
606 $secrethash = $_REQUEST['secrethash2'];
607
608 //check for spam via honeypot
609 if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){
610 echo _("Form could not be sent.");
611 showfooter();
612 exit;
613 }
614
615 if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
616 {
617 $id = $oldid;
618 $process = "";
619 $_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
620 $oldid = 0;
621
622 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
623 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
624 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
625 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
626 echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
627 die;
628 }
629 if(strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") )
630 {
631 $id = $oldid;
632 $process = "";
633 $_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
634 $oldid = 0;
635
636 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
637 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
638 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
639 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
640 echo _("This seems like potential spam, cannot continue.");
641 die;
642 }
643
644
645 if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
646 {
647 $id = $oldid;
648 $process = "";
649 $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
650 $oldid = 0;
651 }
652 }
653
654 if($oldid == 11 && $process != "")
655 {
656 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
657 if (isset($process[0])){
658 sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
659 showheader(_("Welcome to CAcert.org"));
660 echo _("Your message has been sent to the general support list.");
661 showfooter();
662 exit;
663 }
664 if (isset($process[1])){
665 sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
666 showheader(_("Welcome to CAcert.org"));
667 echo _("Your message has been sent.");
668 showfooter();
669 exit;
670 }
671 }
672
673 if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
674 $_SESSION['signup']['year'] = "19XX";
675
676 if ($id == 12)
677 {
678 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
679 $newUrl = $protocol . '://wiki.cacert.org/FAQ/AboutUs';
680 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
681 }
682
683 if ($id == 19)
684 {
685 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
686 $newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
687 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
688 }
689
690 if ($id == 8)
691 {
692 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
693 $newUrl = $protocol . '://wiki.cacert.org/Board';
694 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
695 }
696
697
698 showheader(_("Welcome to CAcert.org"));
699 includeit($id);
700 showfooter();
701 ?>