Merge branch 'bug-1276' into release
[cacert-devel.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 require_once('../includes/lib/l10n.php');
20
21
22 $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
23 $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
24 $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
25
26 if($id == 2)
27 $id = 0;
28
29 $_SESSION['_config']['errmsg'] = "";
30
31 if($id == 17 || $id == 20)
32 {
33 include_once("../pages/index/$id.php");
34 exit;
35 }
36
37 loadem("index");
38
39 $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
40
41 if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1)
42 {
43 $oldid = 0;
44 $id = 5;
45 }
46
47 if($oldid == 6 && $process != "")
48 {
49 $body = "";
50 $answers = 0;
51 $qs = array();
52 $id = $oldid;
53 $oldid = 0;
54 if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1'])
55 {
56 $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
57
58 if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1']))
59 $answers++;
60 $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n";
61 }
62 if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2'])
63 {
64 $_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
65
66 if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2']))
67 $answers++;
68 $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n";
69 }
70 if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3'])
71 {
72 $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
73
74 if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3']))
75 $answers++;
76 $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n";
77 }
78 if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4'])
79 {
80 $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
81
82 if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4']))
83 $answers++;
84 $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n";
85 }
86 if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5'])
87 {
88 $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
89
90 if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5']))
91 $answers++;
92 $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n";
93 }
94
95 $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
96 $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));
97
98 if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
99 {
100 $body = "Someone has just attempted to update the pass phrase on the following account:\n".
101 "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
102 "email: ".$_SESSION['lostpw']['user']['email']."\n".
103 "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
104 "---------------------------------------------------------------------\n".$body.
105 "---------------------------------------------------------------------\n";
106 sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
107 $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
108 $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
109 } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
110 $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
111 } else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
112 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
113 } else {
114 $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
115 $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
116 if($score < 3)
117 {
118 $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
119 } else {
120 $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
121 where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
122 mysql_query($query) || die(mysql_error());
123 showheader(_("Welcome to CAcert.org"));
124 echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
125 showfooter();
126 exit;
127 }
128 }
129 }
130
131 if($oldid == 5 && $process != "")
132 {
133 $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
134 $_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
135 $_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
136 $_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
137 $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];
138 $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
139 $res = mysql_query($query);
140 if(mysql_num_rows($res) <= 0)
141 {
142 $id = $oldid;
143 $oldid = 0;
144 $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
145 } else {
146 $id = 6;
147 $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
148 }
149 }
150
151 if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
152 {
153 include_once("../includes/lib/general.php");
154 $user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
155 $_SERVER['SSL_CLIENT_I_DN_CN']);
156
157 if($user_id >= 0)
158 {
159 $_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
160 "select * from `users` where
161 `id`='$user_id' and `deleted`=0 and `locked`=0"));
162
163 if($_SESSION['profile']['id'] != 0)
164 {
165 $_SESSION['profile']['loggedin'] = 1;
166 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
167 exit;
168 } else {
169 $_SESSION['profile']['loggedin'] = 0;
170 }
171 }
172 }
173
174 if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
175 {
176 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
177 exit;
178 }
179
180 function getOTP64($otp)
181 {
182 $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
183
184 for($i = 0; $i < 6; $i++)
185 $val[$i] = hexdec(substr($otp, $i * 2, 2));
186
187 $tmp1 = $val[0] >> 2;
188 $OTP = $lookupChar[$tmp1 & 63];
189 $tmp2 = $val[0] - ($tmp1 << 2);
190 $tmp1 = $val[1] >> 4;
191 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
192 $tmp2 = $val[1] - ($tmp1 << 4);
193 $tmp1 = $val[2] >> 6;
194 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
195 $tmp2 = $val[2] - ($tmp1 << 6);
196 $OTP .= $lookupChar[$tmp2 & 63];
197 $tmp1 = $val[3] >> 2;
198 $OTP .= $lookupChar[$tmp1 & 63];
199 $tmp2 = $val[3] - ($tmp1 << 2);
200 $tmp1 = $val[4] >> 4;
201 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
202 $tmp2 = $val[4] - ($tmp1 << 4);
203 $tmp1 = $val[5] >> 6;
204 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
205 $tmp2 = $val[5] - ($tmp1 << 6);
206 $OTP .= $lookupChar[$tmp2 & 63];
207
208 return $OTP;
209 }
210
211 function getOTP32($otp)
212 {
213 $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
214
215 for($i = 0; $i < 7; $i++)
216 $val[$i] = hexdec(substr($otp, $i * 2, 2));
217
218 $tmp1 = $val[0] >> 3;
219 $OTP = $lookupChar[$tmp1 & 31];
220 $tmp2 = $val[0] - ($tmp1 << 3);
221 $tmp1 = $val[1] >> 6;
222 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
223 $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
224 $OTP .= $lookupChar[$tmp2 & 31];
225 $tmp2 = $val[1] - (($val[1] >> 1) << 1);
226 $tmp1 = $val[2] >> 4;
227 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
228 $tmp2 = $val[2] - ($tmp1 << 4);
229 $tmp1 = $val[3] >> 7;
230 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
231 $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
232 $OTP .= $lookupChar[$tmp2 & 31];
233 $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
234 $tmp1 = $val[4] >> 5;
235 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
236 $tmp2 = $val[4] - ($tmp1 << 5);
237 $OTP .= $lookupChar[$tmp2 & 31];
238 $tmp1 = $val[5] >> 3;
239 $OTP .= $lookupChar[$tmp1 & 31];
240 $tmp2 = $val[5] - ($tmp1 << 3);
241 $tmp1 = $val[6] >> 6;
242 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
243
244 return $OTP;
245 }
246
247 if($oldid == 4)
248 {
249 $oldid = 0;
250 $id = 4;
251
252 $_SESSION['_config']['errmsg'] = "";
253
254 $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
255 $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
256 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
257 `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
258 $res = mysql_query($query);
259 if(mysql_num_rows($res) <= 0)
260 {
261 $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
262 $otpres = mysql_query($otpquery);
263 if(mysql_num_rows($otpres) > 0)
264 {
265 $otp = mysql_fetch_assoc($otpres);
266 $otphash = $otp['otphash'];
267 $otppin = $otp['otppin'];
268 if(strlen($pword) == 6)
269 {
270 $matchperiod = 18;
271 $time = round(gmdate("U") / 10);
272 } else {
273 $matchperiod = 3;
274 $time = round(gmdate("U") / 60);
275 }
276
277 $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
278 mysql_query($query);
279
280 $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
281 if(mysql_num_rows(mysql_query($query)) <= 0)
282 {
283 $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
284 mysql_query($query);
285 for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
286 {
287 if($otppin > 0)
288 $tmpmd5 = md5("$i$otphash$otppin");
289 else
290 $tmpmd5 = md5("$i$otphash");
291
292 if(strlen($pword) == 6)
293 $md5 = substr(md5("$i$otphash"), 0, 6);
294 else if(strlen($pword) == 8)
295 $md5 = getOTP64(md5("$i$otphash"));
296 else
297 $md5 = getOTP32(md5("$i$otphash"));
298
299 if($pword == $md5)
300 $res = mysql_query($otpquery);
301 }
302 }
303 }
304 }
305 if(mysql_num_rows($res) > 0)
306 {
307 $_SESSION['profile'] = "";
308 unset($_SESSION['profile']);
309 $_SESSION['profile'] = mysql_fetch_assoc($res);
310 $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".intval($_SESSION['profile']['id'])."'";
311 mysql_query($query);
312
313 if($_SESSION['profile']['language'] == "")
314 {
315 $query = "update `users` set `language`='".L10n::get_translation()."'
316 where `id`='".intval($_SESSION['profile']['id'])."'";
317 mysql_query($query);
318 } else {
319 L10n::set_translation($_SESSION['profile']['language']);
320 L10n::init_gettext();
321 }
322 $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 group by `to`";
323 $res = mysql_query($query);
324 $row = mysql_fetch_assoc($res);
325 $_SESSION['profile']['points'] = $row['total'];
326 $_SESSION['profile']['loggedin'] = 1;
327 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
328 $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
329 $_SESSION['profile']['Q5'] == "")
330 {
331 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
332 $_SESSION['_config']['oldlocation'] = "account.php?id=13";
333 }
334 if (checkpwlight($pword) < 3)
335 $_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
336 if($_SESSION['_config']['oldlocation'] != "")
337 header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
338 else
339 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
340 exit;
341 }
342
343 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
344 `password`=password('$pword')) and `verified`=0 and `deleted`=0";
345 $res = mysql_query($query);
346 if(mysql_num_rows($res) <= 0)
347 {
348 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
349 } else {
350 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
351 }
352 }
353
354 if($process && $oldid == 1)
355 {
356 $id = 2;
357 $oldid = 0;
358
359 $_SESSION['_config']['errmsg'] = "";
360
361 $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
362 $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname']))));
363 $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname']))));
364 $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname']))));
365 $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix']))));
366 $_SESSION['signup']['day'] = intval($_REQUEST['day']);
367 $_SESSION['signup']['month'] = intval($_REQUEST['month']);
368 $_SESSION['signup']['year'] = intval($_REQUEST['year']);
369 $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
370 $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
371 $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
372 $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2']))));
373 $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3']))));
374 $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4']))));
375 $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5']))));
376 $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
377 $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
378 $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
379 $_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
380 $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
381 $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0);
382 $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0);
383 $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0);
384 $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0);
385 $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0);
386
387
388 if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
389 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
390 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
391 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
392 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
393 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
394 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
395 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
396 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
397 $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
398 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
399 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
400 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
401 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
402 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
403 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
404 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
405 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
406 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
407 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
408 $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
409 $_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
410 $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
411 $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
412 $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
413 $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
414 $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
415 $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
416 $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
417 $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
418 $_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
419 {
420 $id = 1;
421 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
422 }
423
424 if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
425 $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
426 $_SESSION['signup']['Q5'] == "")
427 {
428 $id = 1;
429 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
430 }
431 if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
432 {
433 $id = 1;
434 $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
435 }
436 if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
437 $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
438 !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
439 mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
440 {
441 $id = 1;
442 $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
443 }
444 if($_SESSION['signup']['cca_agree'] == "0")
445 {
446 $id = 1;
447 $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
448 }
449 if($_SESSION['signup']['email'] == "")
450 {
451 $id = 1;
452 $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
453 }
454 if($_SESSION['signup']['pword1'] == "")
455 {
456 $id = 1;
457 $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
458 }
459 if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
460 {
461 $id = 1;
462 $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
463 }
464
465 $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
466 if($score < 3)
467 {
468 $id = 1;
469 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6.");
470 }
471
472 if($id == 2)
473 {
474 $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
475 $res1 = mysql_query($query);
476
477 $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
478 $res2 = mysql_query($query);
479 if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
480 {
481 $id = 1;
482 $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
483 }
484
485 $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
486 $res = mysql_query($query);
487 if(mysql_num_rows($res) > 0)
488 {
489 $domain = mysql_fetch_assoc($res);
490 $domain = $domain['domain'];
491 $id = 1;
492 $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
493 }
494 }
495
496 if($id == 2)
497 {
498 $checkemail = checkEmail($_SESSION['signup']['email']);
499 if($checkemail != "OK")
500 {
501 $id = 1;
502 if (substr($checkemail, 0, 1) == "4")
503 {
504 $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
505 } else {
506 $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
507 }
508 $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
509 }
510 }
511
512 if($id == 2)
513 {
514 $hash = make_hash();
515
516 $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
517 `password`=sha1('".$_SESSION['signup']['pword1']."'),
518 `fname`='".$_SESSION['signup']['fname']."',
519 `mname`='".$_SESSION['signup']['mname']."',
520 `lname`='".$_SESSION['signup']['lname']."',
521 `suffix`='".$_SESSION['signup']['suffix']."',
522 `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
523 `Q1`='".$_SESSION['signup']['Q1']."',
524 `Q2`='".$_SESSION['signup']['Q2']."',
525 `Q3`='".$_SESSION['signup']['Q3']."',
526 `Q4`='".$_SESSION['signup']['Q4']."',
527 `Q5`='".$_SESSION['signup']['Q5']."',
528 `A1`='".$_SESSION['signup']['A1']."',
529 `A2`='".$_SESSION['signup']['A2']."',
530 `A3`='".$_SESSION['signup']['A3']."',
531 `A4`='".$_SESSION['signup']['A4']."',
532 `A5`='".$_SESSION['signup']['A5']."',
533 `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
534 mysql_query($query);
535 $memid = mysql_insert_id();
536 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
537 `hash`='$hash',
538 `created`=NOW(),
539 `memid`='$memid'";
540 mysql_query($query);
541 $emailid = mysql_insert_id();
542 $query = "insert into `alerts` set `memid`='$memid',
543 `general`='".$_SESSION['signup']['general']."',
544 `country`='".$_SESSION['signup']['country']."',
545 `regional`='".$_SESSION['signup']['regional']."',
546 `radius`='".$_SESSION['signup']['radius']."'";
547 mysql_query($query);
548 include_once("../includes/notary.inc.php");
549 write_user_agreement($memid, "CCA", "account creation", "", 1);
550
551 $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
552 $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
553 $body .= _("Best regards")."\n"._("CAcert.org Support!");
554
555 sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
556 foreach($_SESSION['signup'] as $key => $val)
557 $_SESSION['signup'][$key] = "";
558 unset($_SESSION['signup']);
559 }
560 }
561
562 if($oldid == 11 && $process != "")
563 {
564 $who = stripslashes($_REQUEST['who']);
565 $email = stripslashes($_REQUEST['email']);
566 $subject = stripslashes($_REQUEST['subject']);
567 $message = stripslashes($_REQUEST['message']);
568 $secrethash = $_REQUEST['secrethash2'];
569
570 //check for spam via honeypot
571 if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){
572 echo _("Form could not be sent.");
573 showfooter();
574 exit;
575 }
576
577 if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
578 {
579 $id = $oldid;
580 $process = "";
581 $_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
582 $oldid = 0;
583
584 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
585 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
586 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
587 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
588 echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
589 die;
590 }
591 if(strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") )
592 {
593 $id = $oldid;
594 $process = "";
595 $_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
596 $oldid = 0;
597
598 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
599 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
600 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
601 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
602 echo _("This seems like potential spam, cannot continue.");
603 die;
604 }
605
606
607 if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
608 {
609 $id = $oldid;
610 $process = "";
611 $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
612 $oldid = 0;
613 }
614 }
615
616 if($oldid == 11 && $process != "")
617 {
618 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
619 if (isset($process[0])){
620 sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
621 showheader(_("Welcome to CAcert.org"));
622 echo _("Your message has been sent to the general support list.");
623 showfooter();
624 exit;
625 }
626 if (isset($process[1])){
627 sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
628 showheader(_("Welcome to CAcert.org"));
629 echo _("Your message has been sent.");
630 showfooter();
631 exit;
632 }
633 }
634
635 if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
636 $_SESSION['signup']['year'] = "19XX";
637
638 if ($id == 12)
639 {
640 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
641 $newUrl = $protocol . '://wiki.cacert.org/FAQ/AboutUs';
642 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
643 }
644
645 if ($id == 19)
646 {
647 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
648 $newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
649 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
650 }
651
652 if ($id == 8)
653 {
654 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
655 $newUrl = $protocol . '://wiki.cacert.org/Board';
656 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
657 }
658
659 showheader(_("Welcome to CAcert.org"));
660 includeit($id);
661 showfooter();
662 ?>