source code taken from cacert-20100204.tar.bz2
[cacert.git] / cacert / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19
20 $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
21 $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
22 $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
23
24 if($id == 2)
25 $id = 0;
26
27 $_SESSION['_config']['errmsg'] = "";
28
29 if($id == 17 || $id == 20)
30 {
31 include_once("../pages/index/$id.php");
32 exit;
33 }
34
35 loadem("index");
36
37 $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
38
39 if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1)
40 {
41 $oldid = 0;
42 $id = 5;
43 }
44
45 if($oldid == 6 && $process != "")
46 {
47 $body = "";
48 $answers = 0;
49 $qs = array();
50 $id = $oldid;
51 $oldid = 0;
52 if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1'])
53 {
54 $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
55
56 if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1']))
57 $answers++;
58 $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n";
59 }
60 if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2'])
61 {
62 $_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
63
64 if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2']))
65 $answers++;
66 $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n";
67 }
68 if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3'])
69 {
70 $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
71
72 if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3']))
73 $answers++;
74 $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n";
75 }
76 if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4'])
77 {
78 $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
79
80 if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4']))
81 $answers++;
82 $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n";
83 }
84 if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5'])
85 {
86 $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
87
88 if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5']))
89 $answers++;
90 $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n";
91 }
92
93 $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
94 $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));
95
96 if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
97 {
98 $body = "Someone has just attempted to update the pass phrase on the following account:\n".
99 "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
100 "email: ".$_SESSION['lostpw']['user']['email']."\n".
101 "Requested Pass Phrase: ".$_SESSION['lostpw']['pw1']."\n".
102 "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
103 "---------------------------------------------------------------------\n".$body.
104 "---------------------------------------------------------------------\n";
105 sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
106 $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
107 $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
108 } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
109 $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
110 } else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
111 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
112 } else {
113 $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
114 $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
115 if($score < 3)
116 {
117 $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
118 } else {
119 $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
120 where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
121 mysql_query($query) || die(mysql_error());
122 showheader(_("Welcome to CAcert.org"));
123 echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
124 showfooter();
125 exit;
126 }
127 }
128 }
129
130 if($oldid == 5 && $process != "")
131 {
132 $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
133 $_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
134 $_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
135 $_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
136 $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];
137 $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
138 $res = mysql_query($query);
139 if(mysql_num_rows($res) <= 0)
140 {
141 $id = $oldid;
142 $oldid = 0;
143 $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
144 } else {
145 $id = 6;
146 $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
147 }
148 }
149
150 if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
151 {
152 $query = "select * from `emailcerts` where `serial`='$_SERVER[SSL_CLIENT_M_SERIAL]' and `revoked`=0 and disablelogin=0 and
153 UNIX_TIMESTAMP(`expire`) - UNIX_TIMESTAMP() > 0";
154 $res = mysql_query($query);
155 if(mysql_num_rows($res) > 0)
156 {
157 $row = mysql_fetch_assoc($res);
158 $_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$row[memid]' and `deleted`=0 and `locked`=0"));
159 if($_SESSION['profile']['id'] != 0)
160 {
161 $_SESSION['profile']['loggedin'] = 1;
162 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
163 exit;
164 } else {
165 $_SESSION['profile']['loggedin'] = 0;
166 }
167 }
168 }
169
170 if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
171 {
172 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
173 exit;
174 }
175
176 function getOTP64($otp)
177 {
178 $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
179
180 for($i = 0; $i < 6; $i++)
181 $val[$i] = hexdec(substr($otp, $i * 2, 2));
182
183 $tmp1 = $val[0] >> 2;
184 $OTP = $lookupChar[$tmp1 & 63];
185 $tmp2 = $val[0] - ($tmp1 << 2);
186 $tmp1 = $val[1] >> 4;
187 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
188 $tmp2 = $val[1] - ($tmp1 << 4);
189 $tmp1 = $val[2] >> 6;
190 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
191 $tmp2 = $val[2] - ($tmp1 << 6);
192 $OTP .= $lookupChar[$tmp2 & 63];
193 $tmp1 = $val[3] >> 2;
194 $OTP .= $lookupChar[$tmp1 & 63];
195 $tmp2 = $val[3] - ($tmp1 << 2);
196 $tmp1 = $val[4] >> 4;
197 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
198 $tmp2 = $val[4] - ($tmp1 << 4);
199 $tmp1 = $val[5] >> 6;
200 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
201 $tmp2 = $val[5] - ($tmp1 << 6);
202 $OTP .= $lookupChar[$tmp2 & 63];
203
204 return $OTP;
205 }
206
207 function getOTP32($otp)
208 {
209 $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
210
211 for($i = 0; $i < 7; $i++)
212 $val[$i] = hexdec(substr($otp, $i * 2, 2));
213
214 $tmp1 = $val[0] >> 3;
215 $OTP = $lookupChar[$tmp1 & 31];
216 $tmp2 = $val[0] - ($tmp1 << 3);
217 $tmp1 = $val[1] >> 6;
218 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
219 $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
220 $OTP .= $lookupChar[$tmp2 & 31];
221 $tmp2 = $val[1] - (($val[1] >> 1) << 1);
222 $tmp1 = $val[2] >> 4;
223 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
224 $tmp2 = $val[2] - ($tmp1 << 4);
225 $tmp1 = $val[3] >> 7;
226 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
227 $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
228 $OTP .= $lookupChar[$tmp2 & 31];
229 $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
230 $tmp1 = $val[4] >> 5;
231 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
232 $tmp2 = $val[4] - ($tmp1 << 5);
233 $OTP .= $lookupChar[$tmp2 & 31];
234 $tmp1 = $val[5] >> 3;
235 $OTP .= $lookupChar[$tmp1 & 31];
236 $tmp2 = $val[5] - ($tmp1 << 3);
237 $tmp1 = $val[6] >> 6;
238 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
239
240 return $OTP;
241 }
242
243 if($oldid == 4)
244 {
245 $oldid = 0;
246 $id = 4;
247
248 $_SESSION['_config']['errmsg'] = "";
249
250 $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
251 $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
252 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
253 `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
254 $res = mysql_query($query);
255 if(mysql_num_rows($res) <= 0)
256 {
257 $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
258 $otpres = mysql_query($otpquery);
259 if(mysql_num_rows($otpres) > 0)
260 {
261 $otp = mysql_fetch_assoc($otpres);
262 $otphash = $otp['otphash'];
263 $otppin = $otp['otppin'];
264 if(strlen($pword) == 6)
265 {
266 $matchperiod = 18;
267 $time = round(gmdate("U") / 10);
268 } else {
269 $matchperiod = 3;
270 $time = round(gmdate("U") / 60);
271 }
272
273 $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
274 mysql_query($query);
275
276 $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
277 if(mysql_num_rows(mysql_query($query)) <= 0)
278 {
279 $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
280 mysql_query($query);
281 for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
282 {
283 if($otppin > 0)
284 $tmpmd5 = md5("$i$otphash$otppin");
285 else
286 $tmpmd5 = md5("$i$otphash");
287
288 if(strlen($pword) == 6)
289 $md5 = substr(md5("$i$otphash"), 0, 6);
290 else if(strlen($pword) == 8)
291 $md5 = getOTP64(md5("$i$otphash"));
292 else
293 $md5 = getOTP32(md5("$i$otphash"));
294
295 if($pword == $md5)
296 $res = mysql_query($otpquery);
297 }
298 }
299 }
300 }
301 if(mysql_num_rows($res) > 0)
302 {
303 $_SESSION['profile'] = "";
304 unset($_SESSION['profile']);
305 $_SESSION['profile'] = mysql_fetch_assoc($res);
306 $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
307 mysql_query($query);
308
309 if($_SESSION['profile']['language'] == "")
310 {
311 $query = "update `users` set `language`='".$_SESSION['_config']['language']."'
312 where `id`='".$_SESSION['profile']['id']."'";
313 mysql_query($query);
314 } else {
315 $_SESSION['_config']['language'] = $_SESSION['profile']['language'];
316
317 putenv("LANG=".$_SESSION['_config']['language']);
318 setlocale(LC_ALL, $_SESSION['_config']['language']);
319
320 $domain = 'messages';
321 bindtextdomain("$domain", $_SESSION['_config']['filepath']."/locale");
322 textdomain("$domain");
323 }
324 $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
325 $res = mysql_query($query);
326 $row = mysql_fetch_assoc($res);
327 $_SESSION['profile']['points'] = $row['total'];
328 $_SESSION['profile']['loggedin'] = 1;
329 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
330 $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
331 $_SESSION['profile']['Q5'] == "")
332 {
333 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
334 $_SESSION['_config']['oldlocation'] = "account.php?id=13";
335 }
336 if($_SESSION['_config']['oldlocation'] != "")
337 header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
338 else
339 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
340 exit;
341 }
342
343 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
344 `password`=password('$pword')) and `verified`=0 and `deleted`=0";
345 $res = mysql_query($query);
346 if(mysql_num_rows($res) <= 0)
347 {
348 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
349 } else {
350 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
351 }
352 }
353
354 if($process && $oldid == 1)
355 {
356 $id = 2;
357 $oldid = 0;
358
359 $_SESSION['_config']['errmsg'] = "";
360
361 $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
362 $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname']))));
363 $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname']))));
364 $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname']))));
365 $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix']))));
366 $_SESSION['signup']['day'] = intval($_REQUEST['day']);
367 $_SESSION['signup']['month'] = intval($_REQUEST['month']);
368 $_SESSION['signup']['year'] = intval($_REQUEST['year']);
369 $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
370 $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
371 $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
372 $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2']))));
373 $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3']))));
374 $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4']))));
375 $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5']))));
376 $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
377 $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
378 $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
379 $_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
380 $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
381 $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0);
382 $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0);
383 $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0);
384 $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0);
385 $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0);
386
387
388 if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
389 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
390 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
391 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
392 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
393 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
394 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
395 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
396 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
397 $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
398 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
399 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
400 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
401 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
402 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
403 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
404 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
405 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
406 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
407 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
408 $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
409 $_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
410 $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
411 $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
412 $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
413 $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
414 $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
415 $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
416 $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
417 $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
418 $_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
419 {
420 $id = 1;
421 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
422 }
423
424 if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
425 $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
426 $_SESSION['signup']['Q5'] == "")
427 {
428 $id = 1;
429 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
430 }
431 if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
432 {
433 $id = 1;
434 $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
435 }
436 if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
437 $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
438 !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
439 mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
440 {
441 $id = 1;
442 $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
443 }
444 if($_SESSION['signup']['cca_agree'] == "0")
445 {
446 $id = 1;
447 $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
448 }
449 if($_SESSION['signup']['email'] == "")
450 {
451 $id = 1;
452 $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
453 }
454 if($_SESSION['signup']['pword1'] == "")
455 {
456 $id = 1;
457 $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
458 }
459 if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
460 {
461 $id = 1;
462 $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
463 }
464
465 $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
466 if($score < 3)
467 {
468 $id = 1;
469 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6.");
470 }
471
472 if($id == 2)
473 {
474 $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
475 $res1 = mysql_query($query);
476
477 $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
478 $res2 = mysql_query($query);
479 if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
480 {
481 $id = 1;
482 $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
483 }
484
485 $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
486 $res = mysql_query($query);
487 if(mysql_num_rows($res) > 0)
488 {
489 $domain = mysql_fetch_assoc($res);
490 $domain = $domain['domain'];
491 $id = 1;
492 $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
493 }
494 }
495
496 if($id == 2)
497 {
498 $checkemail = checkEmail($_SESSION['signup']['email']);
499 if($checkemail != "OK")
500 {
501 $id = 1;
502 if (substr($checkemail, 0, 1) == "4")
503 {
504 $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
505 } else {
506 $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
507 }
508 $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
509 }
510 }
511
512 if($id == 2)
513 {
514 $hash = make_hash();
515
516 $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
517 `password`=sha1('".$_SESSION['signup']['pword1']."'),
518 `fname`='".$_SESSION['signup']['fname']."',
519 `mname`='".$_SESSION['signup']['mname']."',
520 `lname`='".$_SESSION['signup']['lname']."',
521 `suffix`='".$_SESSION['signup']['suffix']."',
522 `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
523 `Q1`='".$_SESSION['signup']['Q1']."',
524 `Q2`='".$_SESSION['signup']['Q2']."',
525 `Q3`='".$_SESSION['signup']['Q3']."',
526 `Q4`='".$_SESSION['signup']['Q4']."',
527 `Q5`='".$_SESSION['signup']['Q5']."',
528 `A1`='".$_SESSION['signup']['A1']."',
529 `A2`='".$_SESSION['signup']['A2']."',
530 `A3`='".$_SESSION['signup']['A3']."',
531 `A4`='".$_SESSION['signup']['A4']."',
532 `A5`='".$_SESSION['signup']['A5']."',
533 `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
534 mysql_query($query);
535 $memid = mysql_insert_id();
536 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
537 `hash`='$hash',
538 `created`=NOW(),
539 `memid`='$memid'";
540 mysql_query($query);
541 $emailid = mysql_insert_id();
542 $query = "insert into `alerts` set `memid`='$memid',
543 `general`='".$_SESSION['signup']['general']."',
544 `country`='".$_SESSION['signup']['country']."',
545 `regional`='".$_SESSION['signup']['regional']."',
546 `radius`='".$_SESSION['signup']['radius']."'";
547 mysql_query($query);
548
549 $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
550 $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n"; //."&"."lang=".$_SESSION['_config']['language']."\n\n";
551 $body .= _("Best regards")."\n"._("CAcert.org Support!");
552
553 sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
554 foreach($_SESSION['signup'] as $key => $val)
555 $_SESSION['signup'][$key] = "";
556 unset($_SESSION['signup']);
557 }
558 }
559
560 if($oldid == 11 && $process != "")
561 {
562 $who = stripslashes($_REQUEST['who']);
563 $email = stripslashes($_REQUEST['email']);
564 $subject = stripslashes($_REQUEST['subject']);
565 $message = stripslashes($_REQUEST['message']);
566 $secrethash = $_REQUEST['secrethash2'];
567
568 if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
569 {
570 $id = $oldid;
571 $process = "";
572 $_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
573 $oldid = 0;
574
575 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
576 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
577 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
578 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
579 echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
580 die;
581 }
582 if(strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") )
583 {
584 $id = $oldid;
585 $process = "";
586 $_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
587 $oldid = 0;
588
589 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
590 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
591 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
592 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
593 echo _("This seems like potential spam, cannot continue.");
594 die;
595 }
596
597
598 if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
599 {
600 $id = $oldid;
601 $process = "";
602 $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
603 $oldid = 0;
604 }
605 }
606
607 if($oldid == 11 && $process != "" && $_REQUEST['support'] != "yes")
608 {
609 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
610
611 sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
612 showheader(_("Welcome to CAcert.org"));
613 echo _("Your message has been sent.");
614 showfooter();
615 exit;
616 }
617
618 if($oldid == 11 && $process != "" && $_REQUEST['support'] == "yes")
619 {
620 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
621
622 sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
623 showheader(_("Welcome to CAcert.org"));
624 echo _("Your message has been sent to the general support list.");
625 showfooter();
626 exit;
627 }
628
629 if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
630 $_SESSION['signup']['year'] = "19XX";
631
632 showheader(_("Welcome to CAcert.org"));
633 includeit($id);
634 showfooter();
635 ?>