13e8dc6ea637da952434a8870f2732490d54118d
[cacert.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19
20 $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
21 $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
22 $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
23
24 if($id == 2)
25 $id = 0;
26
27 $_SESSION['_config']['errmsg'] = "";
28
29 if($id == 17 || $id == 20)
30 {
31 include_once("../pages/index/$id.php");
32 exit;
33 }
34
35 loadem("index");
36
37 $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
38
39 if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1)
40 {
41 $oldid = 0;
42 $id = 5;
43 }
44
45 if($oldid == 6 && $process != "")
46 {
47 $body = "";
48 $answers = 0;
49 $qs = array();
50 $id = $oldid;
51 $oldid = 0;
52 if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1'])
53 {
54 $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
55
56 if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1']))
57 $answers++;
58 $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n";
59 }
60 if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2'])
61 {
62 $_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
63
64 if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2']))
65 $answers++;
66 $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n";
67 }
68 if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3'])
69 {
70 $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
71
72 if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3']))
73 $answers++;
74 $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n";
75 }
76 if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4'])
77 {
78 $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
79
80 if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4']))
81 $answers++;
82 $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n";
83 }
84 if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5'])
85 {
86 $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
87
88 if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5']))
89 $answers++;
90 $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n";
91 }
92
93 $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
94 $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));
95
96 if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
97 {
98 $body = "Someone has just attempted to update the pass phrase on the following account:\n".
99 "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
100 "email: ".$_SESSION['lostpw']['user']['email']."\n".
101 "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
102 "---------------------------------------------------------------------\n".$body.
103 "---------------------------------------------------------------------\n";
104 sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
105 $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
106 $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
107 } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
108 $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
109 } else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
110 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
111 } else {
112 $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
113 $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
114 if($score < 3)
115 {
116 $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
117 } else {
118 $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
119 where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
120 mysql_query($query) || die(mysql_error());
121 showheader(_("Welcome to CAcert.org"));
122 echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
123 showfooter();
124 exit;
125 }
126 }
127 }
128
129 if($oldid == 5 && $process != "")
130 {
131 $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
132 $_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
133 $_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
134 $_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
135 $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];
136 $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
137 $res = mysql_query($query);
138 if(mysql_num_rows($res) <= 0)
139 {
140 $id = $oldid;
141 $oldid = 0;
142 $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
143 } else {
144 $id = 6;
145 $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
146 }
147 }
148
149 if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
150 {
151 $query = "select * from `emailcerts` where `serial`='$_SERVER[SSL_CLIENT_M_SERIAL]' and `revoked`=0 and disablelogin=0 and
152 UNIX_TIMESTAMP(`expire`) - UNIX_TIMESTAMP() > 0";
153 $res = mysql_query($query);
154 if(mysql_num_rows($res) > 0)
155 {
156 $row = mysql_fetch_assoc($res);
157 $_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$row[memid]' and `deleted`=0 and `locked`=0"));
158 if($_SESSION['profile']['id'] != 0)
159 {
160 $_SESSION['profile']['loggedin'] = 1;
161 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
162 exit;
163 } else {
164 $_SESSION['profile']['loggedin'] = 0;
165 }
166 }
167 }
168
169 if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
170 {
171 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
172 exit;
173 }
174
175 function getOTP64($otp)
176 {
177 $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
178
179 for($i = 0; $i < 6; $i++)
180 $val[$i] = hexdec(substr($otp, $i * 2, 2));
181
182 $tmp1 = $val[0] >> 2;
183 $OTP = $lookupChar[$tmp1 & 63];
184 $tmp2 = $val[0] - ($tmp1 << 2);
185 $tmp1 = $val[1] >> 4;
186 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
187 $tmp2 = $val[1] - ($tmp1 << 4);
188 $tmp1 = $val[2] >> 6;
189 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
190 $tmp2 = $val[2] - ($tmp1 << 6);
191 $OTP .= $lookupChar[$tmp2 & 63];
192 $tmp1 = $val[3] >> 2;
193 $OTP .= $lookupChar[$tmp1 & 63];
194 $tmp2 = $val[3] - ($tmp1 << 2);
195 $tmp1 = $val[4] >> 4;
196 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
197 $tmp2 = $val[4] - ($tmp1 << 4);
198 $tmp1 = $val[5] >> 6;
199 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
200 $tmp2 = $val[5] - ($tmp1 << 6);
201 $OTP .= $lookupChar[$tmp2 & 63];
202
203 return $OTP;
204 }
205
206 function getOTP32($otp)
207 {
208 $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
209
210 for($i = 0; $i < 7; $i++)
211 $val[$i] = hexdec(substr($otp, $i * 2, 2));
212
213 $tmp1 = $val[0] >> 3;
214 $OTP = $lookupChar[$tmp1 & 31];
215 $tmp2 = $val[0] - ($tmp1 << 3);
216 $tmp1 = $val[1] >> 6;
217 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
218 $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
219 $OTP .= $lookupChar[$tmp2 & 31];
220 $tmp2 = $val[1] - (($val[1] >> 1) << 1);
221 $tmp1 = $val[2] >> 4;
222 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
223 $tmp2 = $val[2] - ($tmp1 << 4);
224 $tmp1 = $val[3] >> 7;
225 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
226 $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
227 $OTP .= $lookupChar[$tmp2 & 31];
228 $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
229 $tmp1 = $val[4] >> 5;
230 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
231 $tmp2 = $val[4] - ($tmp1 << 5);
232 $OTP .= $lookupChar[$tmp2 & 31];
233 $tmp1 = $val[5] >> 3;
234 $OTP .= $lookupChar[$tmp1 & 31];
235 $tmp2 = $val[5] - ($tmp1 << 3);
236 $tmp1 = $val[6] >> 6;
237 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
238
239 return $OTP;
240 }
241
242 if($oldid == 4)
243 {
244 $oldid = 0;
245 $id = 4;
246
247 $_SESSION['_config']['errmsg'] = "";
248
249 $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
250 $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
251 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
252 `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
253 $res = mysql_query($query);
254 if(mysql_num_rows($res) <= 0)
255 {
256 $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
257 $otpres = mysql_query($otpquery);
258 if(mysql_num_rows($otpres) > 0)
259 {
260 $otp = mysql_fetch_assoc($otpres);
261 $otphash = $otp['otphash'];
262 $otppin = $otp['otppin'];
263 if(strlen($pword) == 6)
264 {
265 $matchperiod = 18;
266 $time = round(gmdate("U") / 10);
267 } else {
268 $matchperiod = 3;
269 $time = round(gmdate("U") / 60);
270 }
271
272 $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
273 mysql_query($query);
274
275 $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
276 if(mysql_num_rows(mysql_query($query)) <= 0)
277 {
278 $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
279 mysql_query($query);
280 for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
281 {
282 if($otppin > 0)
283 $tmpmd5 = md5("$i$otphash$otppin");
284 else
285 $tmpmd5 = md5("$i$otphash");
286
287 if(strlen($pword) == 6)
288 $md5 = substr(md5("$i$otphash"), 0, 6);
289 else if(strlen($pword) == 8)
290 $md5 = getOTP64(md5("$i$otphash"));
291 else
292 $md5 = getOTP32(md5("$i$otphash"));
293
294 if($pword == $md5)
295 $res = mysql_query($otpquery);
296 }
297 }
298 }
299 }
300 if(mysql_num_rows($res) > 0)
301 {
302 $_SESSION['profile'] = "";
303 unset($_SESSION['profile']);
304 $_SESSION['profile'] = mysql_fetch_assoc($res);
305 $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
306 mysql_query($query);
307
308 if($_SESSION['profile']['language'] == "")
309 {
310 $query = "update `users` set `language`='".$_SESSION['_config']['language']."'
311 where `id`='".$_SESSION['profile']['id']."'";
312 mysql_query($query);
313 } else {
314 $_SESSION['_config']['language'] = $_SESSION['profile']['language'];
315
316 putenv("LANG=".$_SESSION['_config']['language']);
317 setlocale(LC_ALL, $_SESSION['_config']['language']);
318
319 $domain = 'messages';
320 bindtextdomain("$domain", $_SESSION['_config']['filepath']."/locale");
321 textdomain("$domain");
322 }
323 $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
324 $res = mysql_query($query);
325 $row = mysql_fetch_assoc($res);
326 $_SESSION['profile']['points'] = $row['total'];
327 $_SESSION['profile']['loggedin'] = 1;
328 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
329 $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
330 $_SESSION['profile']['Q5'] == "")
331 {
332 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
333 $_SESSION['_config']['oldlocation'] = "account.php?id=13";
334 }
335 if($_SESSION['_config']['oldlocation'] != "")
336 header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
337 else
338 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
339 exit;
340 }
341
342 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
343 `password`=password('$pword')) and `verified`=0 and `deleted`=0";
344 $res = mysql_query($query);
345 if(mysql_num_rows($res) <= 0)
346 {
347 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
348 } else {
349 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
350 }
351 }
352
353 if($process && $oldid == 1)
354 {
355 $id = 2;
356 $oldid = 0;
357
358 $_SESSION['_config']['errmsg'] = "";
359
360 $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
361 $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname']))));
362 $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname']))));
363 $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname']))));
364 $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix']))));
365 $_SESSION['signup']['day'] = intval($_REQUEST['day']);
366 $_SESSION['signup']['month'] = intval($_REQUEST['month']);
367 $_SESSION['signup']['year'] = intval($_REQUEST['year']);
368 $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
369 $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
370 $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
371 $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2']))));
372 $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3']))));
373 $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4']))));
374 $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5']))));
375 $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
376 $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
377 $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
378 $_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
379 $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
380 $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0);
381 $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0);
382 $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0);
383 $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0);
384 $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0);
385
386
387 if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
388 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
389 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
390 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
391 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
392 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
393 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
394 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
395 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
396 $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
397 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
398 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
399 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
400 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
401 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
402 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
403 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
404 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
405 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
406 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
407 $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
408 $_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
409 $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
410 $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
411 $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
412 $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
413 $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
414 $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
415 $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
416 $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
417 $_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
418 {
419 $id = 1;
420 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
421 }
422
423 if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
424 $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
425 $_SESSION['signup']['Q5'] == "")
426 {
427 $id = 1;
428 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
429 }
430 if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
431 {
432 $id = 1;
433 $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
434 }
435 if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
436 $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
437 !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
438 mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
439 {
440 $id = 1;
441 $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
442 }
443 if($_SESSION['signup']['cca_agree'] == "0")
444 {
445 $id = 1;
446 $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
447 }
448 if($_SESSION['signup']['email'] == "")
449 {
450 $id = 1;
451 $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
452 }
453 if($_SESSION['signup']['pword1'] == "")
454 {
455 $id = 1;
456 $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
457 }
458 if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
459 {
460 $id = 1;
461 $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
462 }
463
464 $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
465 if($score < 3)
466 {
467 $id = 1;
468 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6.");
469 }
470
471 if($id == 2)
472 {
473 $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
474 $res1 = mysql_query($query);
475
476 $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
477 $res2 = mysql_query($query);
478 if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
479 {
480 $id = 1;
481 $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
482 }
483
484 $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
485 $res = mysql_query($query);
486 if(mysql_num_rows($res) > 0)
487 {
488 $domain = mysql_fetch_assoc($res);
489 $domain = $domain['domain'];
490 $id = 1;
491 $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
492 }
493 }
494
495 if($id == 2)
496 {
497 $checkemail = checkEmail($_SESSION['signup']['email']);
498 if($checkemail != "OK")
499 {
500 $id = 1;
501 if (substr($checkemail, 0, 1) == "4")
502 {
503 $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
504 } else {
505 $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
506 }
507 $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
508 }
509 }
510
511 if($id == 2)
512 {
513 $hash = make_hash();
514
515 $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
516 `password`=sha1('".$_SESSION['signup']['pword1']."'),
517 `fname`='".$_SESSION['signup']['fname']."',
518 `mname`='".$_SESSION['signup']['mname']."',
519 `lname`='".$_SESSION['signup']['lname']."',
520 `suffix`='".$_SESSION['signup']['suffix']."',
521 `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
522 `Q1`='".$_SESSION['signup']['Q1']."',
523 `Q2`='".$_SESSION['signup']['Q2']."',
524 `Q3`='".$_SESSION['signup']['Q3']."',
525 `Q4`='".$_SESSION['signup']['Q4']."',
526 `Q5`='".$_SESSION['signup']['Q5']."',
527 `A1`='".$_SESSION['signup']['A1']."',
528 `A2`='".$_SESSION['signup']['A2']."',
529 `A3`='".$_SESSION['signup']['A3']."',
530 `A4`='".$_SESSION['signup']['A4']."',
531 `A5`='".$_SESSION['signup']['A5']."',
532 `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
533 mysql_query($query);
534 $memid = mysql_insert_id();
535 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
536 `hash`='$hash',
537 `created`=NOW(),
538 `memid`='$memid'";
539 mysql_query($query);
540 $emailid = mysql_insert_id();
541 $query = "insert into `alerts` set `memid`='$memid',
542 `general`='".$_SESSION['signup']['general']."',
543 `country`='".$_SESSION['signup']['country']."',
544 `regional`='".$_SESSION['signup']['regional']."',
545 `radius`='".$_SESSION['signup']['radius']."'";
546 mysql_query($query);
547
548 $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
549 $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n"; //."&"."lang=".$_SESSION['_config']['language']."\n\n";
550 $body .= _("Best regards")."\n"._("CAcert.org Support!");
551
552 sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
553 foreach($_SESSION['signup'] as $key => $val)
554 $_SESSION['signup'][$key] = "";
555 unset($_SESSION['signup']);
556 }
557 }
558
559 if($oldid == 11 && $process != "")
560 {
561 $who = stripslashes($_REQUEST['who']);
562 $email = stripslashes($_REQUEST['email']);
563 $subject = stripslashes($_REQUEST['subject']);
564 $message = stripslashes($_REQUEST['message']);
565 $secrethash = $_REQUEST['secrethash2'];
566
567 if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
568 {
569 $id = $oldid;
570 $process = "";
571 $_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
572 $oldid = 0;
573
574 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
575 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
576 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
577 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
578 echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
579 die;
580 }
581 if(strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") )
582 {
583 $id = $oldid;
584 $process = "";
585 $_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
586 $oldid = 0;
587
588 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
589 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
590 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
591 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
592 echo _("This seems like potential spam, cannot continue.");
593 die;
594 }
595
596
597 if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
598 {
599 $id = $oldid;
600 $process = "";
601 $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
602 $oldid = 0;
603 }
604 }
605
606 if($oldid == 11 && $process != "" && $_REQUEST['support'] != "yes")
607 {
608 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
609
610 sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
611 showheader(_("Welcome to CAcert.org"));
612 echo _("Your message has been sent.");
613 showfooter();
614 exit;
615 }
616
617 if($oldid == 11 && $process != "" && $_REQUEST['support'] == "yes")
618 {
619 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
620
621 sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
622 showheader(_("Welcome to CAcert.org"));
623 echo _("Your message has been sent to the general support list.");
624 showfooter();
625 exit;
626 }
627
628 if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
629 $_SESSION['signup']['year'] = "19XX";
630
631 if ($id == 19)
632 {
633 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
634 $newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
635 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
636 }
637
638 showheader(_("Welcome to CAcert.org"));
639 includeit($id);
640 showfooter();
641 ?>