Source code taken from cacert-20110820.tar.bz2
[cacert.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19
// Request routing state. $id selects the page that is rendered at the end of
// this script, $oldid names the form being submitted, and the handlers below
// act only when $process is non-empty. Both ids pass through intval(), so
// they are always integers from here on.
$id = array_key_exists("id", $_REQUEST) ? intval($_REQUEST['id']) : 0;
$oldid = array_key_exists("oldid", $_REQUEST) ? intval($_REQUEST['oldid']) : 0;
$process = array_key_exists("process", $_REQUEST) ? $_REQUEST['process'] : "";

// Page 2 cannot be requested directly; the signup handler further down is the
// only place that sets it.
if ($id == 2) {
	$id = 0;
}

$_SESSION['_config']['errmsg'] = "";

// Pages 17 and 20 are included on their own, before loadem() and without the
// site header and footer. Interpolating $id into the include path is safe
// only because $id is an integer restricted to these two values.
if ($id == 17 || $id == 20) {
	include_once("../pages/index/$id.php");
	exit;
}

loadem("index");

// NOTE(review): HTTP_HOST comes from the request's Host header, so the stored
// hostname is client-supplied. Confirm that every reader of
// $_SESSION['_config']['hostname'] treats it as untrusted.
$_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];

// The security-question page (6) needs a user row selected by the lookup step
// (5). Without one, send the visitor back to the lookup form.
if (($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1) {
	$oldid = 0;
	$id = 5;
}
44
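// Lost pass phrase, step 2: compare the submitted answers with the stored
// security answers and, when enough are right, store the new pass phrase.
// $_SESSION['lostpw']['user'] is the account row selected by the lookup step;
// $_SESSION['lostpw']['total'] is set outside this file.
if ($oldid == 6 && $process != "") {
	$body = "";
	$answers = 0;
	$qs = array();
	$id = $oldid;
	$oldid = 0;

	for ($n = 1; $n <= 5; $n++) {
		$qkey = "Q$n";
		$akey = "A$n";
		if (!array_key_exists($qkey, $_REQUEST) || !$_REQUEST[$qkey]) {
			continue;
		}

		$given = (array_key_exists($akey, $_REQUEST) && is_string($_REQUEST[$akey])) ? $_REQUEST[$akey] : "";
		$_SESSION['lostpw'][$akey] = trim(mysql_escape_string(stripslashes(strip_tags($given))));

		$entered = stripslashes(strtolower($_SESSION['lostpw'][$akey]));
		$expected = strtolower($_SESSION['lostpw']['user'][$akey]);

		// Strict comparison: with == two different numeric-looking strings
		// (for example "1000" and "1e3") compare equal. An empty stored
		// answer is rejected so that a question the account never configured
		// can not be counted as answered correctly.
		if ($expected !== "" && $entered === $expected) {
			$answers++;
		}

		// NOTE(review): the stored answer is copied into the mail to support
		// below, so that mailbox ends up holding account-recovery secrets.
		$body .= "System: ".$_SESSION['lostpw']['user'][$akey]."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw'][$akey]))."\n";
	}

	// NOTE(review): the new pass phrase goes through strip_tags() here, while
	// the signup and login handlers in this file do not strip tags from pass
	// phrases. A pass phrase containing markup would be stored in stripped
	// form and then fail to match at login. Left unchanged because the value
	// is also kept in the session and its other readers are not visible here.
	$newpass1 = (isset($_REQUEST['newpass1']) && is_string($_REQUEST['newpass1'])) ? $_REQUEST['newpass1'] : "";
	$newpass2 = (isset($_REQUEST['newpass2']) && is_string($_REQUEST['newpass2'])) ? $_REQUEST['newpass2'] : "";
	$_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($newpass1))));
	$_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($newpass2))));

	if ($answers < $_SESSION['lostpw']['total'] || $answers < 3) {
		$body = "Someone has just attempted to update the pass phrase on the following account:\n".
			"Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
			"email: ".$_SESSION['lostpw']['user']['email']."\n".
			"IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
			"---------------------------------------------------------------------\n".$body.
			"---------------------------------------------------------------------\n";
		sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
			$_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
		$_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
	} else if ($_SESSION['lostpw']['pw1'] !== $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] === "") {
		// Strict comparison so the confirmation must repeat the pass phrase
		// exactly; == treats some different numeric-looking strings as equal.
		$_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
	} else if (strlen($_SESSION['lostpw']['pw1']) < 6) {
		// The length is measured on the SQL-escaped value, which is longer
		// than the typed pass phrase whenever a character was escaped.
		$_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
	} else {
		$score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
			$_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
		if ($score < 3) {
			$_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
		} else {
			// pw1 was escaped above and the id is forced to an integer.
			// NOTE(review): the pass phrase is stored as an unsalted SHA-1
			// digest. Moving to a salted, slow password hash needs a matching
			// change to the login query, so it is not attempted here.
			// NOTE(review): die(mysql_error()) shows the raw database error
			// to the visitor; consider logging it and showing a generic
			// message instead.
			$query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
					where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
			mysql_query($query) || die(mysql_error());
			showheader(_("Welcome to CAcert.org"));
			echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
			showfooter();
			exit;
		}
	}
}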
128
// Lost pass phrase, step 1: look the account up by e-mail address and date of
// birth. On a match the row is kept in the session and the question page (6)
// is shown next; otherwise the lookup form (5) is shown again with an error.
if ($oldid == 5 && $process != "") {
	// The address is escaped and the date parts are integers, so the
	// string-built query below contains no raw request data.
	$email = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
	$_SESSION['lostpw']['email'] = $email;
	$_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
	$_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
	$_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
	$dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];

	$query = "select * from `users` where `email`='$email' and `dob`='$dob'";
	$res = mysql_query($query);

	if (mysql_num_rows($res) > 0) {
		$id = 6;
		// The whole row, including the stored answers, is held in the
		// session for the answer check in the step-2 handler.
		$_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
	} else {
		$id = $oldid;
		$oldid = 0;
		$_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
	}
}
148
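// Client-certificate login: on the secure hostname, map the certificate
// serial reported by the web server to an unrevoked, unexpired, login-enabled
// e-mail certificate and log in the account that owns it.
if ($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname']) {
	$serial = array_key_exists('SSL_CLIENT_M_SERIAL', $_SERVER) ? (string)$_SERVER['SSL_CLIENT_M_SERIAL'] : "";

	// An absent or empty serial is refused before querying, so the lookup
	// can never match a certificate row whose serial column is blank.
	if ($serial !== "") {
		// The serial is escaped like every other value in this file's
		// string-built queries, even though it comes from the web server.
		$query = "select * from `emailcerts` where `serial`='".mysql_escape_string($serial)."' and `revoked`=0 and disablelogin=0 and
				UNIX_TIMESTAMP(`expire`) - UNIX_TIMESTAMP() > 0";
		$res = mysql_query($query);
		if (mysql_num_rows($res) > 0) {
			$row = mysql_fetch_assoc($res);
			// memid is forced to an integer before it is put into the query.
			$_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($row['memid'])."' and `deleted`=0 and `locked`=0"));
			if ($_SESSION['profile']['id'] != 0) {
				$_SESSION['profile']['loggedin'] = 1;
				// HTTP_HOST equals the configured secure hostname here
				// (checked above), so the redirect target is fixed.
				header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
				exit;
			} else {
				// No usable account (deleted, locked or missing).
				$_SESSION['profile']['loggedin'] = 0;
			}
		}
	}
}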
168
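// A visitor who is already logged in and asks for the login page (4) is sent
// to the account page. The original test wrapped the profile in a new array,
// array($_SESSION['profile']), whose only key is 0, so 'loggedin' was never
// found and this redirect could not fire. The key is now looked up in the
// profile itself.
// NOTE(review): the redirect target is built from the request's Host header.
// Confirm the web server only accepts the site's own hostnames, or build the
// URL from the configured hostname instead.
if ($id == 4 && array_key_exists('profile', $_SESSION) && is_array($_SESSION['profile']) &&
	array_key_exists('loggedin', $_SESSION['profile']) && $_SESSION['profile']['loggedin'] == 1)
{
	header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
	exit;
}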
174
/**
 * Encode the first six bytes of a hex string as eight characters taken from
 * a 64-character alphabet.
 *
 * The bytes are handled as two groups of three, each group producing four
 * characters. The low bits carried over from one byte are added to the high
 * bits of the next byte without being shifted into place, so the output is
 * not standard Base64. The login handler compares this value with a
 * submitted one-time password, so the arithmetic must stay exactly as it is.
 *
 * @param string $otp Hex string; only the first 12 hex digits are read.
 * @return string Eight-character code.
 */
function getOTP64($otp)
{
	$alphabet = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";

	// Decode the first six bytes, two hex digits each.
	$bytes = array();
	for ($pos = 0; $pos < 6; $pos++) {
		$bytes[] = hexdec(substr($otp, $pos * 2, 2));
	}

	$code = "";
	foreach (array(0, 3) as $base) {
		$first = $bytes[$base];
		$second = $bytes[$base + 1];
		$third = $bytes[$base + 2];

		$high = $first >> 2;
		$code .= $alphabet[$high & 63];
		$carry = $first - ($high << 2);

		$high = $second >> 4;
		$code .= $alphabet[($high + $carry) & 63];
		$carry = $second - ($high << 4);

		$high = $third >> 6;
		$code .= $alphabet[($high + $carry) & 63];
		$carry = $third - ($high << 6);

		$code .= $alphabet[$carry & 63];
	}

	return $code;
}
205
/**
 * Encode the first seven bytes of a hex string as ten characters taken from
 * a 32-character alphabet.
 *
 * As in getOTP64(), carried bits are added to the next value rather than
 * shifted into place, so this is not standard Base32. The login handler
 * compares the result with a submitted one-time password, so the arithmetic
 * is reproduced exactly.
 *
 * @param string $otp Hex string; only the first 14 hex digits are read.
 * @return string Ten-character code.
 */
function getOTP32($otp)
{
	$alphabet = "0123456789abcdefghkmnoprstuvwxyz";

	// Decode the first seven bytes, two hex digits each.
	$b = array();
	for ($pos = 0; $pos < 7; $pos++) {
		$b[] = hexdec(substr($otp, $pos * 2, 2));
	}

	// Collect the ten alphabet indices first; each is masked to 5 bits below.
	$indices = array();

	$high = $b[0] >> 3;
	$indices[] = $high;
	$carry = $b[0] - ($high << 3);

	$high = $b[1] >> 6;
	$indices[] = $high + $carry;
	$carry = ($b[1] - ($high << 6)) >> 1;
	$indices[] = $carry;
	$carry = $b[1] - (($b[1] >> 1) << 1);

	$high = $b[2] >> 4;
	$indices[] = $high + $carry;
	$carry = $b[2] - ($high << 4);

	$high = $b[3] >> 7;
	$indices[] = $high + $carry;
	$carry = ($b[3] - ($high << 7)) >> 2;
	$indices[] = $carry;
	// NOTE(review): the original line has no parentheses around the
	// subtraction. PHP evaluates "-" before "<<", so the whole difference is
	// shifted left by two; that reading is written out here. It may not be
	// what the author intended, but changing it would change the codes this
	// function produces. Confirm against the token implementation.
	$carry = ($b[3] - (($b[3] - ($high << 7)) >> 2)) << 2;

	$high = $b[4] >> 5;
	$indices[] = $high + $carry;
	$carry = $b[4] - ($high << 5);
	$indices[] = $carry;

	$high = $b[5] >> 3;
	$indices[] = $high;
	$carry = $b[5] - ($high << 3);

	$high = $b[6] >> 6;
	$indices[] = $high + $carry;

	$code = "";
	foreach ($indices as $index) {
		$code .= $alphabet[$index & 31];
	}

	return $code;
}
241
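// Pass phrase / one-time-password login (form 4).
//
// The account is first looked up by e-mail address and pass phrase. If that
// finds nothing and the account has an OTP hash, the submitted value is
// checked as a time-based one-time password. On success the profile row is
// loaded into the session and the visitor is redirected.
if ($oldid == 4) {
	$oldid = 0;
	$id = 4;

	$_SESSION['_config']['errmsg'] = "";

	// Both values are escaped because every query below is built by string
	// interpolation. The pass phrase is not passed through strip_tags().
	$email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
	$pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));

	// True only when the login succeeded through the OTP branch.
	$otplogin = false;

	// Three hash formats are accepted: MySQL old_password(), MySQL password()
	// and SHA-1. NOTE(review): all three are unsalted, fast digests.
	$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
			`password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
	$res = mysql_query($query);
	if (mysql_num_rows($res) <= 0) {
		$otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
		$otpres = mysql_query($otpquery);
		if (mysql_num_rows($otpres) > 0) {
			$otp = mysql_fetch_assoc($otpres);
			$otphash = $otp['otphash'];
			// NOTE(review): the PIN is read but is not part of the compared
			// value. The original computed md5("$i$otphash$otppin") into a
			// variable that was never used; that dead computation is dropped
			// here. Confirm whether the PIN was meant to be checked.
			$otppin = $otp['otppin'];

			// Six-character codes use 10-second time steps, longer codes
			// 60-second steps; $matchperiod is the accepted window in steps.
			if (strlen($pword) == 6) {
				$matchperiod = 18;
				$time = round(gmdate("U") / 10);
			} else {
				$matchperiod = 3;
				$time = round(gmdate("U") / 60);
			}

			// Replay record: codes seen in the last 600 seconds are kept in
			// `otphashes` and a code already recorded is not checked again.
			$query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
			mysql_query($query);

			$query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
			if (mysql_num_rows(mysql_query($query)) <= 0) {
				$query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
				mysql_query($query);
				for ($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++) {
					if (strlen($pword) == 6)
						$md5 = substr(md5("$i$otphash"), 0, 6);
					else if (strlen($pword) == 8)
						$md5 = getOTP64(md5("$i$otphash"));
					else
						$md5 = getOTP32(md5("$i$otphash"));

					// Strict comparison: with == two different strings that
					// both look like numbers (a hex prefix such as "0e1234")
					// compare equal.
					if ($pword === $md5) {
						$res = mysql_query($otpquery);
						$otplogin = true;
						break;
					}
				}
			}
		}
	}
	if (mysql_num_rows($res) > 0) {
		// NOTE(review): the session id is not renewed at this point in the
		// visible code; confirm it is regenerated on login elsewhere.
		$_SESSION['profile'] = "";
		unset($_SESSION['profile']);
		$_SESSION['profile'] = mysql_fetch_assoc($res);

		if ($otplogin) {
			// On an OTP login $pword holds the one-time code. Writing
			// sha1($pword) to `password` would turn that code into a standing
			// pass phrase and defeat the `otphashes` replay record, so only
			// the timestamp is updated.
			$query = "update `users` set `modified`=NOW() where `id`='".$_SESSION['profile']['id']."'";
		} else {
			// Pass-phrase login: refresh the stored hash as SHA-1, which
			// migrates rows still using old_password()/password().
			$query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
		}
		mysql_query($query);

		if ($_SESSION['profile']['language'] == "") {
			$query = "update `users` set `language`='".$_SESSION['_config']['language']."'
					where `id`='".$_SESSION['profile']['id']."'";
			mysql_query($query);
		} else {
			$_SESSION['_config']['language'] = $_SESSION['profile']['language'];

			putenv("LANG=".$_SESSION['_config']['language']);
			setlocale(LC_ALL, $_SESSION['_config']['language']);

			$domain = 'messages';
			bindtextdomain("$domain", $_SESSION['_config']['filepath']."/locale");
			textdomain("$domain");
		}
		$query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
		$res = mysql_query($query);
		$row = mysql_fetch_assoc($res);
		$_SESSION['profile']['points'] = $row['total'];
		$_SESSION['profile']['loggedin'] = 1;
		if ($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
			$_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
			$_SESSION['profile']['Q5'] == "")
		{
			$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
			$_SESSION['_config']['oldlocation'] = "account.php?id=13";
		}
		// NOTE(review): on an OTP login this strength check runs on the
		// one-time code rather than on a pass phrase; behaviour kept as is.
		if (checkpwlight($pword) < 3)
			$_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
		// NOTE(review): both redirects are built from the request's Host
		// header; confirm the web server only accepts the site's hostnames.
		if ($_SESSION['_config']['oldlocation'] != "")
			header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
		else
			header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
		exit;
	}

	// Login failed. The "not verified" message is shown only when the pass
	// phrase was correct for an unverified account.
	$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
			`password`=password('$pword')) and `verified`=0 and `deleted`=0";
	$res = mysql_query($query);
	if (mysql_num_rows($res) <= 0) {
		$_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
	} else {
		$_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
	}
}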
354
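// Signup form handler (form 1). Copies the submitted fields into the session,
// validates them and, when every check passes ($id is still 2), creates the
// account and mails the address-verification link. Any failed check sets
// $id back to 1 so the form is shown again with the collected messages.
if ($process && $oldid == 1) {
	$id = 2;
	$oldid = 0;

	$_SESSION['_config']['errmsg'] = "";

	// Text fields: tags stripped, then escaped for the string-built SQL below.
	foreach (array('email', 'fname', 'mname', 'lname', 'suffix') as $field) {
		$raw = isset($_REQUEST[$field]) ? $_REQUEST[$field] : "";
		$_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes(strip_tags($raw))));
	}
	foreach (array('day', 'month', 'year') as $field) {
		$_SESSION['signup'][$field] = intval(isset($_REQUEST[$field]) ? $_REQUEST[$field] : 0);
	}
	// Pass phrases are escaped but not passed through strip_tags().
	foreach (array('pword1', 'pword2') as $field) {
		$raw = isset($_REQUEST[$field]) ? $_REQUEST[$field] : "";
		$_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes($raw)));
	}
	foreach (array('Q1', 'Q2', 'Q3', 'Q4', 'Q5', 'A1', 'A2', 'A3', 'A4', 'A5') as $field) {
		$raw = isset($_REQUEST[$field]) ? $_REQUEST[$field] : "";
		$_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes(strip_tags($raw))));
	}
	foreach (array('general', 'country', 'regional', 'radius', 'cca_agree') as $field) {
		$_SESSION['signup'][$field] = intval(array_key_exists($field, $_REQUEST) ? $_REQUEST[$field] : 0);
	}

	// All ten question and answer values must differ from each other. The
	// original hand-written list of comparisons left some pairs out (for
	// example A2 against Q1 and Q2, and every answer against its own question
	// except A1), although the message below forbids them. Every pair is
	// compared here, which includes all the pairs the original checked.
	$qa = array();
	foreach (array('Q1', 'Q2', 'Q3', 'Q4', 'Q5', 'A1', 'A2', 'A3', 'A4', 'A5') as $field) {
		$qa[] = $_SESSION['signup'][$field];
	}
	$duplicate = false;
	$qacount = count($qa);
	for ($first = 0; $first < $qacount && !$duplicate; $first++) {
		for ($second = $first + 1; $second < $qacount; $second++) {
			if ($qa[$first] == $qa[$second]) {
				$duplicate = true;
				break;
			}
		}
	}
	if ($duplicate) {
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
	}

	if ($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
		$_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
		$_SESSION['signup']['Q5'] == "")
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
	}
	if ($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "") {
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
	}
	// The date must be a real calendar date, not before 1900 and not in the
	// future.
	if ($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
		$_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
		!checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
		mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
	{
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
	}
	if ($_SESSION['signup']['cca_agree'] == "0") {
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
	}
	if ($_SESSION['signup']['email'] == "") {
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
	}
	if ($_SESSION['signup']['pword1'] == "") {
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
	}
	if ($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2']) {
		$id = 1;
		$_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
	}

	$score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
	if ($score < 3) {
		$id = 1;
		// The score is passed to sprintf() instead of being interpolated into
		// the gettext message id. With "$score" inside the id the lookup key
		// changed with every score and could not match a catalogue entry. The
		// id now equals the one used by the lost-pass-phrase handler.
		// NOTE(review): this assignment replaces the messages collected above
		// ("=" rather than ".="); kept as in the original.
		$_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
	}

	// The address must not already be in use and must not belong to a
	// blocked domain.
	if ($id == 2) {
		$query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
		$res1 = mysql_query($query);

		$query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
		$res2 = mysql_query($query);
		if (mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0) {
			$id = 1;
			$_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
		}

		$query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
		$res = mysql_query($query);
		if (mysql_num_rows($res) > 0) {
			$domain = mysql_fetch_assoc($res);
			$domain = $domain['domain'];
			$id = 1;
			$_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
		}
	}

	// checkEmail() is defined elsewhere; it returns "OK" or an error text
	// whose first character is "4" for a temporary failure.
	if ($id == 2) {
		$checkemail = checkEmail($_SESSION['signup']['email']);
		if ($checkemail != "OK") {
			$id = 1;
			if (substr($checkemail, 0, 1) == "4") {
				$_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
			} else {
				$_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
			}
			// NOTE(review): $checkemail is appended to a message that already
			// carries markup. If it holds text from the remote mail server,
			// confirm it is HTML-escaped before errmsg is printed.
			$_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
		}
	}

	if ($id == 2) {
		$hash = make_hash();

		// Every interpolated value was escaped or forced to an integer above.
		// NOTE(review): the pass phrase is stored as an unsalted SHA-1
		// digest, and the results of the three inserts are not checked.
		$query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
				`password`=sha1('".$_SESSION['signup']['pword1']."'),
				`fname`='".$_SESSION['signup']['fname']."',
				`mname`='".$_SESSION['signup']['mname']."',
				`lname`='".$_SESSION['signup']['lname']."',
				`suffix`='".$_SESSION['signup']['suffix']."',
				`dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
				`Q1`='".$_SESSION['signup']['Q1']."',
				`Q2`='".$_SESSION['signup']['Q2']."',
				`Q3`='".$_SESSION['signup']['Q3']."',
				`Q4`='".$_SESSION['signup']['Q4']."',
				`Q5`='".$_SESSION['signup']['Q5']."',
				`A1`='".$_SESSION['signup']['A1']."',
				`A2`='".$_SESSION['signup']['A2']."',
				`A3`='".$_SESSION['signup']['A3']."',
				`A4`='".$_SESSION['signup']['A4']."',
				`A5`='".$_SESSION['signup']['A5']."',
				`created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
		mysql_query($query);
		$memid = mysql_insert_id();
		$query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
				`hash`='$hash',
				`created`=NOW(),
				`memid`='$memid'";
		mysql_query($query);
		$emailid = mysql_insert_id();
		$query = "insert into `alerts` set `memid`='$memid',
				`general`='".$_SESSION['signup']['general']."',
				`country`='".$_SESSION['signup']['country']."',
				`regional`='".$_SESSION['signup']['regional']."',
				`radius`='".$_SESSION['signup']['radius']."'";
		mysql_query($query);

		// NOTE(review): the verification link carries the hash over plain
		// http://; consider an https:// link.
		$body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
		$body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
		$body .= _("Best regards")."\n"._("CAcert.org Support!");

		sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");

		// Blank the submitted values, including the pass phrases, before the
		// signup data is removed from the session.
		foreach ($_SESSION['signup'] as $key => $val)
			$_SESSION['signup'][$key] = "";
		unset($_SESSION['signup']);
	}
}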
560
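// Contact form (form 11), validation step. A request that fails the token
// check or the content check is reported to support and the script stops.
// A request with an empty field is sent back to the form. The sending step
// that follows this handler runs only if $process is still non-empty.
if ($oldid == 11 && $process != "") {
	$who = stripslashes(isset($_REQUEST['who']) ? $_REQUEST['who'] : "");
	$email = stripslashes(isset($_REQUEST['email']) ? $_REQUEST['email'] : "");
	$subject = stripslashes(isset($_REQUEST['subject']) ? $_REQUEST['subject'] : "");
	$message = stripslashes(isset($_REQUEST['message']) ? $_REQUEST['message'] : "");
	$secrethash = isset($_REQUEST['secrethash2']) ? $_REQUEST['secrethash2'] : "";
	$sessionhash = isset($_SESSION['_config']['secrethash']) ? (string)$_SESSION['_config']['secrethash'] : "";

	// The notifications below are sent even when $email failed validation, so
	// the address handed to sendmail() has its line breaks removed first.
	// NOTE(review): sendmail() is defined elsewhere; this assumes its fourth
	// argument ends up in a mail header. Confirm.
	$noticefrom = str_replace(array("\r", "\n"), "", $email);

	// Form token: must be present on both sides and identical. The comparison
	// is strict because == treats some different numeric-looking strings as
	// equal; a non-string request value never matches.
	if (!is_string($secrethash) || $secrethash === "" || $sessionhash === "" || $sessionhash !== $secrethash) {
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
		$oldid = 0;

		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
		sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $noticefrom, "", "", "CAcert Support");
		echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
		die;
	}

	// Content check: two marker words in the subject, or a line break in any
	// value that the sending step places in a mail header. The original
	// looked for "\n" only; "\r" is rejected as well.
	$haslinebreak = strpbrk($who.$email.$subject, "\r\n") !== false;
	if (strpos($subject, "botmetka") !== false || strpos($subject, "servermetka") !== false || $haslinebreak) {
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
		$oldid = 0;

		$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
		sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $noticefrom, "", "", "CAcert Support");
		echo _("This seems like potential spam, cannot continue.");
		die;
	}

	if (trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "") {
		$id = $oldid;
		$process = "";
		$_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
		$oldid = 0;
	}
}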
607
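// Contact form (form 11), sending step. Reached only when the validation
// handler above left $process non-empty. The message goes to the public
// support list when the form field "support" is "yes", and to the support
// address otherwise.
if ($oldid == 11 && $process != "") {
	$tosupportlist = (isset($_REQUEST['support']) && $_REQUEST['support'] == "yes");

	$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;

	// Subject and address are handed to sendmail() for use outside the body,
	// so line breaks are removed here as well as being rejected during
	// validation. NOTE(review): sendmail() is defined elsewhere; confirm how
	// it places these arguments in the message headers.
	$mailsubject = str_replace(array("\r", "\n"), "", $subject);
	$mailaddr = str_replace(array("\r", "\n"), "", $email);

	if ($tosupportlist) {
		// NOTE(review): the visitor's address shares an argument with the
		// list address; validate that it is a single address before use.
		sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$mailsubject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $mailaddr", "", "CAcert-Website");
		showheader(_("Welcome to CAcert.org"));
		echo _("Your message has been sent to the general support list.");
	} else {
		sendmail("support@cacert.org", "[CAcert.org] ".$mailsubject, $message, $mailaddr, "", "", "CAcert Support");
		showheader(_("Welcome to CAcert.org"));
		echo _("Your message has been sent.");
	}
	showfooter();
	exit;
}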
629
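// Default year placeholder for the signup form.
if (!array_key_exists('signup', $_SESSION) || $_SESSION['signup']['year'] < 1900) {
	$_SESSION['signup']['year'] = "19XX";
}

// Page 19 has moved to the wiki.
if ($id == 19) {
	// $_SERVER['HTTPS'] may be absent on plain HTTP, and some servers set it
	// to "off"; both count as http.
	$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
	$newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
	header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
	// Stop here: the original went on to render the page after sending the
	// redirect header.
	exit;
}

// Render the selected page between the site header and footer.
showheader(_("Welcome to CAcert.org"));
includeit($id);
showfooter();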
643 ?>