Source code taken from cacert-20110910.tar.bz2
[cacert.git] / www / index.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19
20 $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
21 $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
22 $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
23
24 if($id == 2)
25 $id = 0;
26
27 $_SESSION['_config']['errmsg'] = "";
28
29 if($id == 17 || $id == 20)
30 {
31 include_once("../pages/index/$id.php");
32 exit;
33 }
34
35 loadem("index");
36
37 $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
38
39 if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1)
40 {
41 $oldid = 0;
42 $id = 5;
43 }
44
45 if($oldid == 6 && $process != "")
46 {
47 $body = "";
48 $answers = 0;
49 $qs = array();
50 $id = $oldid;
51 $oldid = 0;
52 if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1'])
53 {
54 $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
55
56 if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1']))
57 $answers++;
58 $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n";
59 }
60 if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2'])
61 {
62 $_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
63
64 if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2']))
65 $answers++;
66 $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n";
67 }
68 if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3'])
69 {
70 $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
71
72 if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3']))
73 $answers++;
74 $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n";
75 }
76 if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4'])
77 {
78 $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
79
80 if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4']))
81 $answers++;
82 $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n";
83 }
84 if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5'])
85 {
86 $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
87
88 if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5']))
89 $answers++;
90 $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n";
91 }
92
93 $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1']))));
94 $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2']))));
95
96 if($answers < $_SESSION['lostpw']['total'] || $answers < 3)
97 {
98 $body = "Someone has just attempted to update the pass phrase on the following account:\n".
99 "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
100 "email: ".$_SESSION['lostpw']['user']['email']."\n".
101 "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
102 "---------------------------------------------------------------------\n".$body.
103 "---------------------------------------------------------------------\n";
104 sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
105 $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
106 $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
107 } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
108 $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
109 } else if(strlen($_SESSION['lostpw']['pw1']) < 6) {
110 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
111 } else {
112 $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
113 $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
114 if($score < 3)
115 {
116 $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
117 } else {
118 $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')
119 where `id`='".intval($_SESSION['lostpw']['user']['id'])."'";
120 mysql_query($query) || die(mysql_error());
121 showheader(_("Welcome to CAcert.org"));
122 echo _("Your Pass Phrase has been changed now. You can now login with your new password.");
123 showfooter();
124 exit;
125 }
126 }
127 }
128
129 if($oldid == 5 && $process != "")
130 {
131 $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
132 $_SESSION['lostpw']['day'] = intval($_REQUEST['day']);
133 $_SESSION['lostpw']['month'] = intval($_REQUEST['month']);
134 $_SESSION['lostpw']['year'] = intval($_REQUEST['year']);
135 $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day'];
136 $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
137 $res = mysql_query($query);
138 if(mysql_num_rows($res) <= 0)
139 {
140 $id = $oldid;
141 $oldid = 0;
142 $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
143 } else {
144 $id = 6;
145 $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
146 }
147 }
148
149 if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
150 {
151 include_once("../includes/lib/general.php");
152 $user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
153 $_SERVER['SSL_CLIENT_I_DN_CN']);
154
155 if($user_id >= 0)
156 {
157 $_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
158 "select * from `users` where
159 `id`='$user_id' and `deleted`=0 and `locked`=0"));
160
161 if($_SESSION['profile']['id'] != 0)
162 {
163 $_SESSION['profile']['loggedin'] = 1;
164 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
165 exit;
166 } else {
167 $_SESSION['profile']['loggedin'] = 0;
168 }
169 }
170 }
171
172 if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
173 {
174 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
175 exit;
176 }
177
178 function getOTP64($otp)
179 {
180 $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
181
182 for($i = 0; $i < 6; $i++)
183 $val[$i] = hexdec(substr($otp, $i * 2, 2));
184
185 $tmp1 = $val[0] >> 2;
186 $OTP = $lookupChar[$tmp1 & 63];
187 $tmp2 = $val[0] - ($tmp1 << 2);
188 $tmp1 = $val[1] >> 4;
189 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
190 $tmp2 = $val[1] - ($tmp1 << 4);
191 $tmp1 = $val[2] >> 6;
192 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
193 $tmp2 = $val[2] - ($tmp1 << 6);
194 $OTP .= $lookupChar[$tmp2 & 63];
195 $tmp1 = $val[3] >> 2;
196 $OTP .= $lookupChar[$tmp1 & 63];
197 $tmp2 = $val[3] - ($tmp1 << 2);
198 $tmp1 = $val[4] >> 4;
199 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
200 $tmp2 = $val[4] - ($tmp1 << 4);
201 $tmp1 = $val[5] >> 6;
202 $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
203 $tmp2 = $val[5] - ($tmp1 << 6);
204 $OTP .= $lookupChar[$tmp2 & 63];
205
206 return $OTP;
207 }
208
209 function getOTP32($otp)
210 {
211 $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
212
213 for($i = 0; $i < 7; $i++)
214 $val[$i] = hexdec(substr($otp, $i * 2, 2));
215
216 $tmp1 = $val[0] >> 3;
217 $OTP = $lookupChar[$tmp1 & 31];
218 $tmp2 = $val[0] - ($tmp1 << 3);
219 $tmp1 = $val[1] >> 6;
220 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
221 $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
222 $OTP .= $lookupChar[$tmp2 & 31];
223 $tmp2 = $val[1] - (($val[1] >> 1) << 1);
224 $tmp1 = $val[2] >> 4;
225 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
226 $tmp2 = $val[2] - ($tmp1 << 4);
227 $tmp1 = $val[3] >> 7;
228 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
229 $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
230 $OTP .= $lookupChar[$tmp2 & 31];
231 $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
232 $tmp1 = $val[4] >> 5;
233 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
234 $tmp2 = $val[4] - ($tmp1 << 5);
235 $OTP .= $lookupChar[$tmp2 & 31];
236 $tmp1 = $val[5] >> 3;
237 $OTP .= $lookupChar[$tmp1 & 31];
238 $tmp2 = $val[5] - ($tmp1 << 3);
239 $tmp1 = $val[6] >> 6;
240 $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
241
242 return $OTP;
243 }
244
245 if($oldid == 4)
246 {
247 $oldid = 0;
248 $id = 4;
249
250 $_SESSION['_config']['errmsg'] = "";
251
252 $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
253 $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
254 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
255 `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
256 $res = mysql_query($query);
257 if(mysql_num_rows($res) <= 0)
258 {
259 $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
260 $otpres = mysql_query($otpquery);
261 if(mysql_num_rows($otpres) > 0)
262 {
263 $otp = mysql_fetch_assoc($otpres);
264 $otphash = $otp['otphash'];
265 $otppin = $otp['otppin'];
266 if(strlen($pword) == 6)
267 {
268 $matchperiod = 18;
269 $time = round(gmdate("U") / 10);
270 } else {
271 $matchperiod = 3;
272 $time = round(gmdate("U") / 60);
273 }
274
275 $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
276 mysql_query($query);
277
278 $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
279 if(mysql_num_rows(mysql_query($query)) <= 0)
280 {
281 $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
282 mysql_query($query);
283 for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
284 {
285 if($otppin > 0)
286 $tmpmd5 = md5("$i$otphash$otppin");
287 else
288 $tmpmd5 = md5("$i$otphash");
289
290 if(strlen($pword) == 6)
291 $md5 = substr(md5("$i$otphash"), 0, 6);
292 else if(strlen($pword) == 8)
293 $md5 = getOTP64(md5("$i$otphash"));
294 else
295 $md5 = getOTP32(md5("$i$otphash"));
296
297 if($pword == $md5)
298 $res = mysql_query($otpquery);
299 }
300 }
301 }
302 }
303 if(mysql_num_rows($res) > 0)
304 {
305 $_SESSION['profile'] = "";
306 unset($_SESSION['profile']);
307 $_SESSION['profile'] = mysql_fetch_assoc($res);
308 $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
309 mysql_query($query);
310
311 if($_SESSION['profile']['language'] == "")
312 {
313 $query = "update `users` set `language`='".$_SESSION['_config']['language']."'
314 where `id`='".$_SESSION['profile']['id']."'";
315 mysql_query($query);
316 } else {
317 $_SESSION['_config']['language'] = $_SESSION['profile']['language'];
318
319 putenv("LANG=".$_SESSION['_config']['language']);
320 setlocale(LC_ALL, $_SESSION['_config']['language']);
321
322 $domain = 'messages';
323 bindtextdomain("$domain", $_SESSION['_config']['filepath']."/locale");
324 textdomain("$domain");
325 }
326 $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
327 $res = mysql_query($query);
328 $row = mysql_fetch_assoc($res);
329 $_SESSION['profile']['points'] = $row['total'];
330 $_SESSION['profile']['loggedin'] = 1;
331 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
332 $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
333 $_SESSION['profile']['Q5'] == "")
334 {
335 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
336 $_SESSION['_config']['oldlocation'] = "account.php?id=13";
337 }
338 if (checkpwlight($pword) < 3)
339 $_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
340 if($_SESSION['_config']['oldlocation'] != "")
341 header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
342 else
343 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
344 exit;
345 }
346
347 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
348 `password`=password('$pword')) and `verified`=0 and `deleted`=0";
349 $res = mysql_query($query);
350 if(mysql_num_rows($res) <= 0)
351 {
352 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
353 } else {
354 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
355 }
356 }
357
358 if($process && $oldid == 1)
359 {
360 $id = 2;
361 $oldid = 0;
362
363 $_SESSION['_config']['errmsg'] = "";
364
365 $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email']))));
366 $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname']))));
367 $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname']))));
368 $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname']))));
369 $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix']))));
370 $_SESSION['signup']['day'] = intval($_REQUEST['day']);
371 $_SESSION['signup']['month'] = intval($_REQUEST['month']);
372 $_SESSION['signup']['year'] = intval($_REQUEST['year']);
373 $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1'])));
374 $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2'])));
375 $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
376 $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2']))));
377 $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3']))));
378 $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4']))));
379 $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5']))));
380 $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1']))));
381 $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2']))));
382 $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3']))));
383 $_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
384 $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
385 $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0);
386 $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0);
387 $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0);
388 $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0);
389 $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0);
390
391
392 if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] ||
393 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] ||
394 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] ||
395 $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] ||
396 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] ||
397 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] ||
398 $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] ||
399 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] ||
400 $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] ||
401 $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] ||
402 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] ||
403 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] ||
404 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] ||
405 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] ||
406 $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] ||
407 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] ||
408 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] ||
409 $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] ||
410 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] ||
411 $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] ||
412 $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] ||
413 $_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] ||
414 $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] ||
415 $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] ||
416 $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] ||
417 $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] ||
418 $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] ||
419 $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] ||
420 $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] ||
421 $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] ||
422 $_SESSION['signup']['A4'] == $_SESSION['signup']['A5'])
423 {
424 $id = 1;
425 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
426 }
427
428 if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" ||
429 $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" ||
430 $_SESSION['signup']['Q5'] == "")
431 {
432 $id = 1;
433 $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
434 }
435 if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "")
436 {
437 $id = 1;
438 $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
439 }
440 if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 ||
441 $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 ||
442 !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) ||
443 mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() )
444 {
445 $id = 1;
446 $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
447 }
448 if($_SESSION['signup']['cca_agree'] == "0")
449 {
450 $id = 1;
451 $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community agreement.")."<br>\n";
452 }
453 if($_SESSION['signup']['email'] == "")
454 {
455 $id = 1;
456 $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
457 }
458 if($_SESSION['signup']['pword1'] == "")
459 {
460 $id = 1;
461 $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
462 }
463 if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2'])
464 {
465 $id = 1;
466 $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
467 }
468
469 $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
470 if($score < 3)
471 {
472 $id = 1;
473 $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6.");
474 }
475
476 if($id == 2)
477 {
478 $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
479 $res1 = mysql_query($query);
480
481 $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
482 $res2 = mysql_query($query);
483 if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
484 {
485 $id = 1;
486 $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
487 }
488
489 $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
490 $res = mysql_query($query);
491 if(mysql_num_rows($res) > 0)
492 {
493 $domain = mysql_fetch_assoc($res);
494 $domain = $domain['domain'];
495 $id = 1;
496 $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
497 }
498 }
499
500 if($id == 2)
501 {
502 $checkemail = checkEmail($_SESSION['signup']['email']);
503 if($checkemail != "OK")
504 {
505 $id = 1;
506 if (substr($checkemail, 0, 1) == "4")
507 {
508 $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.");
509 } else {
510 $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
511 }
512 $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
513 }
514 }
515
516 if($id == 2)
517 {
518 $hash = make_hash();
519
520 $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',
521 `password`=sha1('".$_SESSION['signup']['pword1']."'),
522 `fname`='".$_SESSION['signup']['fname']."',
523 `mname`='".$_SESSION['signup']['mname']."',
524 `lname`='".$_SESSION['signup']['lname']."',
525 `suffix`='".$_SESSION['signup']['suffix']."',
526 `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',
527 `Q1`='".$_SESSION['signup']['Q1']."',
528 `Q2`='".$_SESSION['signup']['Q2']."',
529 `Q3`='".$_SESSION['signup']['Q3']."',
530 `Q4`='".$_SESSION['signup']['Q4']."',
531 `Q5`='".$_SESSION['signup']['Q5']."',
532 `A1`='".$_SESSION['signup']['A1']."',
533 `A2`='".$_SESSION['signup']['A2']."',
534 `A3`='".$_SESSION['signup']['A3']."',
535 `A4`='".$_SESSION['signup']['A4']."',
536 `A5`='".$_SESSION['signup']['A5']."',
537 `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))";
538 mysql_query($query);
539 $memid = mysql_insert_id();
540 $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',
541 `hash`='$hash',
542 `created`=NOW(),
543 `memid`='$memid'";
544 mysql_query($query);
545 $emailid = mysql_insert_id();
546 $query = "insert into `alerts` set `memid`='$memid',
547 `general`='".$_SESSION['signup']['general']."',
548 `country`='".$_SESSION['signup']['country']."',
549 `regional`='".$_SESSION['signup']['regional']."',
550 `radius`='".$_SESSION['signup']['radius']."'";
551 mysql_query($query);
552
553 $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
554 $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n"; //."&"."lang=".$_SESSION['_config']['language']."\n\n";
555 $body .= _("Best regards")."\n"._("CAcert.org Support!");
556
557 sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
558 foreach($_SESSION['signup'] as $key => $val)
559 $_SESSION['signup'][$key] = "";
560 unset($_SESSION['signup']);
561 }
562 }
563
564 if($oldid == 11 && $process != "")
565 {
566 $who = stripslashes($_REQUEST['who']);
567 $email = stripslashes($_REQUEST['email']);
568 $subject = stripslashes($_REQUEST['subject']);
569 $message = stripslashes($_REQUEST['message']);
570 $secrethash = $_REQUEST['secrethash2'];
571
572 if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
573 {
574 $id = $oldid;
575 $process = "";
576 $_SESSION['_config']['errmsg'] = _("This seems like you have cookies or Javascript disabled, cannot continue.");
577 $oldid = 0;
578
579 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
580 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
581 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
582 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
583 echo _("This seems like you have cookies or Javascript disabled, cannot continue.");
584 die;
585 }
586 if(strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") )
587 {
588 $id = $oldid;
589 $process = "";
590 $_SESSION['_config']['errmsg'] = _("This seems like potential spam, cannot continue.");
591 $oldid = 0;
592
593 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
594 sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support");
595 //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>";
596 //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. ".$_SESSION['_config']['secrethash']."\n";
597 echo _("This seems like potential spam, cannot continue.");
598 die;
599 }
600
601
602 if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "")
603 {
604 $id = $oldid;
605 $process = "";
606 $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n";
607 $oldid = 0;
608 }
609 }
610
611 if($oldid == 11 && $process != "" && $_REQUEST['support'] != "yes")
612 {
613 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
614
615 sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
616 showheader(_("Welcome to CAcert.org"));
617 echo _("Your message has been sent.");
618 showfooter();
619 exit;
620 }
621
622 if($oldid == 11 && $process != "" && $_REQUEST['support'] == "yes")
623 {
624 $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
625
626 sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
627 showheader(_("Welcome to CAcert.org"));
628 echo _("Your message has been sent to the general support list.");
629 showfooter();
630 exit;
631 }
632
633 if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)
634 $_SESSION['signup']['year'] = "19XX";
635
636 if ($id == 19)
637 {
638 $protocol = $_SERVER['HTTPS'] ? 'https' : 'http';
639 $newUrl = $protocol . '://wiki.cacert.org/FAQ/Privileges';
640 header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
641 }
642
643 showheader(_("Welcome to CAcert.org"));
644 includeit($id);
645 showfooter();
646 ?>