cacert-webdb/tverify/index/0.php

<?
	$continue = 1;
	//Checking for Thawte Freemail members, who aren´t notaries
	if($_SERVER['SSL_CLIENT_S_DN_CN'] == 'Thawte Freemail Member')
	{
		$continue = 0;
		echo _("I wasn't able to locate your name on your certificate, as such you can't continue with this process.");
	}

	//Extracting the Email address from the certificate that is presented, looking up the email in the database to find the user that has registered it.
	if($continue == 1)
	{
		$addy = array();
		$emails = explode("/", trim($_SERVER['SSL_CLIENT_S_DN']));
		foreach($emails as $email)
		{
			$bits = explode("=", $email);
			if($bits['0'] == "emailAddress")
			{
				$query = "select * from `email` where `email`='".$bits['1']."' and `deleted`=0 and hash=''";
				$account = mysql_query($query);
				if(mysql_num_rows($account))
					$addy[] = $bits['1'];
			}
		}
	}

	//Verifying that we found a record with that email address
	if(count($addy) <= 0 && $continue == 1)
	{
		$continue = 0;
		echo _("I wasn't able to match any email accounts on your certificate to any accounts in our database, as such I can't continue with this process.");
	}

	//If we found one, we extract the member-id from the sql result of the query we did above, and fetch the name of that user
	if($continue == 1)
	{
		$row = mysql_fetch_assoc($account);
		$memid = $row['memid'];

		$tverifybits = explode(" ", trim(strtr($_SERVER['SSL_CLIENT_S_DN_G'],",.","")), 2);

                //Fetching the name of the user we have in the database:
                $query = "select `fname`, `mname`, `lname`, `suffix` from `users` where `id`='$memid' and `deleted`=0";
 		$res = mysql_query($query);
 		$row = mysql_fetch_assoc($res);

		//Building the user´s name, and ignoring punctuation
		$cacert_name=$row['fname']." ".$row['mname']." ".$row['lname']." ".$row['suffix'];
		$cacert_name=strtr($cacert_name,",.","");
		$cacert_name=trim(str_replace("  ", " ", $cacert_name));

		//Generate a short name form without the middle name
		$cacert_short_name=$row['fname']." ".$row['lname']." ".$row['suffix'];
		$cacert_short_name=strtr($cacert_short_name,",.","");
		$cacert_short_name=trim(str_replace("  ", " ", $cacert_short_name));

		$firstname = trim($tverifybits['0']);
		$lastname = trim($_SERVER['SSL_CLIENT_S_DN_S']);
		$tverify_name=strtr("$firstname $lastname",",.","");

		if(($cacert_name != $tverify_name) and ($cacert_short_name == $tverify_name))
		{
			$continue = 0;
			printf(_("Your CAcert account contains a middle name (%s), but we cannot verify this middle name with the certificate."),$row['mname']);

		}

		if($cacert_name != $tverify_name)
		{
			$continue = 0;
			printf(_("The name and email address on your certificate (%s) could not be exactly matched to any stored in our database (%s), as such I'm not able to continue with this process."),$tverify_name,$cacert_name);
		}
	}

	if($_SERVER['SSL_CLIENT_VERIFY'] == "SUCCESS" && $continue == 1)
	{
		$_SESSION['_config']['uid'] = $row['memid'];
		$_SESSION['_config']['CN'] = trim($_SERVER['SSL_CLIENT_S_DN']);
?>
<p style="border:dotted 1px #900;padding:0.3em;background-color:#ffe;">
<?=_("By just submitting your Thawte certificate you can be issued 50 points automatically to any matching account in the system that you operate.")?><br>
<?=_("To receive an additional 40 points you must also include a valid link to your notary listing on the Thawte website.")?><br>
<?=_("If you meet the above criteria you are also elligible to receive an additional 60 points by submitting a legible government issued copy of your photo ID. If details on your photo ID aren't legible you may be excluded from receiving these points.")?></p>
<? if($_SESSION['_config']['errmsg'] != "") { ?><p>&nbsp;</p><p style="border:dotted 1px #900;padding:0.3em;background-color:#ffe;"><?
	echo $_SESSION['_config']['errmsg']."</p>";
	unset($_SESSION['_config']['errmsg']);
} ?>
<form method="post" action="index.php" enctype="multipart/form-data">
<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
  <tr>
    <td colspan="2" class="title"><?=_("Points Transfer and Verification")?></td>
  </tr>
  <tr>
    <td class="DataTD" width="125"><?=_("Email Address")?>: </td>
    <td class="DataTD" width="125"><input type="text" name="email" value="<?=$row['email']?>"></td>
  </tr>
  <tr>
    <td class="DataTD" width="125"><?=_("Notary URL")?>: </td>
    <td class="DataTD" width="125"><input type="text" name="notaryURL" value="<?=htmlentities($_POST['notaryURL'])?>"></td>
  </tr>
  <tr>
    <td class="DataTD" width="125"><?=_("Photo ID")?>: </td>
    <td class="DataTD" width="125"><input type="file" name="photoid"></td>
  </tr>
  <tr> 
    <td class="DataTD"><?=_("Pass Phrase")?>: </td>
    <td class="DataTD"><input type="password" name="pword"></td>
  </tr> 
  <tr>
    <td class="DataTD" colspan="2"><input type="submit" name="process" value="<?=_("Submit Application for Points Transfer")?>"></td>
  </tr>

</table>     
<input type="hidden" name="id" value="1">
</form> 
<?	} else if($continue == 1) {
		echo _("1I'm sorry, I couldn't verify your certificate");
	}
?>
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+								<?
-												typo

											
										
										
											2006-08-07 19:59:27 +00:00
+									$continue = 1;
-												Added some comments and improved the Name handling of TVerify

											
										
										
											2007-05-19 18:01:21 +00:00
+									//Checking for Thawte Freemail members, who aren´t notaries
-												typo

											
										
										
											2006-08-07 19:59:27 +00:00
+									if($_SERVER['SSL_CLIENT_S_DN_CN'] == 'Thawte Freemail Member')
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+									{
 										$continue = 0;
 										echo _("I wasn't able to locate your name on your certificate, as such you can't continue with this process.");
 									}
-												Added some comments and improved the Name handling of TVerify

											
										
										
											2007-05-19 18:01:21 +00:00
+									//Extracting the Email address from the certificate that is presented, looking up the email in the database to find the user that has registered it.
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+									if($continue == 1)
 									{
 										$addy = array();
-												typo

											
										
										
											2006-08-07 19:59:27 +00:00
+										$emails = explode("/", trim($_SERVER['SSL_CLIENT_S_DN']));
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+										foreach($emails as $email)
 										{
 											$bits = explode("=", $email);
-												typo

											
										
										
											2006-08-07 19:59:27 +00:00
+											if($bits['0'] == "emailAddress")
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+											{
-												typo

											
										
										
											2006-08-07 19:59:27 +00:00
+												$query = "select * from `email` where `email`='".$bits['1']."' and `deleted`=0 and hash=''";
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+												$account = mysql_query($query);
 												if(mysql_num_rows($account))
-												typo

											
										
										
											2006-08-07 19:59:27 +00:00
+													$addy[] = $bits['1'];
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+											}
 										}
 									}
-												Added some comments and improved the Name handling of TVerify

											
										
										
											2007-05-19 18:01:21 +00:00
+									//Verifying that we found a record with that email address
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+									if(count($addy) <= 0 && $continue == 1)
 									{
 										$continue = 0;
 										echo _("I wasn't able to match any email accounts on your certificate to any accounts in our database, as such I can't continue with this process.");
 									}
-												Added some comments and improved the Name handling of TVerify

											
										
										
											2007-05-19 18:01:21 +00:00
+									//If we found one, we extract the member-id from the sql result of the query we did above, and fetch the name of that user
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+									if($continue == 1)
 									{
 										$row = mysql_fetch_assoc($account);
 										$memid = $row['memid'];
-												Added some comments and improved the Name handling of TVerify

											
										
										
											2007-05-19 18:01:21 +00:00
+										$tverifybits = explode(" ", trim(strtr($_SERVER['SSL_CLIENT_S_DN_G'],",.","")), 2);
 								                //Fetching the name of the user we have in the database:
 								                $query = "select `fname`, `mname`, `lname`, `suffix` from `users` where `id`='$memid' and `deleted`=0";
 								 		$res = mysql_query($query);
 								 		$row = mysql_fetch_assoc($res);
 										//Building the user´s name, and ignoring punctuation
 										$cacert_name=$row['fname']." ".$row['mname']." ".$row['lname']." ".$row['suffix'];
 										$cacert_name=strtr($cacert_name,",.","");
 										$cacert_name=trim(str_replace("  ", " ", $cacert_name));
 										//Generate a short name form without the middle name
 										$cacert_short_name=$row['fname']." ".$row['lname']." ".$row['suffix'];
 										$cacert_short_name=strtr($cacert_short_name,",.","");
 										$cacert_short_name=trim(str_replace("  ", " ", $cacert_short_name));
 										$firstname = trim($tverifybits['0']);
-												typo

											
										
										
											2006-08-07 19:59:27 +00:00
+										$lastname = trim($_SERVER['SSL_CLIENT_S_DN_S']);
-												Added some comments and improved the Name handling of TVerify

											
										
										
											2007-05-19 18:01:21 +00:00
+										$tverify_name=strtr("$firstname $lastname",",.","");
 										if(($cacert_name != $tverify_name) and ($cacert_short_name == $tverify_name))
 										{
 											$continue = 0;
 											printf(_("Your CAcert account contains a middle name (%s), but we cannot verify this middle name with the certificate."),$row['mname']);
 										}
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
-												Added some comments and improved the Name handling of TVerify

											
										
										
											2007-05-19 18:01:21 +00:00
+										if($cacert_name != $tverify_name)
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+										{
 											$continue = 0;
-												Added some comments and improved the Name handling of TVerify

											
										
										
											2007-05-19 18:01:21 +00:00
+											printf(_("The name and email address on your certificate (%s) could not be exactly matched to any stored in our database (%s), as such I'm not able to continue with this process."),$tverify_name,$cacert_name);
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+										}
 									}
-												typo

											
										
										
											2006-08-07 19:59:27 +00:00
+									if($_SERVER['SSL_CLIENT_VERIFY'] == "SUCCESS" && $continue == 1)
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+									{
 										$_SESSION['_config']['uid'] = $row['memid'];
-												typo

											
										
										
											2006-08-07 19:59:27 +00:00
+										$_SESSION['_config']['CN'] = trim($_SERVER['SSL_CLIENT_S_DN']);
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+								?>
 								<p style="border:dotted 1px #900;padding:0.3em;background-color:#ffe;">
 								<?=_("By just submitting your Thawte certificate you can be issued 50 points automatically to any matching account in the system that you operate.")?><br>
 								<?=_("To receive an additional 40 points you must also include a valid link to your notary listing on the Thawte website.")?><br>
 								<?=_("If you meet the above criteria you are also elligible to receive an additional 60 points by submitting a legible government issued copy of your photo ID. If details on your photo ID aren't legible you may be excluded from receiving these points.")?></p>
 								<? if($_SESSION['_config']['errmsg'] != "") { ?><p>&nbsp;</p><p style="border:dotted 1px #900;padding:0.3em;background-color:#ffe;"><?
 									echo $_SESSION['_config']['errmsg']."</p>";
 									unset($_SESSION['_config']['errmsg']);
 								} ?>
 								<form method="post" action="index.php" enctype="multipart/form-data">
 								<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
 								  <tr>
 								    <td colspan="2" class="title"><?=_("Points Transfer and Verification")?></td>
 								  </tr>
 								  <tr>
 								    <td class="DataTD" width="125"><?=_("Email Address")?>: </td>
 								    <td class="DataTD" width="125"><input type="text" name="email" value="<?=$row['email']?>"></td>
 								  </tr>
 								  <tr>
 								    <td class="DataTD" width="125"><?=_("Notary URL")?>: </td>
-												Fixed XSS exploit #8 from ascii

											
										
										
											2007-03-28 17:16:33 +00:00
+								    <td class="DataTD" width="125"><input type="text" name="notaryURL" value="<?=htmlentities($_POST['notaryURL'])?>"></td>
-												new code + updates and bug fixes

											
										
										
											2005-03-12 19:40:24 +00:00
+								  </tr>
 								  <tr>
 								    <td class="DataTD" width="125"><?=_("Photo ID")?>: </td>
 								    <td class="DataTD" width="125"><input type="file" name="photoid"></td>
 								  </tr>
 								  <tr>
 								    <td class="DataTD"><?=_("Pass Phrase")?>: </td>
 								    <td class="DataTD"><input type="password" name="pword"></td>
 								  </tr>
 								  <tr>
 								    <td class="DataTD" colspan="2"><input type="submit" name="process" value="<?=_("Submit Application for Points Transfer")?>"></td>
 								  </tr>
 								</table>
 								<input type="hidden" name="id" value="1">
 								</form>
 								<?	} else if($continue == 1) {
 										echo _("1I'm sorry, I couldn't verify your certificate");
 									}
 								?>