cacert-webdb/www/index.php


<? /*
Copyright (C) 2004 by Duane Groth <duane_at_CAcert_dot_org>
This file is part of CAcert.
CAcert has been released under the CAcert Source License
which can be found included with these source files or can
be downloaded from the internet from the following address:
http://www.cacert.org/src-lic.php
CAcert is distributed WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the License for more details.
*/ ?>
<?
// Walk the request parameters. As written, each pass only overwrites the loop
// variable $key with the submitted value; no other variable is assigned here.
// NOTE(review): later sections read bare globals such as $Q1, $A1, $day and
// $fname. They presumably arrive through register_globals or an equivalent
// import that is not visible in this listing -- confirm, because any such
// import lets a request pre-seed variables that this script then trusts.
foreach ($_REQUEST as $key => $val) {
    $key = $val;
}

// Page selectors are forced to integers before any use.
$id = (int) $_REQUEST['id'];
$_REQUEST['oldid'] = (int) $_REQUEST['oldid'];

// Pages 17 and 20 are served directly and the script stops before loadem().
// The include path is built from $id, which at this point is an integer that
// has just been matched against these two values.
if (in_array($id, array(17, 20), true)) {
    include_once("index/$id.php");
    exit;
}

loadem("index");

// HTTP_HOST comes from the request's Host header, i.e. it is chosen by the client.
$_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST'];
// The answer page (6) is only reachable once the email / date-of-birth step has
// stored a user row in the session. Without one, drop the submitted step and
// show page 5 instead.
if (($id == 6 || $_REQUEST['oldid'] == 6) && (int) $_SESSION['lostpw']['user']['id'] <= 0) {
    $id = 5;
    unset($_REQUEST['oldid']);
}
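// Lost pass phrase, step 2: check the submitted security answers and, if they
// are all correct, store the new pass phrase.
if ($_REQUEST['oldid'] == 6 && $_REQUEST['process'] != "") {
    $body = "";
    $answers = 0;
    $qs = array();

    $id = $_REQUEST['oldid'];
    unset($_REQUEST['oldid']);

    // $Q1..$Q5 and $A1..$A5 are read as bare globals; where they are populated
    // is not visible in this section.
    // NOTE(review): stripslashes() on raw input presumably compensates for
    // magic_quotes_gpc -- confirm against the PHP configuration in use.
    for ($n = 1; $n <= 5; $n++) {
        if (!${"Q$n"}) {
            continue;
        }
        $slot = "A$n";
        $_SESSION['lostpw'][$slot] = trim(mysql_escape_string(stripslashes(${$slot})));
        $entered = stripslashes(strtolower($_SESSION['lostpw'][$slot]));
        $stored = strtolower($_SESSION['lostpw']['user'][$slot]);
        // Strict comparison: with == two different numeric-looking strings
        // (for example "10" and "1e1") compare as equal. A blank stored answer
        // never counts, so an empty submission cannot satisfy an unset answer.
        if ($stored !== "" && $entered === $stored) {
            $answers++;
        }
        $body .= "System: ".$_SESSION['lostpw']['user'][$slot]."\nEntered: ".stripslashes($_SESSION['lostpw'][$slot])."\n";
    }

    // NOTE(review): both pass phrases stay in the session after this request,
    // whatever the outcome.
    $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes($_REQUEST['newpass1'])));
    $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes($_REQUEST['newpass2'])));

    // $_SESSION['lostpw']['total'] is set outside this section; it is compared
    // here as the number of correct answers required.
    if ($answers < $_SESSION['lostpw']['total'] || $answers < 1) {
        // Failed attempt: report it to support. The requested pass phrase is
        // deliberately not included -- a legitimate user who mistypes one answer
        // would otherwise have the pass phrase they are about to use delivered
        // to a shared mailbox in clear text.
        // NOTE(review): the "System:" lines collected above still put the stored
        // answers into this mail; consider whether support needs them.
        // NOTE(review): nothing in this section limits the number of attempts.
        $body = "Someone has just attempted to update the pass phrase on the following account:\n".
            "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
            "email: ".$_SESSION['lostpw']['user']['email']."\n".
            "IP/Hostname: ".$_SERVER['REMOTE_ADDR']."/".$_SERVER['REMOTE_HOST']."\n".
            "---------------------------------------------------------------------\n".$body.
            "---------------------------------------------------------------------\n";
        sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body,
            $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']);
        $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified.");
    } else if ($_SESSION['lostpw']['pw1'] !== $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") {
        // !== so that two different numeric-looking pass phrases are not
        // treated as matching.
        $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank.");
    } else if (strlen($_SESSION['lostpw']['pw1']) < 6) {
        // Length is measured on the escaped value, so escaped characters count twice.
        $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters.");
    } else {
        $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'],
            $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']);
        if ($score < 3) {
            $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
        } else {
            // pw1 was escaped above; the id comes from the row loaded in the
            // email / date-of-birth step. The hash is an unsalted SHA-1 computed
            // inside MySQL, so the pass phrase is part of the query text.
            $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."')\n"
                . "where `id`='".$_SESSION['lostpw']['user']['id']."'";
            // NOTE(review): on failure the raw database error is shown to the visitor.
            mysql_query($query) || die(mysql_error());
            showheader(_("Welcome to CAcert.org"));
            // NOTE(review): no notification mail is sent in this section although
            // the message says so -- confirm where it is sent.
            echo _("Your Pass Phrase has been updated and your primary email account has been notified of the change.");
            showfooter();
            exit;
        }
    }
}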
// Lost pass phrase, step 1: find the account by email address and date of birth.
if ($_REQUEST['oldid'] == 5 && $_REQUEST['process'] != "") {
    $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes($_REQUEST['email'])));
    $email = $_SESSION['lostpw']['email'];

    // $day, $month and $year are read as bare globals and forced to integers,
    // so $dob can only contain digits, minus signs and the joining dashes.
    $_SESSION['lostpw']['day'] = intval($day);
    $_SESSION['lostpw']['month'] = intval($month);
    $_SESSION['lostpw']['year'] = intval($year);
    $dob = implode("-", array(
        $_SESSION['lostpw']['year'],
        $_SESSION['lostpw']['month'],
        $_SESSION['lostpw']['day'],
    ));

    // NOTE(review): unlike the pass phrase login query further down, this lookup
    // does not filter on `verified` or `deleted` -- confirm that is intended.
    $query = "select * from `users` where `email`='$email' and `dob`='$dob'";
    $res = mysql_query($query);
    if (mysql_num_rows($res) > 0) {
        // Match: the complete row (select *) is kept in the session for the
        // answer check on page 6.
        $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res);
        $id = 6;
    } else {
        // No match: stay on this page; the message does not say which of the
        // two values was wrong.
        $id = $_REQUEST['oldid'];
        unset($_REQUEST['oldid']);
        $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file");
    }
}
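// Login with a client certificate; only attempted on the configured secure host name.
if ($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname']) {
    // The serial is whatever the web server exports for the presented client
    // certificate. It is escaped before it goes into the SQL text, like every
    // other value in this file, and a request without a serial is not looked up
    // at all, so it can never match a row whose `serial` column is empty.
    // NOTE(review): the lookup matches on the serial alone; whether the web
    // server only accepts client certificates issued by this CA is not visible
    // here -- confirm in the TLS configuration.
    $serial = isset($_SERVER['SSL_CLIENT_M_SERIAL']) ? mysql_escape_string($_SERVER['SSL_CLIENT_M_SERIAL']) : "";
    if ($serial !== "") {
        $query = "select * from `emailcerts` where `serial`='$serial' and `revoked`=0 and\n"
            . "UNIX_TIMESTAMP(`expire`) - UNIX_TIMESTAMP() > 0";
        $res = mysql_query($query);
        if (mysql_num_rows($res) > 0) {
            $row = mysql_fetch_assoc($res);
            // memid comes from the certificate row that was just read from the database.
            $_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$row[memid]' and `deleted`=0"));
            if ($_SESSION['profile']['id'] != 0) {
                $_SESSION['profile']['loggedin'] = 1;
                // HTTP_HOST was compared with the configured secure host name above.
                header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
                exit;
            } else {
                $_SESSION['profile']['loggedin'] = 0;
            }
        }
    }
}

// Already logged in: go straight to the account page.
// NOTE(review): this redirect uses the Host header as sent by the client; it is
// not compared with a configured host name in this branch.
if ($id == 4 && $_SESSION['profile']['loggedin'] == 1) {
    header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
    exit;
}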
// Login with email address and pass phrase.
if ($_REQUEST['oldid'] == 4) {
    unset($_REQUEST['oldid']);
    $id = 4;
    $_SESSION['_config']['errmsg'] = "";

    $email = mysql_escape_string(stripslashes(trim($_REQUEST['email'])));
    $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));

    // The pass phrase is hashed inside MySQL, so it is part of the query text.
    // Three hash formats are accepted: old_password(), sha1() and password().
    // NOTE(review): all three are unsalted; nothing in this section throttles
    // repeated attempts.
    $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or\n"
        . "`password`=password('$pword')) and `verified`=1 and `deleted`=0";
    $res = mysql_query($query);
    if (mysql_num_rows($res) > 0) {
        // Replace any previous profile with the row that just matched.
        // NOTE(review): the session id is not regenerated anywhere in this section.
        $_SESSION['profile'] = "";
        unset($_SESSION['profile']);
        $_SESSION['profile'] = mysql_fetch_assoc($res);

        // Every successful login rewrites the stored hash as sha1(), whichever
        // of the three formats matched.
        $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
        mysql_query($query);

        if ($_SESSION['profile']['language'] != "") {
            // The account's stored language overrides the session language.
            $_SESSION['_config']['language'] = $_SESSION['profile']['language'];
            putenv("LANG=".$_SESSION['_config']['language']);
            setlocale(LC_ALL, $_SESSION['_config']['language']);
            $domain = 'messages';
            bindtextdomain($domain, $_SESSION['_config']['filepath']."/locale");
            textdomain($domain);
        } else {
            // No stored language yet: remember the one used in this session.
            $query = "update `users` set `language`='".$_SESSION['_config']['language']."'\n"
                . "where `id`='".$_SESSION['profile']['id']."'";
            mysql_query($query);
        }

        // Sum of the points recorded for this account in `notary`.
        $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
        $res = mysql_query($query);
        $row = mysql_fetch_assoc($res);
        $_SESSION['profile']['points'] = $row['total'];
        $_SESSION['profile']['loggedin'] = 1;

        // Accounts without all five questions are sent to account.php?id=13.
        if (!($_SESSION['profile']['Q1'] != "" && $_SESSION['profile']['Q2'] != "" &&
            $_SESSION['profile']['Q3'] != "" && $_SESSION['profile']['Q4'] != "" &&
            $_SESSION['profile']['Q5'] != "")) {
            $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
            $_SESSION['_config']['oldlocation'] = "account.php?id=13";
        }

        // `oldlocation` is appended after "https://<Host header>/"; apart from
        // the assignment just above, its value is set outside this section.
        header("location: https://".$_SERVER['HTTP_HOST']."/".
            ($_SESSION['_config']['oldlocation'] != "" ? $_SESSION['_config']['oldlocation'] : "account.php"));
        exit;
    }

    // Same message whether the address or the pass phrase was wrong.
    $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
}
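// Signup. $id stays 2 only while every check passes; any failure sets it back
// to 1 and adds a message to errmsg.
if ($_REQUEST['process'] && $_REQUEST['oldid'] == 1) {
    $id = 2;
    unset($_REQUEST['oldid']);
    $_SESSION['_config']['errmsg'] = "";

    $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes($_REQUEST['email'])));

    // The remaining text fields are read as bare globals of the same name;
    // where they are populated is not visible in this section. Each one is
    // unslashed, escaped for SQL and trimmed before it is kept in the session.
    // NOTE(review): this keeps both pass phrases in the session; they are only
    // cleared at the end of a successful signup.
    $textfields = array('fname', 'mname', 'lname', 'suffix', 'pword1', 'pword2',
        'Q1', 'Q2', 'Q3', 'Q4', 'Q5', 'A1', 'A2', 'A3', 'A4', 'A5');
    foreach ($textfields as $field) {
        $_SESSION['signup'][$field] = trim(mysql_escape_string(stripslashes($$field)));
    }

    $_SESSION['signup']['day'] = intval($day);
    $_SESSION['signup']['month'] = intval($month);
    $_SESSION['signup']['year'] = intval($year);

    $_SESSION['signup']['general'] = intval($_POST['general']);
    $_SESSION['signup']['country'] = intval($_POST['country']);
    $_SESSION['signup']['regional'] = intval($_POST['regional']);
    $_SESSION['signup']['radius'] = intval($_POST['radius']);

    // All five questions AND all five answers are required, as the message
    // says. A blank answer would otherwise be stored as a recovery secret.
    $missing = false;
    for ($n = 1; $n <= 5; $n++) {
        if ($_SESSION['signup']["Q$n"] == "" || $_SESSION['signup']["A$n"] == "") {
            $missing = true;
        }
    }
    if ($missing) {
        $id = 1;
        $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n";
    }
    if ($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "") {
        $id = 1;
        $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n";
    }
    // checkdate() rejects out-of-range months and days as well as dates that do
    // not exist (31 February); the date of birth is later used to find the
    // account in the lost pass phrase lookup.
    if ($_SESSION['signup']['year'] < 1900 ||
        !checkdate($_SESSION['signup']['month'], $_SESSION['signup']['day'], $_SESSION['signup']['year'])) {
        $id = 1;
        $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n";
    }
    if ($_SESSION['signup']['email'] == "") {
        $id = 1;
        $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n";
    }
    if ($_SESSION['signup']['pword1'] == "") {
        $id = 1;
        $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n";
    }
    // !== so that two different numeric-looking pass phrases are not treated as equal.
    if ($_SESSION['signup']['pword1'] !== $_SESSION['signup']['pword2']) {
        $id = 1;
        $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n";
    }

    $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']);
    if ($score < 3) {
        $id = 1;
        // The score goes in through sprintf() so that the message id passed to
        // gettext is constant, and the message is appended like the others
        // instead of replacing them.
        $_SESSION['_config']['errmsg'] .= sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score)."<br>\n";
    }

    if ($id == 2) {
        // The address must not already be in use, in either table.
        $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
        $res1 = mysql_query($query);
        $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0";
        $res2 = mysql_query($query);
        if (mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0) {
            $id = 1;
            $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n";
        }

        // Refuse addresses whose tail equals an entry in `baddomains`.
        $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))";
        $res = mysql_query($query);
        if (mysql_num_rows($res) > 0) {
            $domain = mysql_fetch_assoc($res);
            $domain = $domain['domain'];
            $id = 1;
            $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n";
        }
    }

    if ($id == 2) {
        $checkemail = checkEmail($_SESSION['signup']['email']);
        // NOTE(review): loose comparison. If checkEmail() reports failure with a
        // non-empty string (the message below prints $checkemail), that string
        // compares equal to true and the check passes -- confirm its return
        // contract and whether !== true is what is meant.
        // NOTE(review): $checkemail is placed in errmsg next to markup; how
        // errmsg is output is not visible here.
        if ($checkemail != true) {
            $id = 1;
            $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."<br>\n$checkemail<br>\n";
        }
    }

    if ($id == 2) {
        // Verification token. fread() returns the requested number of raw bytes;
        // a line-oriented read would stop at the first newline byte in the
        // random data and could hash only a byte or two. If the random source
        // cannot be read, no account is created rather than storing the hash
        // of an empty string.
        $hash = "";
        $rnd = fopen("/dev/urandom", "r");
        if ($rnd) {
            $bytes = fread($rnd, 64);
            fclose($rnd);
            if (strlen($bytes) == 64) {
                $hash = md5($bytes);
            }
        }
        if ($hash == "") {
            $id = 1;
            $_SESSION['_config']['errmsg'] .= _("Unable to generate a verification code, please try again later.")."<br>\n";
        }
    }

    if ($id == 2) {
        // All values were escaped or forced to integers when they were stored in
        // the session above. The pass phrase is hashed by MySQL as unsalted
        // SHA-1; the questions and answers are stored as entered.
        // NOTE(review): none of the three inserts is checked for failure.
        $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."',\n"
            . "`password`=sha1('".$_SESSION['signup']['pword1']."'),\n"
            . "`fname`='".$_SESSION['signup']['fname']."',\n"
            . "`mname`='".$_SESSION['signup']['mname']."',\n"
            . "`lname`='".$_SESSION['signup']['lname']."',\n"
            . "`suffix`='".$_SESSION['signup']['suffix']."',\n"
            . "`dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."',\n"
            . "`Q1`='".$_SESSION['signup']['Q1']."',\n"
            . "`Q2`='".$_SESSION['signup']['Q2']."',\n"
            . "`Q3`='".$_SESSION['signup']['Q3']."',\n"
            . "`Q4`='".$_SESSION['signup']['Q4']."',\n"
            . "`Q5`='".$_SESSION['signup']['Q5']."',\n"
            . "`A1`='".$_SESSION['signup']['A1']."',\n"
            . "`A2`='".$_SESSION['signup']['A2']."',\n"
            . "`A3`='".$_SESSION['signup']['A3']."',\n"
            . "`A4`='".$_SESSION['signup']['A4']."',\n"
            . "`A5`='".$_SESSION['signup']['A5']."',\n"
            . "`created`=NOW()";
        mysql_query($query);
        $memid = mysql_insert_id();

        $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."',\n"
            . "`hash`='$hash',\n"
            . "`created`=NOW(),\n"
            . "`memid`='$memid'";
        mysql_query($query);
        $emailid = mysql_insert_id();

        $query = "insert into `alerts` set `memid`='$memid',\n"
            . "`general`='".$_SESSION['signup']['general']."',\n"
            . "`country`='".$_SESSION['signup']['country']."',\n"
            . "`regional`='".$_SESSION['signup']['regional']."',\n"
            . "`radius`='".$_SESSION['signup']['radius']."'";
        mysql_query($query);

        // NOTE(review): the verification link carries the token over plain http.
        $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n";
        $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n";
        $body .= _("Best regards")."\n"._("CAcert.org Support!");
        sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support");

        // Blank every signup value, pass phrases included, then drop the array.
        foreach ($_SESSION['signup'] as $key => $val) {
            $_SESSION['signup'][$key] = "";
        }
        unset($_SESSION['signup']);
    }
}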
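// Contact form (page 11): validate the fields, then mail the message either to
// support or, when the "support" box is ticked, to the support list with a
// copy to the sender's address.
if ($_REQUEST['oldid'] == 11 && $_REQUEST['process'] != "") {
    // $who, $subject and $message are read as bare globals; where they are
    // populated is not visible in this section.
    $who = stripslashes($who);
    $email = stripslashes($_REQUEST['email']);
    $subject = stripslashes($subject);
    $message = stripslashes($message);

    // The sender's address is used as a mail recipient below and, like the
    // subject, is handed to sendmail() as header material. sendmail() is defined
    // elsewhere and what it filters is not visible here, so line breaks are
    // refused in the single-line fields and the address must be one address
    // without spaces, commas or semicolons. Otherwise the form could be used to
    // send mail to recipients of the submitter's choosing.
    $problem = "";
    if ($who == "" || $email == "" || $subject == "" || $message == "") {
        $problem = _("All fields are mandatory.");
    } else if (preg_match('/[\r\n]/', $who.$subject) || preg_match('/[\s,;]/', $email)) {
        $problem = _("Name, email address and subject must each be a single line, and only one email address may be given.");
    }

    if ($problem != "") {
        // Stay on the form and show the message.
        $id = $_REQUEST['oldid'];
        $_SESSION['_config']['errmsg'] = $problem."<br>\n";
        unset($_REQUEST['oldid']);
    } else {
        $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
        if ($_POST['support'] == "yes") {
            sendmail("cacert-support@lists.cacert.org, $email", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
            $notice = _("Your message has been sent to the general support list.");
        } else {
            sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
            $notice = _("Your message has been sent.");
        }
        showheader(_("Welcome to CAcert.org"));
        echo $notice;
        showfooter();
        exit;
    }
}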
// A missing or pre-1900 signup year in the session is replaced by the literal "19XX".
if ($_SESSION['signup']['year'] < 1900) {
    $_SESSION['signup']['year'] = "19XX";
}

// No branch above ended the request: output the page selected by $id between
// the shared header and footer.
showheader(_("Welcome to CAcert.org"));
includeit($id);
showfooter();
?>