2004-10-16 00:28:17 +00:00
< ? /*
Copyright ( C ) 2004 by Duane Groth < duane_at_CAcert_dot_org >
This file is part of CAcert .
CAcert has been released under the CAcert Source License
which can be found included with these source files or can
be downloaded from the internet from the following address :
http :// www . cacert . org / src - lic . php
CAcert is distributed WITHOUT ANY WARRANTY ; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE . See the License for more details .
*/ ?>
< ?
2006-02-03 18:45:23 +00:00
$id = intval ( $_REQUEST [ 'id' ]);
2006-08-03 13:20:55 +00:00
if ( $id == 2 )
$id = 0 ;
2006-11-23 22:22:31 +00:00
$oldid = intval ( $_REQUEST [ 'oldid' ]);
$process = $_REQUEST [ 'process' ];
2004-10-16 00:28:17 +00:00
2005-11-08 10:06:04 +00:00
if ( $id == 17 || $id == 20 )
2005-02-16 18:11:53 +00:00
{
2006-04-20 20:08:31 +00:00
include_once ( " ../pages/index/ $id .php " );
2005-02-16 18:11:53 +00:00
exit ;
}
loadem ( " index " );
2004-10-16 00:28:17 +00:00
$_SESSION [ '_config' ][ 'hostname' ] = $_SERVER [ 'HTTP_HOST' ];
2006-11-23 22:22:31 +00:00
if (( $oldid == 6 || $id == 6 ) && intval ( $_SESSION [ 'lostpw' ][ 'user' ][ 'id' ]) < 1 )
2004-10-16 00:28:17 +00:00
{
2006-11-23 22:22:31 +00:00
$oldid = 0 ;
2004-10-16 00:28:17 +00:00
$id = 5 ;
}
2006-11-23 22:22:31 +00:00
if ( $oldid == 6 && $process != " " )
2004-10-16 00:28:17 +00:00
{
2006-03-05 11:18:16 +00:00
$body = " " ;
2004-10-16 00:28:17 +00:00
$answers = 0 ;
$qs = array ();
2006-11-23 22:22:31 +00:00
$id = $oldid ;
$oldid = 0 ;
2006-05-01 14:45:38 +00:00
if ( $_REQUEST [ 'Q1' ])
2004-10-16 00:28:17 +00:00
{
2006-05-01 14:45:38 +00:00
$_SESSION [ 'lostpw' ][ 'A1' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'A1' ]))));
2004-10-16 00:28:17 +00:00
2005-05-23 01:53:59 +00:00
if ( stripslashes ( strtolower ( $_SESSION [ 'lostpw' ][ 'A1' ])) == strtolower ( $_SESSION [ 'lostpw' ][ 'user' ][ 'A1' ]))
2004-10-16 00:28:17 +00:00
$answers ++ ;
2006-04-30 08:30:54 +00:00
$body .= " System: " . $_SESSION [ 'lostpw' ][ 'user' ][ 'A1' ] . " \n Entered: " . stripslashes ( strip_tags ( $_SESSION [ 'lostpw' ][ 'A1' ])) . " \n " ;
2004-10-16 00:28:17 +00:00
}
2006-05-01 14:45:38 +00:00
if ( $_REQUEST [ 'Q2' ])
2004-10-16 00:28:17 +00:00
{
2006-05-01 14:45:38 +00:00
$_SESSION [ 'lostpw' ][ 'A2' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'A2' ]))));
2004-10-16 00:28:17 +00:00
2005-05-23 01:53:59 +00:00
if ( stripslashes ( strtolower ( $_SESSION [ 'lostpw' ][ 'A2' ])) == strtolower ( $_SESSION [ 'lostpw' ][ 'user' ][ 'A2' ]))
2004-10-16 00:28:17 +00:00
$answers ++ ;
2006-04-30 08:30:54 +00:00
$body .= " System: " . $_SESSION [ 'lostpw' ][ 'user' ][ 'A2' ] . " \n Entered: " . stripslashes ( strip_tags ( $_SESSION [ 'lostpw' ][ 'A2' ])) . " \n " ;
2004-10-16 00:28:17 +00:00
}
2006-05-01 14:45:38 +00:00
if ( $_REQUEST [ 'Q3' ])
2004-10-16 00:28:17 +00:00
{
2006-05-01 14:45:38 +00:00
$_SESSION [ 'lostpw' ][ 'A3' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'A3' ]))));
2004-10-16 00:28:17 +00:00
2005-05-23 01:53:59 +00:00
if ( stripslashes ( strtolower ( $_SESSION [ 'lostpw' ][ 'A3' ])) == strtolower ( $_SESSION [ 'lostpw' ][ 'user' ][ 'A3' ]))
2004-10-16 00:28:17 +00:00
$answers ++ ;
2006-04-30 08:30:54 +00:00
$body .= " System: " . $_SESSION [ 'lostpw' ][ 'user' ][ 'A3' ] . " \n Entered: " . stripslashes ( strip_tags ( $_SESSION [ 'lostpw' ][ 'A3' ])) . " \n " ;
2004-10-16 00:28:17 +00:00
}
2006-05-01 14:45:38 +00:00
if ( $_REQUEST [ 'Q4' ])
2004-10-16 00:28:17 +00:00
{
2006-05-01 14:45:38 +00:00
$_SESSION [ 'lostpw' ][ 'A4' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'A4' ]))));
2004-10-16 00:28:17 +00:00
2005-05-23 01:53:59 +00:00
if ( stripslashes ( strtolower ( $_SESSION [ 'lostpw' ][ 'A4' ])) == strtolower ( $_SESSION [ 'lostpw' ][ 'user' ][ 'A4' ]))
2004-10-16 00:28:17 +00:00
$answers ++ ;
2006-04-30 08:30:54 +00:00
$body .= " System: " . $_SESSION [ 'lostpw' ][ 'user' ][ 'A4' ] . " \n Entered: " . stripslashes ( strip_tags ( $_SESSION [ 'lostpw' ][ 'A4' ])) . " \n " ;
2004-10-16 00:28:17 +00:00
}
2006-05-01 14:45:38 +00:00
if ( $_REQUEST [ 'Q5' ])
2004-10-16 00:28:17 +00:00
{
2006-05-01 14:45:38 +00:00
$_SESSION [ 'lostpw' ][ 'A5' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'A5' ]))));
2004-10-16 00:28:17 +00:00
2005-05-23 01:53:59 +00:00
if ( stripslashes ( strtolower ( $_SESSION [ 'lostpw' ][ 'A5' ])) == strtolower ( $_SESSION [ 'lostpw' ][ 'user' ][ 'A5' ]))
2004-10-16 00:28:17 +00:00
$answers ++ ;
2006-04-30 08:30:54 +00:00
$body .= " System: " . $_SESSION [ 'lostpw' ][ 'user' ][ 'A5' ] . " \n Entered: " . stripslashes ( strip_tags ( $_SESSION [ 'lostpw' ][ 'A5' ])) . " \n " ;
2004-10-16 00:28:17 +00:00
}
2006-04-30 08:30:54 +00:00
$_SESSION [ 'lostpw' ][ 'pw1' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'newpass1' ]))));
$_SESSION [ 'lostpw' ][ 'pw2' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'newpass2' ]))));
2004-10-16 00:28:17 +00:00
2005-07-01 13:12:14 +00:00
if ( $answers < $_SESSION [ 'lostpw' ][ 'total' ] || $answers < 1 )
2004-10-16 00:28:17 +00:00
{
$body = " Someone has just attempted to update the pass phrase on the following account: \n " .
" Username(ID): " . $_SESSION [ 'lostpw' ][ 'user' ][ 'email' ] . " ( " . $_SESSION [ 'lostpw' ][ 'user' ][ 'id' ] . " ) \n " .
" email: " . $_SESSION [ 'lostpw' ][ 'user' ][ 'email' ] . " \n " .
" Requested Pass Phrase: " . $_SESSION [ 'lostpw' ][ 'pw1' ] . " \n " .
" IP/Hostname: " . $_SERVER [ 'REMOTE_ADDR' ] . " / " . $_SERVER [ 'REMOTE_HOST' ] . " \n " .
" --------------------------------------------------------------------- \n " . $body .
" --------------------------------------------------------------------- \n " ;
2004-12-09 01:48:16 +00:00
sendmail ( " support@cacert.org " , " [CAcert.org] Requested Pass Phrase Change " , $body ,
2005-05-23 01:53:59 +00:00
$_SESSION [ 'lostpw' ][ 'user' ][ 'email' ], " " , " " , $_SESSION [ 'lostpw' ][ 'user' ][ 'fname' ]);
2005-07-01 14:33:30 +00:00
$_SESSION [ '_config' ][ 'errmsg' ] = _ ( " You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified. " );
2004-10-16 00:28:17 +00:00
} else if ( $_SESSION [ 'lostpw' ][ 'pw1' ] != $_SESSION [ 'lostpw' ][ 'pw2' ] || $_SESSION [ 'lostpw' ][ 'pw1' ] == " " ) {
$_SESSION [ '_config' ][ 'errmsg' ] = _ ( " New Pass Phrases specified don't match or were blank. " );
} else if ( strlen ( $_SESSION [ 'lostpw' ][ 'pw1' ]) < 6 ) {
2004-12-06 21:53:35 +00:00
$_SESSION [ '_config' ][ 'errmsg' ] = _ ( " The Pass Phrase you submitted was too short. It must be at least 6 characters. " );
2004-10-16 00:28:17 +00:00
} else {
$score = checkpw ( $_SESSION [ 'lostpw' ][ 'pw1' ], $_SESSION [ 'lostpw' ][ 'user' ][ 'email' ], $_SESSION [ 'lostpw' ][ 'user' ][ 'fname' ],
$_SESSION [ 'lostpw' ][ 'user' ][ 'mname' ], $_SESSION [ 'lostpw' ][ 'user' ][ 'lname' ], $_SESSION [ 'lostpw' ][ 'user' ][ 'suffix' ]);
if ( $score < 3 )
{
2005-02-16 18:11:53 +00:00
$_SESSION [ '_config' ][ 'errmsg' ] = sprintf ( _ ( " The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6. " ), $score );
2004-10-16 00:28:17 +00:00
} else {
2006-02-03 18:45:23 +00:00
$query = " update `users` set `password`=sha1(' " . $_SESSION [ 'lostpw' ][ 'pw1' ] . " ')
2004-10-21 04:22:14 +00:00
where `id` = '".$_SESSION[' lostpw '][' user '][' id ']."' " ;
mysql_query ( $query ) || die ( mysql_error ());
2004-10-16 00:28:17 +00:00
showheader ( _ ( " Welcome to CAcert.org " ));
echo _ ( " Your Pass Phrase has been updated and your primary email account has been notified of the change. " );
showfooter ();
exit ;
}
}
}
2006-11-23 22:22:31 +00:00
if ( $oldid == 5 && $process != " " )
2004-10-16 00:28:17 +00:00
{
2006-04-30 08:30:54 +00:00
$email = $_SESSION [ 'lostpw' ][ 'email' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'email' ]))));
2004-10-16 00:28:17 +00:00
$_SESSION [ 'lostpw' ][ 'day' ] = intval ( $day );
$_SESSION [ 'lostpw' ][ 'month' ] = intval ( $month );
$_SESSION [ 'lostpw' ][ 'year' ] = intval ( $year );
$dob = $_SESSION [ 'lostpw' ][ 'year' ] . " - " . $_SESSION [ 'lostpw' ][ 'month' ] . " - " . $_SESSION [ 'lostpw' ][ 'day' ];
$query = " select * from `users` where `email`=' $email ' and `dob`=' $dob ' " ;
$res = mysql_query ( $query );
if ( mysql_num_rows ( $res ) <= 0 )
{
2006-11-23 22:22:31 +00:00
$id = $oldid ;
$oldid = 0 ;
2004-10-16 00:28:17 +00:00
$_SESSION [ '_config' ][ 'errmsg' ] = _ ( " Unable to match your details with any user accounts on file " );
} else {
$id = 6 ;
$_SESSION [ 'lostpw' ][ 'user' ] = mysql_fetch_assoc ( $res );
}
}
2004-12-07 12:35:40 +00:00
if ( $id == 4 && $_SERVER [ 'HTTP_HOST' ] == $_SESSION [ '_config' ][ 'securehostname' ])
2004-10-16 00:28:17 +00:00
{
$query = " select * from `emailcerts` where `serial`=' $_SERVER[SSL_CLIENT_M_SERIAL] ' and `revoked`=0 and
UNIX_TIMESTAMP ( `expire` ) - UNIX_TIMESTAMP () > 0 " ;
$res = mysql_query ( $query );
if ( mysql_num_rows ( $res ) > 0 )
{
$row = mysql_fetch_assoc ( $res );
2006-08-16 06:08:12 +00:00
$_SESSION [ 'profile' ] = mysql_fetch_assoc ( mysql_query ( " select * from `users` where `id`=' $row[memid] ' and `deleted`=0 and `locked`=0 " ));
2005-07-01 13:12:14 +00:00
if ( $_SESSION [ 'profile' ][ 'id' ] != 0 )
{
$_SESSION [ 'profile' ][ 'loggedin' ] = 1 ;
header ( " location: https:// " . $_SERVER [ 'HTTP_HOST' ] . " /account.php " );
exit ;
} else {
$_SESSION [ 'profile' ][ 'loggedin' ] = 0 ;
}
2004-10-16 00:28:17 +00:00
}
}
if ( $id == 4 && $_SESSION [ 'profile' ][ 'loggedin' ] == 1 )
{
header ( " location: https:// " . $_SERVER [ 'HTTP_HOST' ] . " /account.php " );
exit ;
}
2007-02-23 21:21:03 +00:00
function getOTP64 ( $otp )
{
$lookupChar = " 123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%: " ;
for ( $i = 0 ; $i < 6 ; $i ++ )
$val [ $i ] = hexdec ( substr ( $otp , $i * 2 , 2 ));
$tmp1 = $val [ 0 ] >> 2 ;
$OTP = $lookupChar [ $tmp1 & 63 ];
$tmp2 = $val [ 0 ] - ( $tmp1 << 2 );
$tmp1 = $val [ 1 ] >> 4 ;
$OTP .= $lookupChar [( $tmp1 + $tmp2 ) & 63 ];
$tmp2 = $val [ 1 ] - ( $tmp1 << 4 );
$tmp1 = $val [ 2 ] >> 6 ;
$OTP .= $lookupChar [( $tmp1 + $tmp2 ) & 63 ];
$tmp2 = $val [ 2 ] - ( $tmp1 << 6 );
$OTP .= $lookupChar [ $tmp2 & 63 ];
$tmp1 = $val [ 3 ] >> 2 ;
$OTP .= $lookupChar [ $tmp1 & 63 ];
$tmp2 = $val [ 3 ] - ( $tmp1 << 2 );
$tmp1 = $val [ 4 ] >> 4 ;
$OTP .= $lookupChar [( $tmp1 + $tmp2 ) & 63 ];
$tmp2 = $val [ 4 ] - ( $tmp1 << 4 );
$tmp1 = $val [ 5 ] >> 6 ;
$OTP .= $lookupChar [( $tmp1 + $tmp2 ) & 63 ];
$tmp2 = $val [ 5 ] - ( $tmp1 << 6 );
$OTP .= $lookupChar [ $tmp2 & 63 ];
return $OTP ;
}
function getOTP32 ( $otp )
{
$lookupChar = " 0123456789abcdefghkmnoprstuvwxyz " ;
for ( $i = 0 ; $i < 7 ; $i ++ )
$val [ $i ] = hexdec ( substr ( $otp , $i * 2 , 2 ));
$tmp1 = $val [ 0 ] >> 3 ;
$OTP = $lookupChar [ $tmp1 & 31 ];
$tmp2 = $val [ 0 ] - ( $tmp1 << 3 );
$tmp1 = $val [ 1 ] >> 6 ;
$OTP .= $lookupChar [( $tmp1 + $tmp2 ) & 31 ];
$tmp2 = ( $val [ 1 ] - ( $tmp1 << 6 )) >> 1 ;
$OTP .= $lookupChar [ $tmp2 & 31 ];
$tmp2 = $val [ 1 ] - (( $val [ 1 ] >> 1 ) << 1 );
$tmp1 = $val [ 2 ] >> 4 ;
$OTP .= $lookupChar [( $tmp1 + $tmp2 ) & 31 ];
$tmp2 = $val [ 2 ] - ( $tmp1 << 4 );
$tmp1 = $val [ 3 ] >> 7 ;
$OTP .= $ lookupChar [( $tmp1 + $tmp2 ) & 31 ];
$tmp2 = ( $val [ 3 ] - ( $tmp1 << 7 )) >> 2 ;
$OTP .= $lookupChar [ $tmp2 & 31 ];
$tmp2 = $val [ 3 ] - (( $val [ 3 ] - ( $tmp1 << 7 )) >> 2 ) << 2 ;
$tmp1 = $val [ 4 ] >> 5 ;
$OTP .= $lookupChar [( $tmp1 + $tmp2 ) & 31 ];
$tmp2 = $val [ 4 ] - ( $tmp1 << 5 );
$OTP .= $lookupChar [ $tmp2 & 31 ];
$tmp1 = $val [ 5 ] >> 3 ;
$OTP .= $lookupChar [ $tmp1 & 31 ];
$tmp2 = $val [ 5 ] - ( $tmp1 << 3 );
$tmp1 = $val [ 6 ] >> 6 ;
$OTP .= $lookupChar [( $tmp1 + $tmp2 ) & 31 ];
return $OTP ;
}
2006-11-23 22:22:31 +00:00
if ( $oldid == 4 )
2004-10-16 00:28:17 +00:00
{
2006-11-23 22:22:31 +00:00
$oldid = 0 ;
2004-10-16 00:28:17 +00:00
$id = 4 ;
$_SESSION [ '_config' ][ 'errmsg' ] = " " ;
2006-04-30 08:30:54 +00:00
$email = mysql_escape_string ( stripslashes ( strip_tags ( trim ( $_REQUEST [ 'email' ]))));
2006-04-30 08:40:21 +00:00
$pword = mysql_escape_string ( stripslashes ( trim ( $_REQUEST [ 'pword' ])));
2006-02-03 18:45:23 +00:00
$query = " select * from `users` where `email`=' $email ' and (`password`=old_password(' $pword ') or `password`=sha1(' $pword ') or
2006-08-16 06:08:12 +00:00
`password` = password ( '$pword' )) and `verified` = 1 and `deleted` = 0 and `locked` = 0 " ;
2004-10-16 00:28:17 +00:00
$res = mysql_query ( $query );
2007-02-07 13:50:54 +00:00
if ( mysql_num_rows ( $res ) <= 0 )
{
2007-02-23 21:21:03 +00:00
$otpquery = " select * from `users` where `email`=' $email ' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0 " ;
2007-02-07 13:50:54 +00:00
$otpres = mysql_query ( $otpquery );
if ( mysql_num_rows ( $otpres ) > 0 )
{
$otp = mysql_fetch_assoc ( $otpres );
$otphash = $otp [ 'otphash' ];
$otppin = $otp [ 'otppin' ];
2007-02-23 21:21:03 +00:00
if ( strlen ( $pword ) == 6 )
{
$matchperiod = 18 ;
$time = round ( gmdate ( " U " ) / 10 );
} else {
$matchperiod = 3 ;
$time = round ( gmdate ( " U " ) / 60 );
}
2007-02-07 13:50:54 +00:00
2007-02-23 21:21:03 +00:00
$query = " delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600 " ;
2007-02-07 13:50:54 +00:00
mysql_query ( $query );
$query = " select * from `otphashes` where `username`=' $email ' and `otp`=' $pword ' " ;
if ( mysql_num_rows ( mysql_query ( $query )) <= 0 )
{
$query = " insert into `otphashes` set `when`=NOW(), `username`=' $email ', `otp`=' $pword ' " ;
mysql_query ( $query );
for ( $i = $time - $matchperiod ; $i <= $time + $matchperiod * 2 ; $i ++ )
{
2007-02-23 21:21:03 +00:00
if ( $otppin > 0 )
$tmpmd5 = md5 ( " $i $otphash $otppin " );
else
$tmpmd5 = md5 ( " $i $otphash " );
if ( strlen ( $pword ) == 6 )
$md5 = substr ( md5 ( " $i $otphash " ), 0 , 6 );
else if ( strlen ( $pword ) == 8 )
$md5 = getOTP64 ( md5 ( " $i $otphash " ));
else
$md5 = getOTP32 ( md5 ( " $i $otphash " ));
2007-02-07 13:50:54 +00:00
if ( $pword == $md5 )
2007-02-23 21:21:03 +00:00
$res = mysql_query ( $otpquery );
2007-02-07 13:50:54 +00:00
}
}
}
}
2004-10-16 00:28:17 +00:00
if ( mysql_num_rows ( $res ) > 0 )
{
2006-02-03 18:45:23 +00:00
$_SESSION [ 'profile' ] = " " ;
unset ( $_SESSION [ 'profile' ]);
2004-10-16 00:28:17 +00:00
$_SESSION [ 'profile' ] = mysql_fetch_assoc ( $res );
2006-02-03 18:45:23 +00:00
$query = " update `users` set `modified`=NOW(), `password`=sha1(' $pword ') where `id`=' " . $_SESSION [ 'profile' ][ 'id' ] . " ' " ;
mysql_query ( $query );
2004-10-16 14:45:32 +00:00
if ( $_SESSION [ 'profile' ][ 'language' ] == " " )
{
$query = " update `users` set `language`=' " . $_SESSION [ '_config' ][ 'language' ] . " '
where `id` = '".$_SESSION[' profile '][' id ']."' " ;
mysql_query ( $query );
2004-10-16 15:11:25 +00:00
} else {
$_SESSION [ '_config' ][ 'language' ] = $_SESSION [ 'profile' ][ 'language' ];
putenv ( " LANG= " . $_SESSION [ '_config' ][ 'language' ]);
setlocale ( LC_ALL , $_SESSION [ '_config' ][ 'language' ]);
$domain = 'messages' ;
2006-02-03 18:45:23 +00:00
bindtextdomain ( " $domain " , $_SESSION [ '_config' ][ 'filepath' ] . " /locale " );
2004-10-16 15:11:25 +00:00
textdomain ( " $domain " );
2004-10-16 14:45:32 +00:00
}
2004-10-16 00:28:17 +00:00
$query = " select sum(`points`) as `total` from `notary` where `to`=' " . $_SESSION [ 'profile' ][ 'id' ] . " ' group by `to` " ;
$res = mysql_query ( $query );
$row = mysql_fetch_assoc ( $res );
$_SESSION [ 'profile' ][ 'points' ] = $row [ 'total' ];
$_SESSION [ 'profile' ][ 'loggedin' ] = 1 ;
2005-07-01 14:33:30 +00:00
if ( $_SESSION [ 'profile' ][ 'Q1' ] == " " || $_SESSION [ 'profile' ][ 'Q2' ] == " " ||
$_SESSION [ 'profile' ][ 'Q3' ] == " " || $_SESSION [ 'profile' ][ 'Q4' ] == " " ||
$_SESSION [ 'profile' ][ 'Q5' ] == " " )
{
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " For your own security you must enter 5 lost password questions and answers. " ) . " <br> " ;
$_SESSION [ '_config' ][ 'oldlocation' ] = " account.php?id=13 " ;
}
2004-10-16 00:28:17 +00:00
if ( $_SESSION [ '_config' ][ 'oldlocation' ] != " " )
header ( " location: https:// " . $_SERVER [ 'HTTP_HOST' ] . " / " . $_SESSION [ '_config' ][ 'oldlocation' ]);
else
header ( " location: https:// " . $_SERVER [ 'HTTP_HOST' ] . " /account.php " );
exit ;
}
2006-08-14 08:19:38 +00:00
$query = " select * from `users` where `email`=' $email ' and (`password`=old_password(' $pword ') or `password`=sha1(' $pword ') or
`password` = password ( '$pword' )) and `verified` = 0 and `deleted` = 0 " ;
$res = mysql_query ( $query );
if ( mysql_num_rows ( $res ) <= 0 )
{
$_SESSION [ '_config' ][ 'errmsg' ] = _ ( " Incorrect email address and/or Pass Phrase. " );
} else {
$_SESSION [ '_config' ][ 'errmsg' ] = _ ( " Your account has not been verified yet, please check your email account for the signup messages. " );
}
2004-10-16 00:28:17 +00:00
}
2006-11-23 22:22:31 +00:00
if ( $process && $oldid == 1 )
2004-10-16 00:28:17 +00:00
{
$id = 2 ;
2006-11-23 22:22:31 +00:00
$oldid = 0 ;
2004-10-16 00:28:17 +00:00
$_SESSION [ '_config' ][ 'errmsg' ] = " " ;
2006-04-30 08:30:54 +00:00
$_SESSION [ 'signup' ][ 'email' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'email' ]))));
2006-05-01 14:45:38 +00:00
$_SESSION [ 'signup' ][ 'fname' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'fname' ]))));
$_SESSION [ 'signup' ][ 'mname' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'mname' ]))));
$_SESSION [ 'signup' ][ 'lname' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'lname' ]))));
$_SESSION [ 'signup' ][ 'suffix' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'suffix' ]))));
$_SESSION [ 'signup' ][ 'day' ] = intval ( $_REQUEST [ 'day' ]);
$_SESSION [ 'signup' ][ 'month' ] = intval ( $_REQUEST [ 'month' ]);
$_SESSION [ 'signup' ][ 'year' ] = intval ( $_REQUEST [ 'year' ]);
$_SESSION [ 'signup' ][ 'pword1' ] = trim ( mysql_escape_string ( stripslashes ( $_REQUEST [ 'pword1' ])));
$_SESSION [ 'signup' ][ 'pword2' ] = trim ( mysql_escape_string ( stripslashes ( $_REQUEST [ 'pword2' ])));
$_SESSION [ 'signup' ][ 'Q1' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'Q1' ]))));
$_SESSION [ 'signup' ][ 'Q2' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'Q2' ]))));
$_SESSION [ 'signup' ][ 'Q3' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'Q3' ]))));
$_SESSION [ 'signup' ][ 'Q4' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'Q4' ]))));
$_SESSION [ 'signup' ][ 'Q5' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'Q5' ]))));
$_SESSION [ 'signup' ][ 'A1' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'A1' ]))));
$_SESSION [ 'signup' ][ 'A2' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'A2' ]))));
$_SESSION [ 'signup' ][ 'A3' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'A3' ]))));
$_SESSION [ 'signup' ][ 'A4' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'A4' ]))));
$_SESSION [ 'signup' ][ 'A5' ] = trim ( mysql_escape_string ( stripslashes ( strip_tags ( $_REQUEST [ 'A5' ]))));
$_SESSION [ 'signup' ][ 'general' ] = intval ( $_REQUEST [ 'general' ]);
$_SESSION [ 'signup' ][ 'country' ] = intval ( $_REQUEST [ 'country' ]);
$_SESSION [ 'signup' ][ 'regional' ] = intval ( $_REQUEST [ 'regional' ]);
$_SESSION [ 'signup' ][ 'radius' ] = intval ( $_REQUEST [ 'radius' ]);
2004-10-16 00:28:17 +00:00
2006-08-16 17:25:19 +00:00
if ( $_SESSION [ 'signup' ][ 'Q1' ] == $_SESSION [ 'signup' ][ 'Q2' ] ||
$_SESSION [ 'signup' ][ 'Q1' ] == $_SESSION [ 'signup' ][ 'Q3' ] ||
$_SESSION [ 'signup' ][ 'Q1' ] == $_SESSION [ 'signup' ][ 'Q4' ] ||
$_SESSION [ 'signup' ][ 'Q1' ] == $_SESSION [ 'signup' ][ 'Q5' ] ||
$_SESSION [ 'signup' ][ 'Q2' ] == $_SESSION [ 'signup' ][ 'Q3' ] ||
$_SESSION [ 'signup' ][ 'Q2' ] == $_SESSION [ 'signup' ][ 'Q4' ] ||
$_SESSION [ 'signup' ][ 'Q2' ] == $_SESSION [ 'signup' ][ 'Q5' ] ||
$_SESSION [ 'signup' ][ 'Q3' ] == $_SESSION [ 'signup' ][ 'Q4' ] ||
$_SESSION [ 'signup' ][ 'Q3' ] == $_SESSION [ 'signup' ][ 'Q5' ] ||
$_SESSION [ 'signup' ][ 'Q4' ] == $_SESSION [ 'signup' ][ 'Q5' ] ||
$_SESSION [ 'signup' ][ 'A1' ] == $_SESSION [ 'signup' ][ 'Q1' ] ||
$_SESSION [ 'signup' ][ 'A1' ] == $_SESSION [ 'signup' ][ 'Q2' ] ||
$_SESSION [ 'signup' ][ 'A1' ] == $_SESSION [ 'signup' ][ 'Q3' ] ||
$_SESSION [ 'signup' ][ 'A1' ] == $_SESSION [ 'signup' ][ 'Q4' ] ||
$_SESSION [ 'signup' ][ 'A1' ] == $_SESSION [ 'signup' ][ 'Q5' ] ||
$_SESSION [ 'signup' ][ 'A2' ] == $_SESSION [ 'signup' ][ 'Q3' ] ||
$_SESSION [ 'signup' ][ 'A2' ] == $_SESSION [ 'signup' ][ 'Q4' ] ||
$_SESSION [ 'signup' ][ 'A2' ] == $_SESSION [ 'signup' ][ 'Q5' ] ||
$_SESSION [ 'signup' ][ 'A3' ] == $_SESSION [ 'signup' ][ 'Q4' ] ||
$_SESSION [ 'signup' ][ 'A3' ] == $_SESSION [ 'signup' ][ 'Q5' ] ||
$_SESSION [ 'signup' ][ 'A4' ] == $_SESSION [ 'signup' ][ 'Q5' ] ||
$_SESSION [ 'signup' ][ 'A1' ] == $_SESSION [ 'signup' ][ 'A2' ] ||
$_SESSION [ 'signup' ][ 'A1' ] == $_SESSION [ 'signup' ][ 'A3' ] ||
$_SESSION [ 'signup' ][ 'A1' ] == $_SESSION [ 'signup' ][ 'A4' ] ||
$_SESSION [ 'signup' ][ 'A1' ] == $_SESSION [ 'signup' ][ 'A5' ] ||
$_SESSION [ 'signup' ][ 'A2' ] == $_SESSION [ 'signup' ][ 'A3' ] ||
$_SESSION [ 'signup' ][ 'A2' ] == $_SESSION [ 'signup' ][ 'A4' ] ||
$_SESSION [ 'signup' ][ 'A2' ] == $_SESSION [ 'signup' ][ 'A5' ] ||
$_SESSION [ 'signup' ][ 'A3' ] == $_SESSION [ 'signup' ][ 'A4' ] ||
$_SESSION [ 'signup' ][ 'A3' ] == $_SESSION [ 'signup' ][ 'A5' ] ||
$_SESSION [ 'signup' ][ 'A4' ] == $_SESSION [ 'signup' ][ 'A5' ])
{
$id = 1 ;
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer. " ) . " <br> \n " ;
}
2005-07-14 19:56:28 +00:00
if ( $_SESSION [ 'signup' ][ 'Q1' ] == " " || $_SESSION [ 'signup' ][ 'Q2' ] == " " ||
$_SESSION [ 'signup' ][ 'Q3' ] == " " || $_SESSION [ 'signup' ][ 'Q4' ] == " " ||
$_SESSION [ 'signup' ][ 'Q5' ] == " " )
{
$id = 1 ;
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " For your own security you must enter 5 lost password questions and answers. " ) . " <br> \n " ;
}
2004-10-16 00:28:17 +00:00
if ( $_SESSION [ 'signup' ][ 'fname' ] == " " || $_SESSION [ 'signup' ][ 'lname' ] == " " )
{
$id = 1 ;
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " First and/or last names were blank. " ) . " <br> \n " ;
}
if ( $_SESSION [ 'signup' ][ 'year' ] < 1900 || $_SESSION [ 'signup' ][ 'month' ] < 1 || $_SESSION [ 'signup' ][ 'month' ] > 12 ||
$_SESSION [ 'signup' ][ 'day' ] < 1 || $_SESSION [ 'signup' ][ 'day' ] > 31 )
{
$id = 1 ;
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " Invalid date of birth " ) . " <br> \n " ;
}
if ( $_SESSION [ 'signup' ][ 'email' ] == " " )
{
$id = 1 ;
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " Email Address was blank " ) . " <br> \n " ;
}
if ( $_SESSION [ 'signup' ][ 'pword1' ] == " " )
{
$id = 1 ;
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " Pass Phrases were blank " ) . " <br> \n " ;
}
if ( $_SESSION [ 'signup' ][ 'pword1' ] != $_SESSION [ 'signup' ][ 'pword2' ])
{
$id = 1 ;
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " Pass Phrases don't match " ) . " <br> \n " ;
}
$score = checkpw ( $_SESSION [ 'signup' ][ 'pword1' ], $_SESSION [ 'signup' ][ 'email' ], $_SESSION [ 'signup' ][ 'fname' ], $_SESSION [ 'signup' ][ 'mname' ], $_SESSION [ 'signup' ][ 'lname' ], $_SESSION [ 'signup' ][ 'suffix' ]);
if ( $score < 3 )
{
$id = 1 ;
$_SESSION [ '_config' ][ 'errmsg' ] = _ ( " The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6. " );
}
2005-05-13 15:34:39 +00:00
if ( $id == 2 )
{
$query = " select * from `email` where `email`=' " . $_SESSION [ 'signup' ][ 'email' ] . " ' and `deleted`=0 " ;
$res1 = mysql_query ( $query );
$query = " select * from `users` where `email`=' " . $_SESSION [ 'signup' ][ 'email' ] . " ' and `deleted`=0 " ;
$res2 = mysql_query ( $query );
if ( mysql_num_rows ( $res1 ) > 0 || mysql_num_rows ( $res2 ) > 0 )
{
$id = 1 ;
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " This email address is currently valid in the system. " ) . " <br> \n " ;
}
2006-02-03 18:45:23 +00:00
$query = " select `domain` from `baddomains` where `domain`=RIGHT(' " . $_SESSION [ 'signup' ][ 'email' ] . " ', LENGTH(`domain`)) " ;
$res = mysql_query ( $query );
if ( mysql_num_rows ( $res ) > 0 )
{
$domain = mysql_fetch_assoc ( $res );
$domain = $domain [ 'domain' ];
$id = 1 ;
$_SESSION [ '_config' ][ 'errmsg' ] .= sprintf ( _ ( " We don't allow signups from people using email addresses from %s " ), $domain ) . " <br> \n " ;
}
2005-05-13 15:34:39 +00:00
}
2004-10-16 00:28:17 +00:00
2005-07-01 13:12:14 +00:00
if ( $id == 2 )
2004-10-16 00:28:17 +00:00
{
2005-07-01 13:12:14 +00:00
$checkemail = checkEmail ( $_SESSION [ 'signup' ][ 'email' ]);
2006-08-12 19:39:00 +00:00
if ( $checkemail != " OK " )
2005-07-01 13:12:14 +00:00
{
$id = 1 ;
2007-07-30 18:41:43 +00:00
if ( substr ( $checkemail , 0 , 1 ) == " 4 " )
{
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as \" greylisting \" . Please try again in a few minutes. " );
} else {
$_SESSION [ '_config' ][ 'errmsg' ] .= _ ( " Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid " );
}
$_SESSION [ '_config' ][ 'errmsg' ] .= " <br> \n $checkemail <br> \n " ;
2005-07-01 13:12:14 +00:00
}
2004-10-16 00:28:17 +00:00
}
if ( $id == 2 )
{
2006-04-30 08:30:54 +00:00
$hash = make_hash ();
2004-10-16 00:28:17 +00:00
$query = " insert into `users` set `email`=' " . $_SESSION [ 'signup' ][ 'email' ] . " ',
2006-02-03 18:45:23 +00:00
`password` = sha1 ( '".$_SESSION[' signup '][' pword1 ']."' ),
2004-10-16 00:28:17 +00:00
`fname` = '".$_SESSION[' signup '][' fname ']."' ,
`mname` = '".$_SESSION[' signup '][' mname ']."' ,
`lname` = '".$_SESSION[' signup '][' lname ']."' ,
`suffix` = '".$_SESSION[' signup '][' suffix ']."' ,
`dob` = '".$_SESSION[' signup '][' year ']."-".$_SESSION[' signup '][' month ']."-".$_SESSION[' signup '][' day ']."' ,
`Q1` = '".$_SESSION[' signup '][' Q1 ']."' ,
`Q2` = '".$_SESSION[' signup '][' Q2 ']."' ,
`Q3` = '".$_SESSION[' signup '][' Q3 ']."' ,
`Q4` = '".$_SESSION[' signup '][' Q4 ']."' ,
`Q5` = '".$_SESSION[' signup '][' Q5 ']."' ,
`A1` = '".$_SESSION[' signup '][' A1 ']."' ,
`A2` = '".$_SESSION[' signup '][' A2 ']."' ,
`A3` = '".$_SESSION[' signup '][' A3 ']."' ,
`A4` = '".$_SESSION[' signup '][' A4 ']."' ,
2004-10-31 00:57:08 +00:00
`A5` = '".$_SESSION[' signup '][' A5 ']."' ,
2007-02-07 13:50:54 +00:00
`created` = NOW (), `uniqueID` = SHA1 ( CONCAT ( NOW (), '$hash' )) " ;
2004-10-16 00:28:17 +00:00
mysql_query ( $query );
$memid = mysql_insert_id ();
$query = " insert into `email` set `email`=' " . $_SESSION [ 'signup' ][ 'email' ] . " ',
`hash` = '$hash' ,
`created` = NOW (),
`memid` = '$memid' " ;
mysql_query ( $query );
$emailid = mysql_insert_id ();
2004-12-30 22:16:58 +00:00
$query = " insert into `alerts` set `memid`=' $memid ',
`general` = '".$_SESSION[' signup '][' general ']."' ,
`country` = '".$_SESSION[' signup '][' country ']."' ,
`regional` = '".$_SESSION[' signup '][' regional ']."' ,
`radius` = '".$_SESSION[' signup '][' radius ']."' " ;
mysql_query ( $query );
2004-10-16 00:28:17 +00:00
$body = _ ( " Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content! " ) . " \n \n " ;
2004-12-07 13:21:06 +00:00
$body .= " http:// " . $_SESSION [ '_config' ][ 'normalhostname' ] . " /verify.php?type=email&emailid= $emailid &hash= $hash\n\n " ;
2004-10-16 00:28:17 +00:00
$body .= _ ( " Best regards " ) . " \n " . _ ( " CAcert.org Support! " );
2005-05-23 01:53:59 +00:00
sendmail ( $_SESSION [ 'signup' ][ 'email' ], " [CAcert.org] " . _ ( " Mail Probe " ), $body , " support@cacert.org " , " " , " " , " CAcert Support " );
2005-11-08 10:06:04 +00:00
foreach ( $_SESSION [ 'signup' ] as $key => $val )
$_SESSION [ 'signup' ][ $key ] = " " ;
unset ( $_SESSION [ 'signup' ]);
2004-10-16 00:28:17 +00:00
}
}
2006-11-23 22:22:31 +00:00
if ( $oldid == 11 && $process != " " )
2004-10-16 00:28:17 +00:00
{
2005-07-01 13:12:14 +00:00
$who = stripslashes ( $who );
2006-02-03 18:45:23 +00:00
$email = stripslashes ( $_REQUEST [ 'email' ]);
2005-07-01 13:12:14 +00:00
$subject = stripslashes ( $subject );
$message = stripslashes ( $message );
2006-12-09 00:23:15 +00:00
$secrethash = $_REQUEST [ 'secrethash2' ];
2006-11-23 22:22:31 +00:00
if ( $_SESSION [ '_config' ][ 'secrethash' ] != $secrethash || $secrethash == " " || $_SESSION [ '_config' ][ 'secrethash' ] == " " ||
strstr ( $subject , " botmetka " ) || strstr ( $subject , " servermetka " ))
{
$id = $oldid ;
$process = " " ;
$_SESSION [ '_config' ][ 'errmsg' ] = _ ( " This seems like potential spam, or you have cookies disabled, cannot continue. " );
$oldid = 0 ;
$message = " From: $who\nEmail : $email\nSubject : $subject\n\nMessage : \n " . $message ;
sendmail ( " support@cacert.org " , " [CAcert.org] Possible SPAM " , $message , $email , " " , " " , " CAcert Support " );
echo " Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br> " ;
echo " This seems like potential spam, or you have cookies disabled, cannot continue. " ;
die ;
}
2004-10-16 00:28:17 +00:00
if ( $who == " " || $email == " " || $subject == " " || $message == " " )
{
2006-11-23 22:22:31 +00:00
$id = $oldid ;
$process = " " ;
2004-10-16 00:28:17 +00:00
$_SESSION [ '_config' ][ 'errmsg' ] = _ ( " All fields are mandatory. " ) . " <br> \n " ;
2006-11-23 22:22:31 +00:00
$oldid = 0 ;
2004-10-16 00:28:17 +00:00
}
}
2006-11-23 22:22:31 +00:00
if ( $oldid == 11 && $process != " " && $_REQUEST [ 'support' ] != " yes " )
2004-10-16 00:28:17 +00:00
{
$message = " From: $who\nEmail : $email\nSubject : $subject\n\nMessage : \n " . $message ;
2005-05-23 01:53:59 +00:00
sendmail ( " support@cacert.org " , " [CAcert.org] " . $subject , $message , $email , " " , " " , " CAcert Support " );
2004-10-16 00:28:17 +00:00
showheader ( _ ( " Welcome to CAcert.org " ));
echo _ ( " Your message has been sent. " );
showfooter ();
exit ;
}
2006-11-23 22:22:31 +00:00
if ( $oldid == 11 && $process != " " && $_REQUEST [ 'support' ] == " yes " )
2004-11-30 23:31:18 +00:00
{
$message = " From: $who\nEmail : $email\nSubject : $subject\n\nMessage : \n " . $message ;
2006-11-23 22:22:31 +00:00
sendmail ( " cacert-support@lists.cacert.org " , " [website form email]: " . $subject , $message , " website-form@cacert.org " , " cacert-support@lists.cacert.org, $email " , " " , " CAcert-Website " );
2004-11-30 23:31:18 +00:00
showheader ( _ ( " Welcome to CAcert.org " ));
echo _ ( " Your message has been sent to the general support list. " );
showfooter ();
exit ;
}
2004-10-16 00:28:17 +00:00
if ( $_SESSION [ 'signup' ][ 'year' ] < 1900 )
$_SESSION [ 'signup' ][ 'year' ] = " 19XX " ;
showheader ( _ ( " Welcome to CAcert.org " ));
includeit ( $id );
showfooter ();
?>