This file is part of CAcert. CAcert has been released under a CAcert Source license which can be found included with these source files or can be downloaded from the internet from the following address: http://www.cacert.org/src-lic.php CAcert is distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the License for more details. */ require_once("../includes/loggedin.php"); loadem("account"); if($process != "" && $oldid == 1) { $id = 1; if(trim(mysql_escape_string(stripslashes($newemail))) == "") { showheader(_("My CAcert.org Account!")); printf(_("Not a valid email address. Can't continue."), $email); showfooter(); exit; } unset($oldid); $email = trim(mysql_escape_string(stripslashes($newemail))); $query = "select * from `email` where `email`='$email' and `deleted`=0"; $res = mysql_query($query); if(mysql_num_rows($res) > 0) { showheader(_("My CAcert.org Account!")); printf(_("The email address '%s' is already in the system. Can't continue."), $email); showfooter(); exit; } $rnd = fopen("/dev/urandom", "r"); $hash = md5(fgets($rnd, 64)); fclose($rnd); $query = "insert into `email` set `email`='$email',`memid`='".$_SESSION['profile']['id']."',`created`=NOW(),`hash`='$hash'"; mysql_query($query); $emailid = mysql_insert_id(); $body = _("Below is the link you need to open to verify your email address. Once your address is verified you will be able to start issuing certificates till your hearts' content!")."\n\n"; $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n"; $body .= _("Best regards")."\n"._("CAcert.org Support!"); mail($email, "[CAcert.org] "._("Email Probe"), $body, "From: CAcacert-Support "); showheader(_("My CAcert.org Account!")); printf(_("The email address '%s' has been added to the system, however before any certificates for this can be issued you need to open the link in a browser that has been sent to your email address."), $email); showfooter(); exit; } if($makedefault != "" && $oldid == 2) { $id = 2; $emailid = intval($emailid); $query = "select * from `email` where `id`='$emailid' and `memid`='".$_SESSION['profile']['id']."' and `hash` = '' and `deleted`=0"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { showheader(_("Error!")); echo _("You currently don't have access to the email address you selected, or you haven't verified it yet."); showfooter(); exit; } $row = mysql_fetch_assoc($res); $_SESSION['profile']['email'] = $row['email']; $query = "update `users` set `email`='".$row['email']."' where `id`='".$_SESSION['profile']['id']."'"; mysql_query($query); showheader(_("My CAcert.org Account!")); printf(_("Your default email address has been updated to '%s'."), $row['email']); showfooter(); exit; } if($process != "" && $oldid == 2) { $id = 2; showheader(_("My CAcert.org Account!")); echo _("The following accounts have been removed:")."
\n"; if(is_array($delid)) foreach($delid as $id) { $id = intval($id); $query = "select * from `email` where `id`='$id' and `memid`='".$_SESSION['profile']['id']."' and `email`!='".$_SESSION['profile']['email']."'"; $res = mysql_query($query); if(mysql_num_rows($res) > 0) { $row = mysql_fetch_assoc($res); echo $row['email']."
\n"; $query = "select `emailcerts`.`id` from `emaillink`,`emailcerts` where `emailid`='$id' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0 group by `emailcerts`.`id`"; $dres = mysql_query($query); while($drow = mysql_fetch_assoc($dres)) mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$drow['id']."'"); $query = "update `email` set `deleted`=NOW() where `id`='$id'"; mysql_query($query); } } showfooter(); exit; } if($process != "" && $oldid == 3) { if(!is_array($addid)) { showheader(_("My CAcert.org Account!")); echo _("I didn't receive a valid Certificate Request, hit the back button and try again."); showfooter(); exit; } $_SESSION['_config']['addid'] = $addid; if($_SESSION['profile']['points'] >= 50) $_SESSION['_config']['incname'] = intval($incname); $id = 4; } if($oldid == 4) { if($_POST['keytype'] == "NS") { if($_POST['SPKAC'] == "" || $_POST['SPKAC'] == "deadbeef") { $id = 4; showheader(_("My CAcert.org Account!")); echo _("I didn't receive a valid Certificate Request, hit the back button and try again."); showfooter(); exit; } $emailcount = 0; $emails = ""; $addys = array(); if(is_array($_SESSION['_config']['addid'])) foreach($_SESSION['_config']['addid'] as $id) { $res = mysql_query("select * from `email` where `memid`='".$_SESSION['profile']['id']."' and `id`='$id'"); if(mysql_num_rows($res) > 0) { $row = mysql_fetch_assoc($res); if(!$emails) $defaultemail = $row['email']; $emails .= "$emailcount.emailAddress = ".$row['email']."\n"; $emailcount++; $addys[] = $row['id']; } } if($emailcount <= 0) { $id = 4; showheader(_("My CAcert.org Account!")); echo _("You submitted invalid email addresses, or email address you no longer have control of. Can't continue with certificate request."); showfooter(); exit; } if($_SESSION['_config']['incname'] <= 0 || $_SESSION['_config']['incname'] > 4) $emails .= "commonName = CAcert WoT User\n"; if($_SESSION['_config']['incname'] == 1) $emails .= "commonName = ".$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname']."\n"; if($_SESSION['_config']['incname'] == 2) $emails .= "commonName = ".$_SESSION['profile']['fname']." ".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']."\n"; if($_SESSION['_config']['incname'] == 3) $emails .= "commonName = ".$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix']."\n"; if($_SESSION['_config']['incname'] == 4) $emails .= "commonName = ".$_SESSION['profile']['fname']." ".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix']."\n"; $emails .= "SPKAC = ".str_replace("\n", "", str_replace("\r", "", $_POST['SPKAC'])); $query = "insert into `emailcerts` set `CN`='$defaultemail', `keytype`='NS', `memid`='".$_SESSION['profile']['id']."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP())"; mysql_query($query); $emailid = mysql_insert_id(); if(is_array($addys)) foreach($addys as $addy) mysql_query("insert into `emaillink` set `emailcertsid`='$emailid', `emailid`='$addy'"); $CSRname = $_SESSION['_config']['filepath']."/csr/client-$emailid.csr"; $fp = fopen($CSRname, "w"); fputs($fp, $emails); fclose($fp); mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); } else if($_POST['keytype'] == "MS") { $csr = "-----BEGIN CERTIFICATE REQUEST-----\n".$CSR."-----END CERTIFICATE REQUEST-----\n"; $tmpfname = tempnam("/tmp", "CSR"); $fp = fopen($tmpfname, "w"); fputs($fp, $csr); fclose($fp); $addys = array(); $defaultemail = ""; if($_SESSION['_config']['incname'] <= 0 || $_SESSION['_config']['incname'] > 4) $csrsubject = "/CN=CAcert WoT User"; if($_SESSION['_config']['incname'] == 1) $csrsubject = "/CN=".$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname']; if($_SESSION['_config']['incname'] == 2) $csrsubject = "/CN = ".$_SESSION['profile']['fname']." ".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']."\n"; if($_SESSION['_config']['incname'] == 3) $csrsubject = "/CN = ".$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix']."\n"; if($_SESSION['_config']['incname'] == 4) $csrsubject = "/CN = ".$_SESSION['profile']['fname']." ".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix']."\n"; if(is_array($_SESSION['_config']['addid'])) foreach($_SESSION['_config']['addid'] as $id) { $res = mysql_query("select * from `email` where `memid`='".$_SESSION['profile']['id']."' and `id`='$id'"); if(mysql_num_rows($res) > 0) { $row = mysql_fetch_assoc($res); if($defaultemail == "") $defaultemail = $row['email']; $csrsubject .= "/emailAddress=".$row['email']; $addys[] = $row['id']; } } $tmpname = tempnam("/tmp", "CSR"); $do = `/usr/bin/openssl req -in $tmpfname -out $tmpname`; // -subj "$csr"`; @unlink($tmpfname); $csr = ""; $fp = fopen($tmpname, "r"); while($data = fgets($fp, 4096)) $csr .= $data; fclose($fp); @unlink($tmpname); if($csr == "") { $id = 4; showheader(_("My CAcert.org Account!")); echo _("I didn't receive a valid Certificate Request, hit the back button and try again."); showfooter(); exit; } $query = "insert into `emailcerts` set `CN`='$defaultemail', `keytype`='MS', `memid`='".$_SESSION['profile']['id']."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), `subject`='$csrsubject'"; mysql_query($query); $emailid = mysql_insert_id(); if(is_array($addys)) foreach($addys as $addy) mysql_query("insert into `emaillink` set `emailcertsid`='$emailid', `emailid`='$addy'"); $CSRname = $_SESSION['_config']['filepath']."/csr/client-$emailid.csr"; $fp = fopen($CSRname, "w"); fputs($fp, $csr); fclose($fp); mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); } $do = `../scripts/runclient`; $query = "select * from `emailcerts` where `id`='$emailid' and `crt_name` != ''"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { $id = 4; showheader(_("My CAcert.org Account!")); echo _("Your certificate request has failed to be processed correctly, please try submitting it again."); showfooter(); exit; } else { $id = 6; $cert = $emailid; } } if($oldid == 7) { $newdomain = trim(mysql_escape_string(stripslashes($newdomain))); $res1 = mysql_query("select * from `orgdomains` where `domain`='$newdomain'"); $query = "select * from `domains` where `domain`='".$newdomain."' and `deleted`=0"; $res2 = mysql_query($query); if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2)) { $id = $oldid; unset($oldid); $id = 7; showheader(_("My CAcert.org Account!")); printf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), $newdomain); showfooter(); exit; } } if($oldid == 7) { unset($oldid); $id = 8; $addy = array(); $adds = explode("\n", trim(`whois $newdomain|grep \@`)); if(substr($newdomain, -4) == ".org" || substr($newdomain, -5) == ".info") { if(is_array($adds)) foreach($adds as $line) { $bits = explode(":", $line, 2); $line = trim($bits[1]); if(!in_array($line, $addy) && $line != "") $addy[] = $line; } } else { if(is_array($adds)) foreach($adds as $line) { $line = trim(str_replace("\t", " ", $line)); $bits = explode(" ", $line); foreach($bits as $bit) { if(strstr($bit, "@")) $line = $bit; } if(!in_array($line, $addy) && $line != "") $addy[] = $line; } } $rfc = array("root@$newdomain", "hostmaster@$newdomain", "postmaster@$newdomain", "admin@$newdomain", "webmaster@$newdomain"); foreach($rfc as $sub) if(!in_array($sub, $addy)) $addy[] = $sub; $_SESSION['_config']['addy'] = $addy; $_SESSION['_config']['domain'] = $newdomain; } if($process != "" && $oldid == 8) { unset($oldid); $id = 8; $authaddy = trim(mysql_escape_string(stripslashes($_POST['authaddy']))); if(!in_array($authaddy, $_SESSION['_config']['addy']) || $authaddy == "") { showheader(_("My CAcert.org Account!")); echo _("The address you submitted isn't a valid authority address for the domain."); showfooter(); exit; } $query = "select * from `domains` where `domain`='".$_SESSION['_config']['domain']."' and `deleted`=0"; $res = mysql_query($query); if(mysql_num_rows($res) > 0) { showheader(_("My CAcert.org Account!")); printf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), $_SESSION['_config']['domain']); showfooter(); exit; } $rnd = fopen("/dev/urandom", "r"); $hash = md5(fgets($rnd, 64)); fclose($rnd); $query = "insert into `domains` set `domain`='".$_SESSION['_config']['domain']."', `memid`='".$_SESSION['profile']['id']."',`created`=NOW(),`hash`='$hash'"; mysql_query($query); $domainid = mysql_insert_id(); $body = _("Below is the link you need to open to verify your email address. Once your address is verified you will be able to start issuing certificates till your hearts' content!")."\n\n"; $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=domain&domainid=$domainid&hash=$hash\n\n"; $body .= _("Best regards")."\n"._("CAcert.org Support!"); mail($authaddy, "[CAcert.org] "._("Email Probe"), $body, "From: CAcert-Support "); showheader(_("My CAcert.org Account!")); printf(_("The domain '%s' has been added to the system, however before any certificates for this can be issued you need to open the link in a browser that has been sent to your email address."), $_SESSION['_config']['domain']); showfooter(); exit; } if($process != "" && $oldid == 9) { $id = 9; showheader(_("My CAcert.org Account!")); echo _("The following domains have been removed:")."
("._("Any valid certificates will be revoked as well").")
\n"; if(is_array($delid)) foreach($delid as $id) { $id = intval($id); $query = "select * from `domains` where `id`='$id' and `memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) > 0) { $row = mysql_fetch_assoc($res); echo $row['domain']."
\n"; mysql_query("update `domains` set `deleted`=NOW() where `id`='$id'"); $dres = mysql_query("select * from `domaincerts` where `domid`='$id' and `expire`=0"); while($drow = mysql_fetch_assoc($dres)) { @unlink($row['csr_name']); @unlink($row['crt_name']); mysql_query("delete from `domaincerts` where `id`='".$drow['id']."'"); } mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `domid`='$id' and `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0"); } } showfooter(); exit; } if($process != "" && $oldid == 10) { $CSR = trim($CSR); $_SESSION['_config']['CSR'] = $CSR; $_SESSION['_config']['subject'] = trim(`echo "$CSR"|/usr/bin/openssl req -text|grep Subject:`); $id = 11; extractit(); getcn(); getalt(); if($_SESSION['_config']["0.CN"] == "") { showheader(_("My CAcert.org Account!")); echo _("CommonName field was blank. Can't continue."); showfooter(); exit; } } if($process != "" && $oldid == 11) { $CSR = $_SESSION['_config']['CSR']; $_SESSION['_config']['subject'] = trim(`echo "$CSR"|/usr/bin/openssl req -text|grep Subject:`); $id = 11; extractit(); getcn(); getalt(); if($_SESSION['_config']["0.CN"] == "") { showheader(_("My CAcert.org Account!")); echo _("CommonName field was blank. Can't continue."); showfooter(); exit; } $query = "insert into `domaincerts` set `CN`='".$_SESSION['_config']["0.CN"]."', `domid`='".$_SESSION['_config']['row']['id']."', `created`=NOW()"; mysql_query($query); $CSRid = mysql_insert_id(); foreach($_SESSION['_config']['rowid'] as $dom) mysql_query("insert into `domlink` set `certid`='$CSRid', `domid`='$dom'"); if(is_array($_SESSION['_config']['altid'])) foreach($_SESSION['_config']['altid'] as $dom) mysql_query("insert into `domlink` set `certid`='$CSRid', `domid`='$dom'"); $CSRname = $_SESSION['_config']['filepath']."/csr/server-$CSRid.csr"; $fp = fopen($CSRname, "w"); fputs($fp, $_SESSION['_config']['CSR']); fclose($fp); mysql_query("update `domaincerts` set `CSR_name`='$CSRname' where `id`='$CSRid'"); $do = `../scripts/runserver`; $query = "select * from `domaincerts` where `id`='$CSRid' and `crt_name` != ''"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { showheader(_("My CAcert.org Account!")); echo _("Your certificate request has failed to be processed correctly, please try submitting it again."); showfooter(); exit; } else { $id = 15; $cert = $CSRid; } } if($oldid == 12 && $renew != "") { $id = 12; showheader(_("My CAcert.org Account!")); if(is_array($revokeid)) { echo _("Now renewing the following certificates:")."
\n"; foreach($revokeid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`domaincerts`.`revoked`) as `revoke` from `domaincerts`,`domains` where `domaincerts`.`id`='$id' and `domaincerts`.`domid`=`domains`.`id` and `domains`.`memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row[revoke] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
\n", $row['CN']); continue; } $query = "insert into `domaincerts` set `domid`='".$row['domid']."', `CN`='".$row['CN']."', `csr_name`='".$row['csr_name']."', `created`='".$row['created']."', `modified`=NOW()"; mysql_query($query); $newid = mysql_insert_id(); $newfile = $_SESSION['_config']['filepath']."/csr/server-$newid.csr"; copy($row['csr_name'], $newfile); mysql_query("update `domaincerts` set `csr_name`='$newfile' where `id`='$newid'"); echo _("Renewing").": ".$row['CN']."
\n"; $do = `../scripts/runserver`; $query = "select * from `domaincerts` where `id`='$newid' and `crt_name` != ''"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { echo _("Your certificate request has failed to be processed correctly, please try submitting it again."); } else { $drow = mysql_fetch_assoc($res); $cert = `/usr/bin/openssl x509 -in $drow[crt_name]`; echo "
\n$cert\n
\n"; } } } showfooter(); exit; } if($oldid == 12 && $revoke != "") { $id = 12; showheader(_("My CAcert.org Account!")); if(is_array($revokeid)) { echo _("Now revoking the following certificates:")."
\n"; foreach($revokeid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`domaincerts`.`revoked`) as `revoke` from `domaincerts`,`domains` where `domaincerts`.`id`='$id' and `domaincerts`.`domid`=`domains`.`id` and `domains`.`memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row[revoke] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
\n", $row['CN']); continue; } mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); $do = `../scripts/runserver`; printf(_("Certificate for '%s' has been revoked.")."
\n", $row['CN']); } } if(is_array($delid)) { echo _("Now deleting the following pending requests:")."
\n"; foreach($delid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`domaincerts`.`expire`) as `expired` from `domaincerts`,`domains` where `domaincerts`.`id`='$id' and `domaincerts`.`domid`=`domains`.`id` and `domains`.`memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row['expired'] > 0) { printf(_("Couldn't remove the request for `%s`, request had already been processed.")."
\n", $row['CN']); continue; } mysql_query("delete from `domaincerts` where `id`='$id'"); @unlink($row['csr_name']); @unlink($row['crt_name']); printf(_("Removed a pending request for '%s'")."
\n", $row['CN']); } } showfooter(); exit; } if($oldid == 5 && $renew != "") { showheader(_("My CAcert.org Account!")); if(is_array($revokeid)) { echo _("Now renewing the following certificates:")."
\n"; foreach($revokeid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `emailcerts` where `id`='$id' and `memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row[revoke] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
\n", $row['CN']); continue; } $query = "insert into `emailcerts` set `memid`='".$row['memid']."', `CN`='".$row['CN']."', `keytype`='".$row['keytype']."', `csr_name`='".$row['csr_name']."', `created`='".$row['created']."', `modified`=NOW()"; mysql_query($query); $newid = mysql_insert_id(); $newfile = $_SESSION['_config']['filepath']."/csr/client-$newid.csr"; copy($row['csr_name'], $newfile); mysql_query("update `emailcerts` set `csr_name`='$newfile' where `id`='$newid'"); $res = mysql_query("select * from `emaillink` where `emailcertsid`='".$row['id']."'"); while($r2 = mysql_fetch_assoc($res)) { mysql_query("insert into `emaillink` set `emailid`='".$r2['emailid']."', `emailcertsid`='$newid'"); } $do = `../scripts/runclient`; $query = "select * from `emailcerts` where `id`='$newid' and `crt_name` != ''"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { echo _("Your certificate request has failed to be processed correctly, please try submitting it again."); } else { printf(_("Certificate for '%s' has been renewed."), $row['CN']); echo "". _("Click here")." "._("to install your certificate."); } } } showfooter(); exit; } if($oldid == 5 && $revoke != "") { $id = 5; showheader(_("My CAcert.org Account!")); if(is_array($revokeid)) { echo _("Now revoking the following certificates:")."
\n"; foreach($revokeid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `emailcerts` where `id`='$id' and `memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row[revoke] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
\n", $row['CN']); continue; } mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); $do = `../scripts/runclient`; printf(_("Certificate for '%s' has been revoked.")."
\n", $row['CN']); } } if(is_array($delid)) { echo _("Now deleting the following pending requests:")."
\n"; foreach($delid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`expire`) as `expired` from `emailcerts` where `id`='$id' and `memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row['expired'] > 0) { printf(_("Couldn't remove the request for `%s`, request had already been processed.")."
\n", $row['CN']); continue; } mysql_query("delete from `emailcerts` where `id`='$id'"); @unlink($row['csr_name']); @unlink($row['crt_name']); printf(_("Removed a pending request for '%s'")."
\n", $row['CN']); } } showfooter(); exit; } if($id == 13 && $_SESSION['_config']['user']['set'] != 1) { $_SESSION['_config']['user'] = $_SESSION['profile']; $_SESSION['_config']['user']['set'] = 1; } if($oldid == 13 && $process != "") { $_SESSION['_config']['user']['fname'] = trim(mysql_escape_string(stripslashes($fname))); $_SESSION['_config']['user']['mname'] = trim(mysql_escape_string(stripslashes($mname))); $_SESSION['_config']['user']['lname'] = trim(mysql_escape_string(stripslashes($lname))); $_SESSION['_config']['user']['suffix'] = trim(mysql_escape_string(stripslashes($suffix))); $_SESSION['_config']['user']['day'] = intval($day); $_SESSION['_config']['user']['month'] = intval($month); $_SESSION['_config']['user']['year'] = intval($year); $_SESSION['_config']['user']['Q1'] = trim(mysql_escape_string(stripslashes($Q1))); $_SESSION['_config']['user']['Q2'] = trim(mysql_escape_string(stripslashes($Q2))); $_SESSION['_config']['user']['Q3'] = trim(mysql_escape_string(stripslashes($Q3))); $_SESSION['_config']['user']['Q4'] = trim(mysql_escape_string(stripslashes($Q4))); $_SESSION['_config']['user']['Q5'] = trim(mysql_escape_string(stripslashes($Q5))); $_SESSION['_config']['user']['A1'] = trim(mysql_escape_string(stripslashes($A1))); $_SESSION['_config']['user']['A2'] = trim(mysql_escape_string(stripslashes($A2))); $_SESSION['_config']['user']['A3'] = trim(mysql_escape_string(stripslashes($A3))); $_SESSION['_config']['user']['A4'] = trim(mysql_escape_string(stripslashes($A4))); $_SESSION['_config']['user']['A5'] = trim(mysql_escape_string(stripslashes($A5))); if($_SESSION['profile']['points'] < 100) { if($_SESSION['_config']['user']['fname'] == "" || $_SESSION['_config']['user']['lname'] == "") { $_SESSION['_config']['errmsg'] .= _("First and Last name fields can not be blank.")."
"; $id = $oldid; unset($oldid); } if($_SESSION['_config']['user']['year'] < 1900 || $_SESSION['_config']['user']['month'] < 1 || $_SESSION['_config']['user']['month'] > 12 || $_SESSION['_config']['user']['day'] < 1 || $_SESSION['_config']['user']['day'] > 31) { $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."
\n"; $id = $oldid; unset($oldid); } } } if($oldid == 13 && $process != "") { if($_SESSION['profile']['points'] < 100) { $query = "update `users` set `fname`='".$_SESSION['_config']['user']['fname']."', `mname`='".$_SESSION['_config']['user']['mname']."', `lname`='".$_SESSION['_config']['user']['lname']."', `suffix`='".$_SESSION['_config']['user']['suffix']."', `dob`='".$_SESSION['_config']['user']['year']."-".$_SESSION['_config']['user']['month']."-".$_SESSION['_config']['user']['day']."' where `id`='".$_SESSION['profile']['id']."'"; mysql_query($query); } $query = "update `users` set `Q1`='".$_SESSION['_config']['user']['Q1']."', `Q2`='".$_SESSION['_config']['user']['Q2']."', `Q3`='".$_SESSION['_config']['user']['Q3']."', `Q4`='".$_SESSION['_config']['user']['Q4']."', `Q5`='".$_SESSION['_config']['user']['Q5']."', `A1`='".$_SESSION['_config']['user']['A1']."', `A2`='".$_SESSION['_config']['user']['A2']."', `A3`='".$_SESSION['_config']['user']['A3']."', `A4`='".$_SESSION['_config']['user']['A4']."', `A5`='".$_SESSION['_config']['user']['A5']."' where `id`='".$_SESSION['profile']['id']."'"; mysql_query($query); $_SESSION['_config']['user']['set'] = 0; $_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_SESSION['profile']['id']."'")); $_SESSION['profile']['loggedin'] = 1; $id = 13; showheader(_("My CAcert.org Account!")); echo _("Your details have been updated with the database."); showfooter(); exit; } if($oldid == 14 && $process != "") { $_SESSION['_config']['user']['oldpass'] = trim(mysql_escape_string(stripslashes($oldpassword))); $_SESSION['_config']['user']['pword1'] = trim(mysql_escape_string(stripslashes($pword1))); $_SESSION['_config']['user']['pword2'] = trim(mysql_escape_string(stripslashes($pword2))); $id = 14; showheader(_("My CAcert.org Account!")); if($_SESSION['_config']['user']['pword1'] == "" || $_SESSION['_config']['user']['pword1'] != $_SESSION['_config']['user']['pword2']) { echo _("New Pass Phrases specified don't match or were blank."); } else { $score = checkpw($_SESSION['_config']['user']['pword1'], $_SESSION['profile']['email'], $_SESSION['profile']['fname'], $_SESSION['profile']['mname'], $_SESSION['profile']['lname'], $_SESSION['profile']['suffix']); $match = mysql_query("select * from `users` where `id`='".$_SESSION['profile']['id']."' and `password`=password('".$_SESSION['_config']['user']['oldpass']."')"); if(strlen($_SESSION['_config']['user']['pword1']) < 6) { echo _("The Pass Phrase you submitted was too short."); } else if($score < 3) { echo _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6."); } else if(mysql_num_rows($match) <= 0) { echo _("You failed to correctly enter your current Pass Phrase."); } else { mysql_query("update `users` set `password`=password('".$_SESSION['_config']['user']['pword1']."') where `id`='".$_SESSION['profile']['id']."'"); echo _("Your Pass Phrase has been updated and your primary email account has been notified of the change."); } } showfooter(); exit; } if($oldid == 16) { $id = 16; $_SESSION['_config']['emails'] = array(); foreach($_POST['emails'] as $val) { $val = mysql_escape_string(stripslashes(trim($val))); $bits = explode("@", $val); $count = count($bits); if($count != 2) continue; if(checkownership($bits[1]) == false) continue; if(!is_array($_SESSION['_config']['row'])) continue; else if($_SESSION['_config']['row']['id'] > 0) $_SESSION['_config']['domids'][] = $_SESSION['_config']['row']['id']; if($val != "") $_SESSION['_config']['emails'][] = $val; } $_SESSION['_config']['name'] = mysql_escape_string(stripslashes(trim($name))); } if($oldid == 16 && (intval(count($_SESSION['_config']['emails'])) + 0) <= 0) { $id = 16; showheader(_("My CAcert.org Account!")); echo _("I couldn't match any emails against your organisational account."); showfooter(); exit; } if($oldid == 16 && $process != "") { if(@count($_SESSION['_config']['emails']) > 0) $id = 17; } if($oldid == 17) { $org = $_SESSION['_config']['row']; if($_POST['keytype'] == "NS") { if($_POST['SPKAC'] == "" || strlen($_POST['SPKAC']) < 128) { $id = 17; showheader(_("My CAcert.org Account!")); echo _("I didn't receive a valid Certificate Request, hit the back button and try again."); showfooter(); exit; } $emailcount = 0; $emails = ""; $addys = array(); if(is_array($_SESSION['_config']['emails'])) foreach($_SESSION['_config']['emails'] as $email) { if(!$emails) $defaultemail = $email; $emails .= "$emailcount.emailAddress = $email\n"; $emailcount++; } if($_SESSION['_config']['name'] != "") $emails .= "commonName = ".$_SESSION['_config']['name']."\n"; if($org['OU']) $emails .= "organizationalUnitName = ".$org['OU']."\n"; if($org['O']) $emails .= "organizationName = ".$org['O']."\n"; if($org['L']) $emails .= "localityName = ".$org['L']."\n"; if($org['ST']) $emails .= "stateOrProvinceName = ".$org['ST']."\n"; if($org['C']) $emails .= "countryName = ".$org['C']."\n"; $emails .= "SPKAC = ".str_replace("\n", "", str_replace("\r", "", $_POST['SPKAC'])); $query = "insert into `orgemailcerts` set `CN`='$defaultemail', `keytype`='NS', `orgid`='".$org['orgid']."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP())"; mysql_query($query); $emailid = mysql_insert_id(); foreach($_SESSION['_config']['domids'] as $addy) mysql_query("insert into `domemaillink` set `emailcertsid`='$emailid', `emailid`='$addy'"); $CSRname = $_SESSION['_config']['filepath']."/csr/orgclient-$emailid.csr"; $fp = fopen($CSRname, "w"); fputs($fp, $emails); fclose($fp); mysql_query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); } else if($_POST['keytype'] == "MS") { $csr = "-----BEGIN CERTIFICATE REQUEST-----\n".$CSR."-----END CERTIFICATE REQUEST-----\n"; $tmpfname = tempnam("/tmp", "CSR"); $fp = fopen($tmpfname, "w"); fputs($fp, $csr); fclose($fp); $addys = array(); $defaultemail = ""; if($_SESSION['_config']['name'] != "") $csrsubject = "/CN=".$_SESSION['_config']['name']; if(is_array($_SESSION['_config']['emails'])) foreach($_SESSION['_config']['emails'] as $email) { if($defaultemail == "") $defaultemail = $email; $csrsubject .= "/emailAddress=$email"; } if($org['OU']) $csrsubject .= "/organizationalUnitName=".$org['OU']; if($org['O']) $csrsubject .= "/organizationName=".$org['O']; if($org['L']) $csrsubject .= "/localityName=".$org['L']; if($org['ST']) $csrsubject .= "/stateOrProvinceName=".$org['ST']; if($org['C']) $csrsubject .= "/countryName=".$org['C']; $tmpname = tempnam("/tmp", "CSR"); $do = `/usr/bin/openssl req -in $tmpfname -out $tmpname`; @unlink($tmpfname); $csr = ""; $fp = fopen($tmpname, "r"); while($data = fgets($fp, 4096)) $csr .= $data; fclose($fp); @unlink($tmpname); if($csr == "") { showheader(_("My CAcert.org Account!")); echo _("I didn't receive a valid Certificate Request, hit the back button and try again."); showfooter(); exit; } $query = "insert into `orgemailcerts` set `CN`='$defaultemail', `keytype`='MS', `orgid`='".$org['orgid']."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), `subject`='$csrsubject'"; mysql_query($query); $emailid = mysql_insert_id(); foreach($_SESSION['_config']['domids'] as $addy) mysql_query("insert into `domemaillink` set `emailcertsid`='$emailid', `emailid`='$addy'"); $CSRname = $_SESSION['_config']['filepath']."/csr/orgclient-$emailid.csr"; $fp = fopen($CSRname, "w"); fputs($fp, $csr); fclose($fp); mysql_query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); } $do = `../scripts/runclient`; $query = "select * from `orgemailcerts` where `id`='$emailid' and `crt_name` != ''"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { showheader(_("My CAcert.org Account!")); echo _("Your certificate request has failed to be processed correctly, please try submitting it again."); showfooter(); exit; } else { $id = 19; $cert = $emailid; } } if($oldid == 18 && $renew != "") { showheader(_("My CAcert.org Account!")); if(is_array($revokeid)) { $id = 18; echo _("Now renewing the following certificates:")."
\n"; foreach($revokeid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `orgemailcerts`, `org` where `orgemailcerts`.`id`='$id' and `org`.`memid`='".$_SESSION['profile']['id']."' and `org`.`orgid`=`orgemailcerts`.`orgid`"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row[revoke] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
\n", $row['CN']); continue; } $query = "insert into `orgemailcerts` set `orgid`='".$row['orgid']."', `CN`='".$row['CN']."', `keytype`='".$row['keytype']."', `csr_name`='".$row['csr_name']."', `created`='".$row['created']."', `modified`=NOW(), `subject`='".$row['subject']."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile = $_SESSION['_config']['filepath']."/csr/orgclient-$newid.csr"; copy($row['csr_name'], $newfile); mysql_query("update `orgemailcerts` set `csr_name`='$newfile' where `id`='$newid'"); $do = `../scripts/runclient`; $query = "select * from `orgemailcerts` where `id`='$newid' and `crt_name` != ''"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { echo _("Your certificate request has failed to be processed correctly, please try submitting it again."); } else { printf(_("Certificate for '%s' has been renewed."), $row['CN']); echo "". _("Click here")." "._("to install your certificate."); } } } showfooter(); exit; } if($oldid == 18 && $revoke != "") { $id = 18; showheader(_("My CAcert.org Account!")); if(is_array($revokeid)) { echo _("Now revoking the following certificates:")."
\n"; foreach($revokeid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `orgemailcerts`, `org` where `orgemailcerts`.`id`='$id' and `org`.`memid`='".$_SESSION['profile']['id']."' and `org`.`orgid`=`orgemailcerts`.`orgid`"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row[revoke] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
\n", $row['CN']); continue; } mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); $do = `../scripts/runclient`; printf(_("Certificate for '%s' has been revoked.")."
\n", $row['CN']); } } if(is_array($delid)) { echo _("Now deleting the following pending requests:")."
\n"; foreach($delid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`expire`) as `expired` from `orgemailcerts`, `org` where `orgemailcerts`.`id`='$id' and `org`.`memid`='".$_SESSION['profile']['id']."' and `org`.`orgid`=`orgemailcerts`.`orgid`"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row['expired'] > 0) { printf(_("Couldn't remove the request for `%s`, request had already been processed.")."
\n", $row['CN']); continue; } mysql_query("delete from `orgemailcerts` where `id`='$id'"); @unlink($row['csr_name']); @unlink($row['crt_name']); printf(_("Removed a pending request for '%s'")."
\n", $row['CN']); } } showfooter(); exit; } if($process != "" && $oldid == 20) { $CSR = trim($CSR); $_SESSION['_config']['CSR'] = $CSR; $_SESSION['_config']['subject'] = trim(`echo "$CSR"|/usr/bin/openssl req -text|grep Subject:`); $id = 21; extractit(); getcn2(); getalt2(); $query = "select * from `orginfo`,`org`,`orgdomains` where `org`.`memid`='".$_SESSION['profile']['id']."' and `org`.`orgid`=`orginfo`.`id` and `org`.`orgid`=`orgdomains`.`orgid` and `orgdomains`.`domain`='".$_SESSION['_config']["0.CN"]."'"; $_SESSION['_config'][org] = mysql_fetch_assoc(mysql_query($query)); if($_SESSION['_config']["0.CN"] == "") { $id = 20; showheader(_("My CAcert.org Account!")); echo _("CommonName field was blank. Can't continue."); showfooter(); exit; } } if($process != "" && $oldid == 21) { $CSR = $_SESSION['_config']['CSR']; $_SESSION['_config']['subject'] = trim(`echo "$CSR"|/usr/bin/openssl req -text|grep Subject:`); extractit(); getcn2(); getalt2(); if($_SESSION['_config']["0.CN"] == "") { showheader(_("My CAcert.org Account!")); echo _("CommonName field was blank. Can't continue."); showfooter(); exit; } $query = "select * from `org`,`orginfo` where `orginfo`.`id`='".$_SESSION['_config']['rowid']['0']."' and `orginfo`.`id`=`org`.`orgid` and `org`.`memid`='".$_SESSION['profile']['id']."'"; $org = mysql_fetch_assoc(mysql_query($query)); if($org['OU']) $csrsubject .= "/organizationalUnitName=".$org['OU']; if($org['O']) $csrsubject .= "/organizationName=".$org['O']; if($org['L']) $csrsubject .= "/localityName=".$org['L']; if($org['ST']) $csrsubject .= "/stateOrProvinceName=".$org['ST']; if($org['C']) $csrsubject .= "/countryName=".$org['C']; if($org['contact']) $csrsubject .= "/emailAddress=".$org['contact']; if(is_array($_SESSION['_config']['rows'])) foreach($_SESSION['_config']['rows'] as $row) $csrsubject .= "/commonName=$row"; if(is_array($_SESSION['_config']['altrows'])) foreach($_SESSION['_config']['altrows'] as $subalt) $csrsubject .= "/subjectAltName=$subalt"; $query = "insert into `orgdomaincerts` set `CN`='".$_SESSION['_config']["0.CN"]."', `orgid`='".$_SESSION['_config']['row']['id']."', `created`=NOW(), `subject`='$csrsubject'"; mysql_query($query); $CSRid = mysql_insert_id(); $CSRname = $_SESSION['_config']['filepath']."/csr/orgserver-$CSRid.csr"; $fp = fopen($CSRname, "w"); fputs($fp, $_SESSION['_config']['CSR']); fclose($fp); mysql_query("update `orgdomaincerts` set `CSR_name`='$CSRname' where `id`='$CSRid'"); foreach($_SESSION['_config']['rowid'] as $id) mysql_query("insert into `orgdomlink` set `orgdomid`='$id', `orgcertid`='$CSRid'"); if(is_array($_SESSION['_config']['altid'])) foreach($_SESSION['_config']['altid'] as $id) mysql_query("insert into `orgdomlink` set `orgdomid`='$id', `orgcertid`='$CSRid'"); $do = `../scripts/runserver`; $query = "select * from `orgdomaincerts` where `id`='$CSRid' and `crt_name` != ''"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { showheader(_("My CAcert.org Account!")); echo _("Your certificate request has failed to be processed correctly, please try submitting it again."); showfooter(); exit; } else { $id = 23; $cert = $CSRid; } } if($oldid == 22 && $renew != "") { showheader(_("My CAcert.org Account!")); if(is_array($revokeid)) { echo _("Now renewing the following certificates:")."
\n"; foreach($revokeid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`orgdomaincerts`.`revoked`) as `revoke` from `orgdomaincerts`,`org` where `orgdomaincerts`.`id`='$id' and `orgdomaincerts`.`orgid`=`org`.`orgid` and `org`.`memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row[revoke] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
\n", $row['CN']); continue; } $query = "insert into `orgdomaincerts` set `orgid`='".$row['orgid']."', `CN`='".$row['CN']."', `csr_name`='".$row['csr_name']."', `created`='".$row['created']."', `modified`=NOW(), `subject`='".$row['subject']."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile = $_SESSION['_config']['filepath']."/csr/orgserver-$newid.csr"; copy($row['csr_name'], $newfile); mysql_query("update `orgdomaincerts` set `csr_name`='$newfile' where `id`='$newid'"); echo _("Renewing").": ".$row['CN']."
\n"; $res = mysql_query("select * from `orgdomlink` where `orgcertid`='".$row['id']."'"); while($r2 = mysql_fetch_assoc($res)) mysql_query("insert into `orgdomlink` set `orgdomid`='".$r2['id']."', `orgcertid`='$newid'"); $do = `../scripts/runserver`; $query = "select * from `orgdomaincerts` where `id`='$newid' and `crt_name` != ''"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { echo _("Your certificate request has failed to be processed correctly, please try submitting it again."); } else { $drow = mysql_fetch_assoc($res); $cert = `/usr/bin/openssl x509 -in $drow[crt_name]`; echo "
\n$cert\n
\n"; } } } showfooter(); exit; } if($oldid == 22 && $revoke != "") { showheader(_("My CAcert.org Account!")); if(is_array($revokeid)) { echo _("Now revoking the following certificates:")."
\n"; foreach($revokeid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`orgdomaincerts`.`revoked`) as `revoke` from `orgdomaincerts`,`org` where `orgdomaincerts`.`id`='$id' and `orgdomaincerts`.`orgid`=`org`.`orgid` and `org`.`memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row[revoke] > 0) { printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."
\n", $row['CN']); continue; } mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='$id'"); $do = `../scripts/runserver`; printf(_("Certificate for '%s' has been revoked.")."
\n", $row['CN']); } } if(is_array($delid)) { echo _("Now deleting the following pending requests:")."
\n"; foreach($delid as $id) { $id = intval($id); $query = "select *,UNIX_TIMESTAMP(`orgdomaincerts`.`expire`) as `expired` from `orgdomaincerts`,`org` where `orgdomaincerts`.`id`='$id' and `orgdomaincerts`.`orgid`=`org`.`orgid` and `org`.`memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { printf(_("Invalid ID '%s' presented, can't do anything with it.")."
\n", $id); continue; } $row = mysql_fetch_assoc($res); if($row['expired'] > 0) { printf(_("Couldn't remove the request for `%s`, request had already been processed.")."
\n", $row['CN']); continue; } mysql_query("delete from `orgdomaincerts` where `id`='$id'"); @unlink($row['csr_name']); @unlink($row['crt_name']); printf(_("Removed a pending request for '%s'")."
\n", $row['CN']); } } showfooter(); exit; } if(($id == 24 || $oldid == 24 || $id == 25 || $oldid == 25 || $id == 26 || $oldid == 26 || $id == 27 || $oldid == 27 || $id == 28 || $oldid == 28 || $id == 29 || $oldid == 29 || $id == 30 || $oldid == 30 || $id == 31 || $oldid == 31) && $_SESSION['profile']['admin'] != 1) { showheader(_("My CAcert.org Account!")); echo _("You don't have access to this area."); showfooter(); exit; } if($oldid == 24 && $process != "") { $id = intval($oldid); $_SESSION['_config']['O'] = trim(mysql_escape_string(stripslashes($O))); $_SESSION['_config']['contact'] = trim(mysql_escape_string(stripslashes($contact))); $_SESSION['_config']['L'] = trim(mysql_escape_string(stripslashes($L))); $_SESSION['_config']['ST'] = trim(mysql_escape_string(stripslashes($ST))); $_SESSION['_config']['C'] = trim(mysql_escape_string(stripslashes($C))); $_SESSION['_config']['comments'] = trim(mysql_escape_string(stripslashes($comments))); if($_SESSION['_config']['O'] == "" || $_SESSION['_config']['contact'] == "") { $_SESSION['_config']['errmsg'] = _("Organisation Name and Contact Email are required fields."); } else { mysql_query("insert into `orginfo` set `O`='".$_SESSION['_config']['O']."', `contact`='".$_SESSION['_config']['contact']."', `L`='".$_SESSION['_config']['L']."', `ST`='".$_SESSION['_config']['ST']."', `C`='".$_SESSION['_config']['C']."', `comments`='".$_SESSION['_config']['comments']."'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully added as an organisation to the database."), $_SESSION['_config']['O']); showfooter(); exit; } } if($oldid == 27 && $process != "") { $id = intval($oldid); $_SESSION['_config']['O'] = trim(mysql_escape_string(stripslashes($O))); $_SESSION['_config']['contact'] = trim(mysql_escape_string(stripslashes($contact))); $_SESSION['_config']['L'] = trim(mysql_escape_string(stripslashes($L))); $_SESSION['_config']['ST'] = trim(mysql_escape_string(stripslashes($ST))); $_SESSION['_config']['C'] = trim(mysql_escape_string(stripslashes($C))); $_SESSION['_config']['comments'] = trim(mysql_escape_string(stripslashes($comments))); if($_SESSION['_config']['O'] == "" || $_SESSION['_config']['contact'] == "") { $_SESSION['_config']['errmsg'] = _("Organisation Name and Contact Email are required fields."); } else { mysql_query("update `orginfo` set `O`='".$_SESSION['_config']['O']."', `contact`='".$_SESSION['_config']['contact']."', `L`='".$_SESSION['_config']['L']."', `ST`='".$_SESSION['_config']['ST']."', `C`='".$_SESSION['_config']['C']."', `comments`='".$_SESSION['_config']['comments']."' where `id`='".$_SESSION['_config']['orgid']."'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully updated in the database."), $_SESSION['_config']['O']); showfooter(); exit; } } if($oldid == 28 && $process != "") { $domain = $_SESSION['_config']['domain'] = trim(mysql_escape_string(stripslashes($domainname))); $res1 = mysql_query("select * from `orgdomains` where `domain`='$domain'"); if(mysql_num_rows($res1) > 0) { $_SESSION['_config']['errmsg'] = sprintf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), $domain); $id = $oldid; unset($oldid); } } if($_SESSION['_config']['orgid'] <= 0 && $oldid == 28) { unset($oldid); $id = 25; } if($oldid == 28 && $process != "") { mysql_query("insert into `orgdomains` set `orgid`='".$_SESSION['_config']['orgid']."', `domain`='$domain'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully added to the database."), $domain); echo "

"._("Click here")." "._("to continue."); showfooter(); exit; } if($oldid == 29 && $process != "") { $domain = mysql_escape_string(stripslashes(trim($domainname))); $res1 = mysql_query("select * from `orgdomains` where `domain` like '$domain' and `id`!='".$_SESSION['_config']['domid']."'"); $res2 = mysql_query("select * from `domains` where `domain` like '$domain' and `deleted`=0"); if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0) { $_SESSION['_config']['errmsg'] = sprintf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), $domain); $id = $oldid; unset($oldid); } } if(($oldid == 29 || $oldid == 30) && $process != _("Cancel")) { $query = "select `orgdomaincerts`.`id` as `id` from `orgdomlink`, `orgdomaincerts`, `orgdomains` where `orgdomlink`.`orgdomid`=`orgdomains`.`id` and `orgdomaincerts`.`id`=`orgdomlink`.`orgcertid` and `orgdomains`.`id`='".$_SESSION['_config']['domid']."'"; $res = mysql_query($query); while($row = mysql_fetch_assoc($res)) mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['id']."'"); $query = "select `orgemailcerts`.`id` as `id` from `orgemailcerts`, `orgemaillink`, `orgdomains` where `orgemaillink`.`domid`=`orgdomains`.`id` and `orgemailcerts`.`id`=`orgemaillink`.`emailcertsid` and `orgdomains`.`id`='".$_SESSION['_config']['domid']."'"; $res = mysql_query($query); while($row = mysql_fetch_assoc($res)) mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['id']."'"); $do = `../scripts/runserver`; $do = `../scripts/runclient`; } if($oldid == 29 && $process != "") { $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".$_SESSION['_config']['domid']."'")); mysql_query("update `orgdomains` set `domain`='$domain' where `id`='".$_SESSION['_config']['domid']."'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully updated in the database."), $domain); echo "

"._("Click here")." "._("to continue."); showfooter(); exit; } if($oldid == 30 && $process != "") { $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".$_SESSION['_config']['domid']."'")); $domain = $row['domain']; mysql_query("delete from `orgdomains` where `id`='".$_SESSION['_config']['domid']."'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully deleted from the database."), $domain); echo "

"._("Click here")." "._("to continue."); showfooter(); exit; } if($oldid == 30) { $id = 26; $orgid = 0; } if($oldid == 31 && $process != _("Cancel")) { $query = "select * from `orgdomains` where `orgid`='".$_SESSION['_config']['orgid']."'"; $dres = mysql_query($query); while($drow = mysql_fetch_assoc($dres)) { $query = "select `orgdomaincerts`.`id` as `id` from `orgdomlink`, `orgdomaincerts`, `orgdomains` where `orgdomlink`.`orgdomid`=`orgdomains`.`id` and `orgdomaincerts`.`id`=`orgdomlink`.`orgcertid` and `orgdomains`.`id`='".$drow['id']."'"; $res = mysql_query($query); while($row = mysql_fetch_assoc($res)) { mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['id']."'"); $do = `../scripts/runserver`; mysql_query("delete from `orgdomaincerts` where `orgid`='".$row['id']."'"); mysql_query("delete from `orgdomlink` where `domid`='".$row['id']."'"); } $query = "select `orgemailcerts`.`id` as `id` from `orgemailcerts`, `orgemaillink`, `orgdomains` where `orgemaillink`.`domid`=`orgdomains`.`id` and `orgemailcerts`.`id`=`orgemaillink`.`emailcertsid` and `orgdomains`.`id`='".$drow['id']."'"; $res = mysql_query($query); while($row = mysql_fetch_assoc($res)) { mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['id']."'"); $do = `../scripts/runclient`; mysql_query("delete from `orgemailcerts` where `id`='".$row['id']."'"); mysql_query("delete from `orgemaillink` where `domid`='".$row['id']."'"); } } mysql_query("delete from `org` where `orgid`='".$_SESSION['_config']['orgid']."'"); mysql_query("delete from `orgdomains` where `orgid`='".$_SESSION['_config']['orgid']."'"); mysql_query("delete from `orginfo` where `id`='".$_SESSION['_config']['orgid']."'"); } if($oldid == 31) { $id = 25; $orgid = 0; } if($id == 32 || $oldid == 32 || $id == 33 || $oldid == 33 || $id == 34 || $oldid == 34 || $id == 35 || $oldid == 35) { $query = "select * from `org` where `memid`='".$_SESSION['profile']['id']."' and `masteracc`='1'"; $_macc = mysql_num_rows(mysql_query($query)); if($_SESSION['profile']['admin'] != 1 && $_macc <= 0) { showheader(_("My CAcert.org Account!")); echo _("You don't have access to this area."); showfooter(); exit; } } if($id == 33 && $_SESSION['profile']['admin'] != 1) { $orgid = $_SESSION['_config']['orgid']; $query = "select * from `org` where `orgid`='$orgid' and `memid`='".$_SESSION['profile']['id']."'"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { $id = 35; } } if($id == 34 && $_SESSION['profile']['admin'] != 1) { $orgid = intval($orgid); $memid = intval($memid); $res = mysql_query("select * from `org` where `orgid`='$orgid' and `memid`='".$_SESSION['profile']['id']."'"); $_macc2 = mysql_num_rows(mysql_query("select * from `org` where `memid`='$memid' and `masteracc`='1'")); if(mysql_num_rows($res) <= 0 || $_macc2 > 0) { $id = 32; } } if($oldid == 33 && $process != "") { if($_SESSION['profile']['admin'] == 1) $masteracc = $_SESSION['_config'][masteracc] = intval($masteracc); else $masteracc = $_SESSION['_config'][masteracc] = 0; $email = $_SESSION['_config']['email'] = mysql_escape_string(stripslashes(trim($email))); $OU = $_SESSION['_config']['OU'] = mysql_escape_string(stripslashes(trim($OU))); $comments = $_SESSION['_config']['comments'] = mysql_escape_string(stripslashes(trim($comments))); $res = mysql_query("select * from `users` where `email`='$email'"); if(mysql_num_rows($res) <= 0) { $id = $oldid; unset($oldid); $_SESSION['_config']['errmsg'] = sprintf(_("Wasn't able to match '%s' against any user in the system"), $email); } else { $row = mysql_fetch_assoc($res); mysql_query("insert into `org` set `memid`='".$row['id']."', `orgid`='".$_SESSION['_config']['orgid']."', `masteracc`='$masteracc', `OU`='$OU', `comments`='$comments'"); } } if($oldid == 34 && $process != "") { mysql_query("delete from `org` where `memid`='".$_SESSION['_config']['memid']."'"); } if($oldid == 34 || $oldid == 33) { unset($oldid); $id = 32; $orgid = 0; } if($oldid == 36) { $rc = mysql_num_rows(mysql_query("select * from `alerts` where `memid`='".$_SESSION['profile']['id']."'")); if($rc > 0) { $query = "update `alerts` set `general`='".intval($_POST['general'])."', `country`='".intval($_POST['country'])."', `regional`='".intval($_POST['regional'])."', `radius`='".intval($_POST['radius'])."' where `memid`='".$_SESSION['profile']['id']."'"; } else { $query = "insert into `alerts` set `general`='".intval($_POST['general'])."', `country`='".intval($_POST['country'])."', `regional`='".intval($_POST['regional'])."', `radius`='".intval($_POST['radius'])."', `memid`='".$_SESSION['profile']['id']."'"; } mysql_query($query); $id = $oldid; unset($oldid); } if($id == 36) { $row = mysql_fetch_assoc(mysql_query("select * from `alerts` where `memid`='".$_SESSION['profile']['id']."'")); $_POST['general'] = $row['general']; $_POST['country'] = $row['country']; $_POST['regional'] = $row['regional']; $_POST['radius'] = $row['radius']; } if($oldid == 41) { $lang = mysql_escape_string($_POST['lang']); foreach($_SESSION['_config']['translations'] as $key => $val) { if($key == $lang) { mysql_query("update `users` set `language`='$lang' where `id`='".$_SESSION['profile']['id']."'"); showheader(_("My CAcert.org Account!")); echo _("Your language setting has been updated."); showfooter(); exit; } } showheader(_("My CAcert.org Account!")); echo _("You tried to use an invalid language."); showfooter(); exit; } if(($id == 42 || $id == 43 || $id == 44 || $id == 48 || $id == 49 || $id == 50 || $oldid == 42 || $oldid == 43 || $oldid == 44 || $oldid == 48 || $oldid == 49 || $oldid == 50) && $_SESSION['profile']['admin'] != 1) { showheader(_("My CAcert.org Account!")); echo _("You don't have access to this area."); showfooter(); exit; } if($oldid == 42 && $_POST['email'] == "") { $id = $oldid; unset($oldid); } if($oldid == 42) { $id = 43; unset($oldid); } if($oldid == 48 && $_POST['domain'] == "") { $id = $oldid; unset($oldid); } if($oldid == 48) { $id = 49; unset($oldid); } if($id == 44) { if($_GET['userid'] != "") $_POST['userid'] = intval($_GET['userid']); $row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_POST['userid']."'")); if($row['email'] == "") $id = 42; else $_POST['email'] = $row['email']; } if($oldid == 44) { showheader(_("My CAcert.org Account!")); if(intval($_POST['userid']) <= 0) { echo _("No such user found."); } else { mysql_query("update `users` set `password`=password('".mysql_escape_string(stripslashes($_POST['newpass']))."') where `id`='".intval($_POST['userid'])."'"); $row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_POST['userid']."'")); printf(_("The password for %s has been updated sucessfully in the system."), $row['email']); } showfooter(); exit; } if($process != "" && $oldid == 45) { $CSR = trim($CSR); $_SESSION['_config']['CSR'] = $CSR; $_SESSION['_config']['subject'] = trim(`echo "$CSR"|/usr/bin/openssl req -text|grep Subject:`); $id = 46; extractit(); getcn(); getalt(); if($_SESSION['_config']["0.CN"] == "") { showheader(_("My CAcert.org Account!")); echo _("CommonName field was blank. Can't continue."); showfooter(); exit; } } if($process != "" && $oldid == 46) { $CSR = $_SESSION['_config']['CSR']; $_SESSION['_config']['subject'] = trim(`echo "$CSR"|/usr/bin/openssl req -text|grep Subject:`); $id = 11; extractit(); getcn(); getalt(); if($_SESSION['_config']["0.CN"] == "") { showheader(_("My CAcert.org Account!")); echo _("CommonName field was blank. Can't continue."); showfooter(); exit; } $query = "insert into `domaincerts` set `CN`='".$_SESSION['_config']["0.CN"]."', `domid`='".$_SESSION['_config']['row']['id']."', `created`=NOW()"; mysql_query($query); $CSRid = mysql_insert_id(); foreach($_SESSION['_config']['rowid'] as $dom) mysql_query("insert into `domlink` set `certid`='$CSRid', `domid`='$dom'"); if(is_array($_SESSION['_config']['altid'])) foreach($_SESSION['_config']['altid'] as $dom) mysql_query("insert into `domlink` set `certid`='$CSRid', `domid`='$dom'"); $CSRname = $_SESSION['_config']['filepath']."/csr/server-$CSRid.csr"; $fp = fopen($CSRname, "w"); fputs($fp, $_SESSION['_config']['CSR']); fclose($fp); mysql_query("update `domaincerts` set `CSR_name`='$CSRname' where `id`='$CSRid'"); $do = `../scripts/runserver`; $query = "select * from `domaincerts` where `id`='$CSRid' and `crt_name` != ''"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) { showheader(_("My CAcert.org Account!")); echo _("Your certificate request has failed to be processed correctly, please try submitting it again."); showfooter(); exit; } else { $id = 47; $cert = $CSRid; } } if($id == 50) { if($_GET['userid'] != "") $_POST['userid'] = intval($_GET['userid']); else $_POST['userid'] = intval($_POST['userid']); $row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_POST['userid']."'")); if($row['email'] == "") $id = 42; else $_POST['email'] = $row['email']; } if($oldid == 50) { $id = 43; $_GET['userid'] = intval($_POST['userid']); } if($oldid == 50 && $_POST['process'] != "") { $_POST['userid'] = intval($_POST['userid']); $res = mysql_query("select * from `users` where `id`='".$_POST['userid']."'"); if(mysql_num_rows($res) > 0) { $query = "update `domaincerts`,`domains` SET `domaincerts`.`revoked`=NOW() WHERE `domaincerts`.`domid` = `domains`.`id` AND `domains`.`memid`='".$_POST['userid']."'"; mysql_query($query); $query = "update `domains` SET `deleted`=NOW() WHERE `domains`.`memid`='".$_POST['userid']."'"; mysql_query($query); $query = "update `emailcerts` SET `revoked`=NOW() WHERE `memid`='".$_POST['userid']."'"; mysql_query($query); $query = "update `email` SET `deleted`=NOW() WHERE `memid`='".$_POST['userid']."'"; mysql_query($query); $query = "delete from `org` WHERE `memid`='".$_POST['userid']."'"; mysql_query($query); $query = "update `users` SET `deleted`=NOW() WHERE `id`='".$_POST['userid']."'"; mysql_query($query); } } if(intval($cert) > 0) $_SESSION['_config']['cert'] = intval($cert); if(intval($orgid) > 0) $_SESSION['_config']['orgid'] = intval($orgid); if(intval($memid) > 0) $_SESSION['_config']['memid'] = intval($memid); if(intval($domid) > 0) $_SESSION['_config']['domid'] = intval($domid); $_SESSION['_config']['agent'] = $HTTP_USER_AGENT; ?>