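/**
 * Second step of the password reset: the user arrived via the emailed link
 * (state held in $_SESSION) and now submits the new password.
 *
 * Validation order: session state, then the submitted form, then the stored
 * reset token (KReset.str / KReset.dateexp via getAtts), then resetPass().
 * Form problems re-show the form via allow_reset(); token problems end in
 * resetfail(); an email-option lookup failure is a system error.
 *
 * @return mixed whatever allow_reset() / resetfail() / yok() return (page content)
 */
function dbreset()
{
    // Presumably set by the reset-link handler; without all three there is no
    // reset in progress, so treat it like an invalid token rather than
    // continuing with nulls
    if (!isset($_SESSION['reset_user'], $_SESSION['reset_hash'], $_SESSION['reset_email'])) {
        return resetfail();
    }
    $user = $_SESSION['reset_user'];
    $hash = $_SESSION['reset_hash'];
    $email = $_SESSION['reset_email'];

    $pass = getparam('pass', true);
    $pass2 = getparam('pass2', true);
    $twofa = getparam('2fa', true);
    if (nuem($pass) || nuem($pass2)) {
        return allow_reset('Enter both passwords');
    }
    // strict compare: '1e3' and '1000' must not be treated as the same password
    if ($pass2 !== $pass) {
        return allow_reset("Passwords don't match");
    }
    if (safepass($pass) !== true) {
        return allow_reset('Password is unsafe');
    }

    $ans = getAtts($user, 'KReset.str,KReset.dateexp');
    if ($ans['STATUS'] !== 'ok') {
        return resetfail();
    }
    // 'Y' here means the reset window has already expired
    if (!isset($ans['KReset.dateexp']) || $ans['KReset.dateexp'] === 'Y') {
        return resetfail();
    }
    // Constant-time comparison of the stored token with the one carried in the
    // session (PHP >= 5.6); a plain != would also loosely compare numeric strings
    if (!isset($ans['KReset.str']) || !hash_equals((string)$ans['KReset.str'], (string)$hash)) {
        return resetfail();
    }

    $emailinfo = getOpts($user, emailOptList());
    if ($emailinfo['STATUS'] !== 'ok') {
        syserror();
    }
    $ans = resetPass($user, $pass, $twofa);
    if ($ans['STATUS'] !== 'ok') {
        return resetfail();
    }

    // The reset is done: drop the session state and expire the stored token
    // so the emailed link cannot be replayed
    unset($_SESSION['reset_user'], $_SESSION['reset_hash'], $_SESSION['reset_email']);
    expAtts($user, 'KReset');
    // Notification only; its result is not needed for the response
    passWasReset($email, zeip(), $emailinfo);
    return yok();
}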
/**
 * Build a wire message: "<cmd><sep><id><t><sep>" followed by name/value pairs
 * joined with the global separators, then the bookkeeping fields
 * createcode/createby/createinet/webtime.
 *
 * The message is also passed to adm() before being returned.
 * NOTE(review): names and values are concatenated unescaped; assumes callers
 * never pass a value containing $fld_sep or $val_sep — confirm against the
 * decoder on the other end.
 *
 * @param string $cmd
 * @param string $id
 * @param array  $fields name => value, appended in iteration order
 * @param string $user   recorded as 'createby'
 * @return string the encoded message
 */
function msgEncode($cmd, $id, $fields, $user)
{
    global $send_sep, $fld_sep, $val_sep;

    $now = time();
    // Low four digits of the timestamp are appended directly to the id
    $header = $cmd . $send_sep . $id . ($now % 10000) . $send_sep;

    $pairs = array();
    foreach ($fields as $name => $value) {
        $pairs[] = $name . $val_sep . $value;
    }
    $pairs[] = 'createcode' . $val_sep . 'php';
    $pairs[] = 'createby' . $val_sep . $user;
    $pairs[] = 'createinet' . $val_sep . zeip();
    $pairs[] = 'webtime' . $val_sep . $now;

    // implode() puts $fld_sep between pairs only, so the message ends with webtime
    $msg = $header . implode($fld_sep, $pairs);
    adm($user, $msg);
    return $msg;
}
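/**
 * Handle the account settings form: optionally apply one change (email,
 * payout address or password, selected by the 'Change' parameter), then
 * re-render the settings page with the current email/address and a status
 * message.
 *
 * After a successful change a notification email is sent via
 * emailAddressChanged() / payoutAddressChanged() / passChanged(); if the
 * current email or the email options cannot be loaded, an error line is
 * appended to the message instead.
 *
 * @param array  $data page data; $data['info']['u_multiaddr'] disables the
 *                     single-address form here (handled by doaddrmgt)
 * @param string $user
 * @return mixed the rendered page from settings()
 */
function dosettings($data, $user)
{
    $err = '';
    $chg = getparam('Change', false);
    $check = false;
    $ans = null;

    switch ($chg) {
        case 'EMail':
            $email = getparam('email', false);
            if (stripos((string)$email, 'hotmail') !== false) {
                $err = 'hotmail not allowed';
            } else {
                $pass = getparam('pass', false);
                $twofa = getparam('2fa', false);
                $ans = userSettings($user, $email, null, $pass, $twofa);
                $err = 'EMail changed';
                $check = true;
            }
            break;
        case 'Address':
            // Single-address accounts only; multi-address accounts use doaddrmgt()
            if (!isset($data['info']['u_multiaddr'])) {
                $addr = getparam('baddr', false);
                $addrarr = array(array('addr' => $addr));
                $pass = getparam('pass', false);
                $twofa = getparam('2fa', false);
                $ans = userSettings($user, null, $addrarr, $pass, $twofa);
                $err = 'Payout address changed';
                $check = true;
            }
            break;
        case 'Password':
            $oldpass = getparam('oldpass', false);
            $pass1 = getparam('pass1', false);
            $pass2 = getparam('pass2', false);
            $twofa = getparam('2fa', false);
            // Same check as dbreset(): only an explicit true means the
            // password is acceptable (a non-bool failure value is truthy)
            if (safepass($pass1) !== true) {
                $err = 'Unsafe password. ' . passrequires();
            } elseif ($pass1 !== $pass2) {
                $err = "Passwords don't match";
            } else {
                $ans = setPass($user, $oldpass, $pass1, $twofa);
                $err = 'Password changed';
                $check = true;
            }
            break;
    }

    // $check is only true when $ans holds the result of the change call
    $doemail = false;
    if ($check === true) {
        if ($ans['STATUS'] !== 'ok') {
            $err = $ans['STATUS'];
            if (isset($ans['ERROR']) && $ans['ERROR'] !== '') {
                $err .= ': ' . $ans['ERROR'];
            }
        } else {
            $doemail = true;
        }
    }

    // Reload the current settings for the page
    $ans = userSettings($user);
    if ($ans['STATUS'] !== 'ok') {
        dbdown();
    }
    // Should be no other reason?
    $email = isset($ans['email']) ? $ans['email'] : '';
    // Use the first one - updating will expire all others
    $addr = (isset($ans['rows']) && $ans['rows'] > 0) ? $ans['addr:0'] : '';

    if ($doemail) {
        // No address to notify, or no email options: report it instead of
        // silently skipping the notification
        $emailinfo = ($email === '') ? null : getOpts($user, emailOptList());
        if ($emailinfo === null || $emailinfo['STATUS'] !== 'ok') {
            if ($err !== '') {
                $err .= '<br>';
            }
            $err .= 'An error occurred, check your details below';
        } else {
            switch ($chg) {
                case 'EMail':
                    // Previous address, if the caller stashed it, so the old
                    // mailbox can be told too
                    $old = isset($_SESSION['old_set_email']) ? $_SESSION['old_set_email'] : null;
                    emailAddressChanged($email, zeip(), $emailinfo, $old);
                    break;
                case 'Address':
                    payoutAddressChanged($email, zeip(), $emailinfo);
                    break;
                case 'Password':
                    passChanged($email, zeip(), $emailinfo);
                    break;
            }
        }
    }

    return settings($data, $user, $email, $addr, $err);
}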
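/**
 * Handle the 2FA management form. Exactly one action is taken, chosen in the
 * order Setup, Cancel, Test, New, Remove (the last three also need a 'Value');
 * with no action the current 2FA state is just fetched.
 *
 * On success of an action a notification email is sent (twofaSetup /
 * twofaEnabled / twofaCancel / twofaRemove); failure to load the user's email
 * or email options is reported in $err instead.
 *
 * @param array  $data page data, passed through to set_2fa()
 * @param string $user
 * @return mixed the rendered page from set_2fa()
 */
function do2fa($data, $user)
{
    $mailmode = '';
    $err = '';
    $msg = '';
    $value = getparam('Value', false);

    if (getparam('Setup', false) === 'Setup') {
        $ans = get2fa($user, 'setup', do2faSeed(), 0);
        $mailmode = 'Setup';
    } elseif (getparam('Cancel', false) === 'Cancel') {
        $ans = get2fa($user, 'untest', 0, 0);
        $mailmode = 'Cancel';
    } elseif (getparam('Test', false) === 'Test' && $value !== null) {
        $ans = get2fa($user, 'test', 0, $value);
        $mailmode = 'Test';
    } elseif (getparam('New', false) === 'New' && $value !== null) {
        $ans = get2fa($user, 'new', do2faSeed(), $value);
        $mailmode = 'New';
    } elseif (getparam('Remove', false) === 'Remove' && $value !== null) {
        $ans = get2fa($user, 'remove', 0, $value);
        $mailmode = 'Remove';
    } else {
        $ans = get2fa($user, '', 0, 0);
    }

    if ($ans['STATUS'] !== 'ok') {
        $err = 'DBERR';
    } else {
        if (isset($ans['2fa_error'])) {
            $err = $ans['2fa_error'];
        }
        // Notify only for a successful action
        if ($mailmode !== '' && $err === '') {
            $ans2 = userSettings($user);
            if ($ans2['STATUS'] !== 'ok') {
                dbdown();
            }
            // Should be no other reason?
            if (!isset($ans2['email'])) {
                $err = 'An error occurred, check your details below';
            } else {
                $email = $ans2['email'];
                $emailinfo = getOpts($user, emailOptList());
                if ($emailinfo['STATUS'] !== 'ok') {
                    $err = 'An error occurred, check your details below';
                } else {
                    switch ($mailmode) {
                        case 'Setup':
                        case 'New':
                            twofaSetup($email, zeip(), $emailinfo);
                            break;
                        case 'Test':
                            twofaEnabled($email, zeip(), $emailinfo);
                            break;
                        case 'Cancel':
                            twofaCancel($email, zeip(), $emailinfo);
                            break;
                        case 'Remove':
                            twofaRemove($email, zeip(), $emailinfo);
                            break;
                    }
                }
            }
        }
    }

    $tfa = isset($ans['2fa_status']) ? $ans['2fa_status'] : null;
    if (isset($ans['2fa_msg'])) {
        $msg = $ans['2fa_msg'];
    }
    return set_2fa($data, $user, $tfa, $ans, $err, $msg);
}

/**
 * Random value in [2^30, 2^31-1] passed to get2fa() for 'setup' and 'new';
 * it is included as part of the entropy of the new secret, so it comes from
 * the CSPRNG where available and only falls back to rand() on PHP < 7.
 *
 * @return int
 */
function do2faSeed()
{
    if (function_exists('random_int')) {
        return random_int(1073741824, 2147483647);
    }
    return rand(1073741824, 2147483647);
}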
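/**
 * First step of the password reset: issue a reset token for the user named in
 * $data and email it. If the previous reset (KLastReset.dateexp) has not yet
 * expired nothing is issued, but the same "Reset Sent" page is shown so the
 * response does not reveal whether a reset was pending.
 *
 * The token is stored as ua_KReset.str with a one hour expiry and compared
 * later by dbreset().
 *
 * @param array $data $data['data']['user'] and $data['data']['email']
 * @return string HTML for the "Reset Sent" page
 */
function doreset2($data)
{
    $user = $data['data']['user'];
    $email = $data['data']['email'];
    $emailinfo = getOpts($user, emailOptList());
    if ($emailinfo['STATUS'] !== 'ok') {
        syserror();
    }
    $ans = getAtts($user, 'KLastReset.dateexp');
    if ($ans['STATUS'] !== 'ok') {
        syserror();
    }
    // If the last attempt hasn't expired don't do anything but show a fake msg
    if (!isset($ans['KLastReset.dateexp']) || $ans['KLastReset.dateexp'] === 'Y') {
        // This $code prefix isn't an attempt at security -
        // it's simply to ensure the username is readable when we get it back
        $code = bin2hex($user) . '_';
        if (function_exists('random_bytes')) {
            // 128 bits from the CSPRNG; 32 hex chars, the same width as the
            // md4 digest of the fallback so the stored value keeps its size
            $hash = bin2hex(random_bytes(16));
        } else {
            // PHP < 7 fallback: roughly 30 bits of rand() mixed with the
            // request stamp and user details, then hashed to 32 hex chars
            $ran = $ans['STAMP'] . $user . $email . rand(100000000, 999999999);
            $hash = hash('md4', $ran);
        }
        $ans = setAtts($user, array('ua_KReset.str' => $hash, 'ua_KReset.date' => 'now+3600', 'ua_LastReset.date' => 'now+3600'));
        if ($ans['STATUS'] !== 'ok') {
            syserror();
        }
        $ok = passReset($email, $code . $hash, zeip(), $emailinfo);
        if ($ok === false) {
            syserror();
        }
    }
    $pg = '<h1>Reset Sent</h1>';
    $pg .= '<br>An Email has been sent that will allow you to';
    $pg .= '<br>reset your password.';
    $pg .= '<br>If you got your username or email address wrong,';
    $pg .= '<br>you wont get the email.';
    return $pg;
}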
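/**
 * Handle the multi-address payout form. On 'Save' with a password and a row
 * count in 1..999, collect every row that has both an address and a ratio
 * (payname optional) and store them via userSettings(); then email a
 * payoutAddressChanged() notification.
 *
 * A failed save reports the backend error; a successful save whose
 * notification could not be sent (no email, or the options lookup failed)
 * reports a generic error line. Either way the form is re-rendered.
 *
 * @param array  $data page data, passed through to addrmgtuser()
 * @param string $user
 * @return mixed the rendered page from addrmgtuser()
 */
function doaddrmgt($data, $user)
{
    $err = '';
    $OK = getparam('OK', false);
    $count = getparam('rows', false);
    $pass = getparam('pass', false);
    $twofa = getparam('2fa', false);
    // true only when the save succeeded but the notification did not
    $mfail = false;

    if ($OK === 'Save' && !nuem($count) && !nuem($pass) && is_numeric($count)) {
        // Row count comes from the request; use it as an integer so a value
        // like "5.5" cannot drive the loop one row further than intended
        $count = (int)$count;
        if ($count > 0 && $count < 1000) {
            $addrarr = array();
            for ($i = 0; $i < $count; $i++) {
                $addr = getparam('addr:' . $i, false);
                $nam = getparam('payname:' . $i, false);
                if (nuem($nam)) {
                    $nam = '';
                }
                $ratio = getparam('ratio:' . $i, false);
                // Rows without an address or a ratio are simply skipped
                if (!nuem($addr) && !nuem($ratio)) {
                    $addrarr[] = array('addr' => $addr, 'payname' => $nam, 'ratio' => $ratio);
                }
            }

            $ans = userSettings($user, null, $addrarr, $pass, $twofa);
            if ($ans['STATUS'] !== 'ok') {
                // Fall back to the status so a failure is never reported as ''
                $err = (isset($ans['ERROR']) && $ans['ERROR'] !== '') ? $ans['ERROR'] : $ans['STATUS'];
            } else {
                $mfail = true;
                $ans = userSettings($user);
                if ($ans['STATUS'] === 'ok' && isset($ans['email'])) {
                    $emailinfo = getOpts($user, emailOptList());
                    if ($emailinfo['STATUS'] === 'ok') {
                        payoutAddressChanged($ans['email'], zeip(), $emailinfo);
                        $mfail = false;
                    }
                }
            }
        }
    }

    if ($mfail) {
        if ($err !== '') {
            $err .= '<br>';
        }
        $err .= 'An error occurred, check your details below';
    }
    return addrmgtuser($data, $user, $err);
}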