function dbreset()
{
$user = $_SESSION['reset_user'];
$hash = $_SESSION['reset_hash'];
$email = $_SESSION['reset_email'];
$pass = getparam('pass', true);
$pass2 = getparam('pass2', true);
$twofa = getparam('2fa', true);
if (nuem($pass) || nuem($pass2)) {
return allow_reset('Enter both passwords');
}
if ($pass2 != $pass) {
return allow_reset("Passwords don't match");
}
if (safepass($pass) !== true) {
return allow_reset('Password is unsafe');
}
$ans = getAtts($user, 'KReset.str,KReset.dateexp');
if ($ans['STATUS'] != 'ok') {
return resetfail();
}
if (!isset($ans['KReset.dateexp']) || $ans['KReset.dateexp'] == 'Y') {
return resetfail();
}
if (!isset($ans['KReset.str']) || $ans['KReset.str'] != $hash) {
return resetfail();
}
$emailinfo = getOpts($user, emailOptList());
if ($emailinfo['STATUS'] != 'ok') {
syserror();
}
$ans = resetPass($user, $pass, $twofa);
if ($ans['STATUS'] != 'ok') {
return resetfail();
}
unset($_SESSION['reset_user']);
unset($_SESSION['reset_hash']);
unset($_SESSION['reset_email']);
$ans = expAtts($user, 'KReset');
$ok = passWasReset($email, zeip(), $emailinfo);
return yok();
}
function dosettings($data, $user)
{
$err = '';
$chg = getparam('Change', false);
$check = false;
switch ($chg) {
case 'EMail':
$email = getparam('email', false);
if (stripos($email, 'hotmail') !== false) {
$err = 'hotmail not allowed';
} else {
$pass = getparam('pass', false);
$twofa = getparam('2fa', false);
$ans = userSettings($user, $email, null, $pass, $twofa);
$err = 'EMail changed';
$check = true;
}
break;
case 'Address':
if (!isset($data['info']['u_multiaddr'])) {
$addr = getparam('baddr', false);
$addrarr = array(array('addr' => $addr));
$pass = getparam('pass', false);
$twofa = getparam('2fa', false);
$ans = userSettings($user, null, $addrarr, $pass, $twofa);
$err = 'Payout address changed';
$check = true;
}
break;
case 'Password':
$oldpass = getparam('oldpass', false);
$pass1 = getparam('pass1', false);
$pass2 = getparam('pass2', false);
$twofa = getparam('2fa', false);
if (!safepass($pass1)) {
$err = 'Unsafe password. ' . passrequires();
} elseif ($pass1 != $pass2) {
$err = "Passwords don't match";
} else {
$ans = setPass($user, $oldpass, $pass1, $twofa);
$err = 'Password changed';
$check = true;
}
break;
}
$doemail = false;
if ($check === true) {
if ($ans['STATUS'] != 'ok') {
$err = $ans['STATUS'];
if ($ans['ERROR'] != '') {
$err .= ': ' . $ans['ERROR'];
}
} else {
$doemail = true;
}
}
$ans = userSettings($user);
if ($ans['STATUS'] != 'ok') {
dbdown();
}
// Should be no other reason?
if (isset($ans['email'])) {
$email = $ans['email'];
} else {
$email = '';
}
// Use the first one - updating will expire all others
if (isset($ans['rows']) and $ans['rows'] > 0) {
$addr = $ans['addr:0'];
} else {
$addr = '';
}
if ($doemail) {
if ($email == '') {
if ($err != '') {
$err .= '<br>';
}
$err .= 'An error occurred, check your details below';
goto iroiroattanoyo;
}
$emailinfo = getOpts($user, emailOptList());
if ($emailinfo['STATUS'] != 'ok') {
if ($err != '') {
$err .= '<br>';
}
$err .= 'An error occurred, check your details below';
goto iroiroattanoyo;
}
switch ($chg) {
case 'EMail':
if (isset($_SESSION['old_set_email'])) {
$old = $_SESSION['old_set_email'];
} else {
$old = null;
}
emailAddressChanged($email, zeip(), $emailinfo, $old);
break;
case 'Address':
payoutAddressChanged($email, zeip(), $emailinfo);
break;
case 'Password':
passChanged($email, zeip(), $emailinfo);
break;
}
}
iroiroattanoyo:
$pg = settings($data, $user, $email, $addr, $err);
return $pg;
}
function do2fa($data, $user)
{
$mailmode = '';
$err = '';
$msg = '';
$setup = getparam('Setup', false);
if ($setup === 'Setup') {
// rand() included as part of the entropy
$ans = get2fa($user, 'setup', rand(1073741824, 2147483647), 0);
$mailmode = 'Setup';
} else {
$can = getparam('Cancel', false);
if ($can === 'Cancel') {
$ans = get2fa($user, 'untest', 0, 0);
$mailmode = 'Cancel';
} else {
$value = getparam('Value', false);
$test = getparam('Test', false);
if ($test === 'Test' and $value !== null) {
$ans = get2fa($user, 'test', 0, $value);
$mailmode = 'Test';
} else {
$nw = getparam('New', false);
if ($nw === 'New' and $value !== null) {
$ans = get2fa($user, 'new', rand(1073741824, 2147483647), $value);
$mailmode = 'New';
} else {
$rem = getparam('Remove', false);
if ($rem === 'Remove' and $value !== null) {
$ans = get2fa($user, 'remove', 0, $value);
$mailmode = 'Remove';
} else {
$ans = get2fa($user, '', 0, 0);
}
}
}
}
}
if ($ans['STATUS'] != 'ok') {
$err = 'DBERR';
} else {
if (isset($ans['2fa_error'])) {
$err = $ans['2fa_error'];
}
if ($mailmode != '' and $err == '') {
$ans2 = userSettings($user);
if ($ans2['STATUS'] != 'ok') {
dbdown();
}
// Should be no other reason?
if (!isset($ans2['email'])) {
$err = 'An error occurred, check your details below';
} else {
$email = $ans2['email'];
$emailinfo = getOpts($user, emailOptList());
if ($emailinfo['STATUS'] != 'ok') {
$err = 'An error occurred, check your details below';
} else {
if ($mailmode === 'Setup') {
twofaSetup($email, zeip(), $emailinfo);
} else {
if ($mailmode === 'Test') {
twofaEnabled($email, zeip(), $emailinfo);
} else {
if ($mailmode === 'New') {
twofaSetup($email, zeip(), $emailinfo);
} else {
if ($mailmode === 'Cancel') {
twofaCancel($email, zeip(), $emailinfo);
} else {
if ($mailmode === 'Remove') {
twofaRemove($email, zeip(), $emailinfo);
}
}
}
}
}
}
}
}
}
if (!isset($ans['2fa_status'])) {
$tfa = null;
} else {
$tfa = $ans['2fa_status'];
}
if (isset($ans['2fa_msg'])) {
$msg = $ans['2fa_msg'];
}
$pg = set_2fa($data, $user, $tfa, $ans, $err, $msg);
return $pg;
}
function doreset2($data)
{
$user = $data['data']['user'];
$email = $data['data']['email'];
$emailinfo = getOpts($user, emailOptList());
if ($emailinfo['STATUS'] != 'ok') {
syserror();
}
$ans = getAtts($user, 'KLastReset.dateexp');
if ($ans['STATUS'] != 'ok') {
syserror();
}
// If the last attempt hasn't expired don't do anything but show a fake msg
if (!isset($ans['KLastReset.dateexp']) || $ans['KLastReset.dateexp'] == 'Y') {
// This line $code = isn't an attempt at security -
// it's simply to ensure the username is readable when we get it back
$code = bin2hex($data['data']['user']) . '_';
// A code that's large enough to not be worth guessing
$ran = $ans['STAMP'] . $user . $email . rand(100000000, 999999999);
$hash = hash('md4', $ran);
$ans = setAtts($user, array('ua_KReset.str' => $hash, 'ua_KReset.date' => 'now+3600', 'ua_LastReset.date' => 'now+3600'));
if ($ans['STATUS'] != 'ok') {
syserror();
}
$ok = passReset($email, $code . $hash, zeip(), $emailinfo);
if ($ok === false) {
syserror();
}
}
$pg = '<h1>Reset Sent</h1>';
$pg .= '<br>An Email has been sent that will allow you to';
$pg .= '<br>reset your password.';
$pg .= '<br>If you got your username or email address wrong,';
$pg .= '<br>you wont get the email.';
return $pg;
}
function doaddrmgt($data, $user)
{
$err = '';
$OK = getparam('OK', false);
$count = getparam('rows', false);
$pass = getparam('pass', false);
$twofa = getparam('2fa', false);
$mfail = false;
if ($OK == 'Save' && !nuem($count) && !nuem($pass)) {
if ($count > 0 && $count < 1000) {
$mfail = true;
$addrarr = array();
for ($i = 0; $i < $count; $i++) {
$addr = getparam('addr:' . $i, false);
$nam = getparam('payname:' . $i, false);
if (nuem($nam)) {
$nam = '';
}
$ratio = getparam('ratio:' . $i, false);
if (!nuem($addr) && !nuem($ratio)) {
$addrarr[] = array('addr' => $addr, 'payname' => $nam, 'ratio' => $ratio);
}
}
$ans = userSettings($user, null, $addrarr, $pass, $twofa);
if ($ans['STATUS'] != 'ok') {
$err = $ans['ERROR'];
} else {
$ans = userSettings($user);
if ($ans['STATUS'] != 'ok') {
goto meh;
}
if (isset($ans['email'])) {
$email = $ans['email'];
} else {
goto meh;
}
$emailinfo = getOpts($user, emailOptList());
if ($emailinfo['STATUS'] != 'ok') {
goto meh;
} else {
payoutAddressChanged($email, zeip(), $emailinfo);
}
}
$mfail = false;
}
}
meh:
if ($mfail == true) {
if ($err != '') {
$err .= '<br>';
}
$err .= 'An error occurred, check your details below';
}
$pg = addrmgtuser($data, $user, $err);
return $pg;
}