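/**
 * Second step of the password reset: the user followed the emailed reset
 * link (identity and token were stored in the session by the earlier step)
 * and now submits the new password.
 *
 * Input problems go back to the form via allow_reset() with a message; any
 * problem with the stored reset token goes through resetfail().
 *
 * Reads $_SESSION['reset_user'], ['reset_hash'], ['reset_email'] and the
 * request params pass, pass2 and 2fa.
 *
 * @return mixed whatever allow_reset(), resetfail() or yok() return
 */
function dbreset()
{
    $user = isset($_SESSION['reset_user']) ? $_SESSION['reset_user'] : null;
    $hash = isset($_SESSION['reset_hash']) ? $_SESSION['reset_hash'] : null;
    $email = isset($_SESSION['reset_email']) ? $_SESSION['reset_email'] : null;

    $pass = getparam('pass', true);
    $pass2 = getparam('pass2', true);
    $twofa = getparam('2fa', true);

    if (nuem($pass) || nuem($pass2)) {
        return allow_reset('Enter both passwords');
    }
    // Strict comparison: a loose != treats numeric-looking strings such as
    // '1e3' and '1000' as equal
    if ($pass2 !== $pass) {
        return allow_reset("Passwords don't match");
    }
    if (safepass($pass) !== true) {
        return allow_reset('Password is unsafe');
    }

    $ans = getAtts($user, 'KReset.str,KReset.dateexp');
    if ($ans['STATUS'] !== 'ok') {
        return resetfail();
    }
    // A missing or expired ('Y') reset attribute invalidates the attempt
    if (!isset($ans['KReset.dateexp']) || $ans['KReset.dateexp'] == 'Y') {
        return resetfail();
    }
    // hash_equals(): strict and constant-time. A loose != on two hex digests
    // compares them as numbers when both happen to look like '0e...' floats,
    // and a non-string session value must never match anything.
    if (!isset($ans['KReset.str']) || !is_string($hash)
        || !hash_equals((string)$ans['KReset.str'], $hash)) {
        return resetfail();
    }

    $emailinfo = getOpts($user, emailOptList());
    if ($emailinfo['STATUS'] !== 'ok') {
        syserror();
    }

    $ans = resetPass($user, $pass, $twofa);
    if ($ans['STATUS'] !== 'ok') {
        return resetfail();
    }

    // The reset is single-use: drop the session state and expire the stored
    // token so the same link cannot be replayed
    unset($_SESSION['reset_user'], $_SESSION['reset_hash'], $_SESSION['reset_email']);
    expAtts($user, 'KReset');
    // Notification is best-effort; its result does not affect the outcome
    passWasReset($email, zeip(), $emailinfo);

    return yok();
}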
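/**
 * Handle a submit from the account settings page and re-render it.
 *
 * The 'Change' request param selects what is being updated ('EMail',
 * 'Address' or 'Password'); each change is passed on with the current
 * password and the 2fa value. After a successful change the user is
 * notified by email; that notification is best-effort and a failure to
 * look up the address or email options only adds a message to the page.
 *
 * @param array  $data page data; a set $data['info']['u_multiaddr'] means the
 *                     single-address form is not in use
 * @param string $user
 * @return string the rendered settings page
 */
function dosettings($data, $user)
{
    $err = '';
    $ans = null;
    $check = false;
    $chg = getparam('Change', false);

    switch ($chg) {
        case 'EMail':
            $email = getparam('email', false);
            if (stripos((string)$email, 'hotmail') !== false) {
                $err = 'hotmail not allowed';
            } else {
                $pass = getparam('pass', false);
                $twofa = getparam('2fa', false);
                $ans = userSettings($user, $email, null, $pass, $twofa);
                $err = 'EMail changed';
                $check = true;
            }
            break;
        case 'Address':
            // Multi-address accounts are handled by doaddrmgt() instead
            if (!isset($data['info']['u_multiaddr'])) {
                $addr = getparam('baddr', false);
                $addrarr = array(array('addr' => $addr));
                $pass = getparam('pass', false);
                $twofa = getparam('2fa', false);
                $ans = userSettings($user, null, $addrarr, $pass, $twofa);
                $err = 'Payout address changed';
                $check = true;
            }
            break;
        case 'Password':
            $oldpass = getparam('oldpass', false);
            $pass1 = getparam('pass1', false);
            $pass2 = getparam('pass2', false);
            $twofa = getparam('2fa', false);
            // Same test as dbreset(): only an explicit true means safe
            if (safepass($pass1) !== true) {
                $err = 'Unsafe password. ' . passrequires();
            } elseif ($pass1 !== $pass2) {
                // strict: a loose != treats '1e3' and '1000' as equal
                $err = "Passwords don't match";
            } else {
                $ans = setPass($user, $oldpass, $pass1, $twofa);
                $err = 'Password changed';
                $check = true;
            }
            break;
    }

    $doemail = false;
    if ($check === true) {
        if ($ans['STATUS'] !== 'ok') {
            $err = $ans['STATUS'];
            if (isset($ans['ERROR']) && $ans['ERROR'] !== '') {
                $err .= ': ' . $ans['ERROR'];
            }
        } else {
            $doemail = true;
        }
    }

    // Re-read the stored settings so the page shows what is now in the DB
    $ans = userSettings($user);
    if ($ans['STATUS'] !== 'ok') {
        dbdown(); // Should be no other reason?
    }
    $email = isset($ans['email']) ? $ans['email'] : '';
    // Use the first one - updating will expire all others
    $addr = (isset($ans['rows']) && $ans['rows'] > 0) ? $ans['addr:0'] : '';

    if ($doemail) {
        $emailinfo = ($email === '') ? null : getOpts($user, emailOptList());
        if ($emailinfo === null || $emailinfo['STATUS'] !== 'ok') {
            // The change itself succeeded; only the notification could not be sent
            if ($err !== '') {
                $err .= '<br>';
            }
            $err .= 'An error occurred, check your details below';
        } else {
            switch ($chg) {
                case 'EMail':
                    $old = isset($_SESSION['old_set_email']) ? $_SESSION['old_set_email'] : null;
                    emailAddressChanged($email, zeip(), $emailinfo, $old);
                    break;
                case 'Address':
                    payoutAddressChanged($email, zeip(), $emailinfo);
                    break;
                case 'Password':
                    passChanged($email, zeip(), $emailinfo);
                    break;
            }
        }
    }

    return settings($data, $user, $email, $addr, $err);
}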
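/**
 * Handle the 2FA management page: Setup, Cancel, Test, New or Remove.
 *
 * The first matching request param (in that order) selects the action;
 * Test, New and Remove also need a 'Value'. With no action the current 2FA
 * status is just displayed. After a successful action the user is notified
 * by email (best-effort: a failed lookup only adds a message to the page).
 *
 * @param array  $data page data
 * @param string $user
 * @return string the rendered 2FA page
 */
function do2fa($data, $user)
{
    $mailmode = '';
    $err = '';
    $msg = '';

    // Seed handed to get2fa() for key generation. The original comment notes
    // rand() is only part of the entropy; still prefer the CSPRNG when the
    // runtime has it, keeping the same range so the consumer sees no change.
    $newSeed = function () {
        if (function_exists('random_int')) {
            return random_int(1073741824, 2147483647);
        }
        return rand(1073741824, 2147483647);
    };

    if (getparam('Setup', false) === 'Setup') {
        $ans = get2fa($user, 'setup', $newSeed(), 0);
        $mailmode = 'Setup';
    } elseif (getparam('Cancel', false) === 'Cancel') {
        $ans = get2fa($user, 'untest', 0, 0);
        $mailmode = 'Cancel';
    } else {
        $value = getparam('Value', false);
        if (getparam('Test', false) === 'Test' && $value !== null) {
            $ans = get2fa($user, 'test', 0, $value);
            $mailmode = 'Test';
        } elseif (getparam('New', false) === 'New' && $value !== null) {
            $ans = get2fa($user, 'new', $newSeed(), $value);
            $mailmode = 'New';
        } elseif (getparam('Remove', false) === 'Remove' && $value !== null) {
            $ans = get2fa($user, 'remove', 0, $value);
            $mailmode = 'Remove';
        } else {
            // No action: just fetch the current status
            $ans = get2fa($user, '', 0, 0);
        }
    }

    if ($ans['STATUS'] !== 'ok') {
        $err = 'DBERR';
    } else {
        if (isset($ans['2fa_error'])) {
            $err = $ans['2fa_error'];
        }
        // Only notify for an action that was accepted without a 2fa error
        if ($mailmode !== '' && $err === '') {
            $ans2 = userSettings($user);
            if ($ans2['STATUS'] !== 'ok') {
                dbdown(); // Should be no other reason?
            }
            if (!isset($ans2['email'])) {
                $err = 'An error occurred, check your details below';
            } else {
                $email = $ans2['email'];
                $emailinfo = getOpts($user, emailOptList());
                if ($emailinfo['STATUS'] !== 'ok') {
                    $err = 'An error occurred, check your details below';
                } else {
                    switch ($mailmode) {
                        case 'Setup':
                        case 'New':
                            twofaSetup($email, zeip(), $emailinfo);
                            break;
                        case 'Test':
                            twofaEnabled($email, zeip(), $emailinfo);
                            break;
                        case 'Cancel':
                            twofaCancel($email, zeip(), $emailinfo);
                            break;
                        case 'Remove':
                            twofaRemove($email, zeip(), $emailinfo);
                            break;
                    }
                }
            }
        }
    }

    $tfa = isset($ans['2fa_status']) ? $ans['2fa_status'] : null;
    if (isset($ans['2fa_msg'])) {
        $msg = $ans['2fa_msg'];
    }

    return set_2fa($data, $user, $tfa, $ans, $err, $msg);
}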
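/**
 * First step of the password reset: generate a single-use reset token,
 * store it against the user with a one-hour expiry and email the link.
 *
 * The page returned is the same whether or not anything was sent (including
 * when an earlier, still-valid reset attempt exists), so the response does
 * not reveal which usernames or addresses are registered.
 *
 * @param array $data $data['data']['user'] and $data['data']['email'] are the
 *                    user and address supplied by the caller
 * @return string the rendered "Reset Sent" page
 */
function doreset2($data)
{
    $user = $data['data']['user'];
    $email = $data['data']['email'];

    $emailinfo = getOpts($user, emailOptList());
    if ($emailinfo['STATUS'] !== 'ok') {
        syserror();
    }

    $ans = getAtts($user, 'KLastReset.dateexp');
    if ($ans['STATUS'] !== 'ok') {
        syserror();
    }

    // If the last attempt hasn't expired don't do anything but show a fake msg
    // NOTE(review): the expiry is read here as KLastReset.dateexp but written
    // below as ua_LastReset.date - confirm both name the same attribute
    if (!isset($ans['KLastReset.dateexp']) || $ans['KLastReset.dateexp'] == 'Y') {
        // This line $code = isn't an attempt at security -
        // it's simply to ensure the username is readable when we get it back
        $code = bin2hex($data['data']['user']) . '_';

        // The token's unguessability comes entirely from this random part:
        // use the CSPRNG where the runtime has it, else the original rand()
        if (function_exists('random_bytes')) {
            $ran = bin2hex(random_bytes(16));
        } else {
            $ran = rand(100000000, 999999999);
        }
        $ran = $ans['STAMP'] . $user . $email . $ran;
        // md4 only fixes the stored width (32 hex chars); kept so existing
        // KReset.str values and the check in dbreset() stay compatible
        $hash = hash('md4', $ran);

        $ans = setAtts($user, array(
            'ua_KReset.str' => $hash,
            'ua_KReset.date' => 'now+3600',
            'ua_LastReset.date' => 'now+3600',
        ));
        if ($ans['STATUS'] !== 'ok') {
            syserror();
        }

        $ok = passReset($email, $code . $hash, zeip(), $emailinfo);
        if ($ok === false) {
            syserror();
        }
    }

    $pg = '<h1>Reset Sent</h1>';
    $pg .= '<br>An Email has been sent that will allow you to';
    $pg .= '<br>reset your password.';
    $pg .= '<br>If you got your username or email address wrong,';
    $pg .= '<br>you wont get the email.';

    return $pg;
}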
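/**
 * Handle a submit from the multi-address payout management page.
 *
 * On 'Save' the addr:N / payname:N / ratio:N request params for N below
 * 'rows' are collected into one address list and written with
 * userSettings(); rows with an empty address or ratio are skipped. The
 * current password and the 2fa value are passed along. A successful save
 * is followed by a best-effort email notification.
 *
 * @param array  $data page data
 * @param string $user
 * @return string the rendered address management page
 */
function doaddrmgt($data, $user)
{
    $err = '';
    $OK = getparam('OK', false);
    $count = getparam('rows', false);
    $pass = getparam('pass', false);
    $twofa = getparam('2fa', false);

    // Set while a save is in progress and cleared once the update has been
    // answered (success or a reported error). It stays set only when a
    // follow-up lookup needed for the notification fails.
    $mfail = false;

    if ($OK === 'Save' && !nuem($count) && !nuem($pass)) {
        // 'rows' is the loop bound, so accept only a genuine integer
        $rows = filter_var($count, FILTER_VALIDATE_INT);
        if ($rows !== false && $rows > 0 && $rows < 1000) {
            $mfail = true;
            $addrarr = array();
            for ($i = 0; $i < $rows; $i++) {
                $addr = getparam('addr:' . $i, false);
                $nam = getparam('payname:' . $i, false);
                if (nuem($nam)) {
                    $nam = '';
                }
                $ratio = getparam('ratio:' . $i, false);
                if (!nuem($addr) && !nuem($ratio)) {
                    $addrarr[] = array('addr' => $addr, 'payname' => $nam, 'ratio' => $ratio);
                }
            }

            $ans = userSettings($user, null, $addrarr, $pass, $twofa);
            if ($ans['STATUS'] !== 'ok') {
                $err = isset($ans['ERROR']) ? $ans['ERROR'] : $ans['STATUS'];
                $mfail = false;
            } else {
                // Look up the address to notify; any failure here leaves
                // $mfail set so the page reports it
                $ans = userSettings($user);
                if ($ans['STATUS'] === 'ok' && isset($ans['email'])) {
                    $emailinfo = getOpts($user, emailOptList());
                    if ($emailinfo['STATUS'] === 'ok') {
                        payoutAddressChanged($ans['email'], zeip(), $emailinfo);
                        $mfail = false;
                    }
                }
            }
        }
    }

    if ($mfail) {
        if ($err !== '') {
            $err .= '<br>';
        }
        $err .= 'An error occurred, check your details below';
    }

    return addrmgtuser($data, $user, $err);
}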