Esempio n. 1
<ul id="results" class="update"></ul>

<input type="submit" value="Compose">
<input type="submit" value="Get Fingerprint" class="search_button" alt="Select an email above and check with the person to ensure it matches their fingerprint."/>

</form><br /><br />

<?php 
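// Close the connection used for the recipients query above and open a fresh
// one for the inbox listing (connection() is the project's DB helper).
mysql_close($connection);
$connection = connection();
// Logged-in user's ID. Cast to int: the query binds it with %d so it can only
// ever be an integer, and a missing session key becomes 0 instead of an
// undefined-index notice.
// NOTE(review): recip = 0 appears to be the value written when a recipient
// drops a message, so a session without s_id would list those rows; this
// relies on the login guard earlier in the page — confirm.
$id = isset($_SESSION['s_id']) ? (int) $_SESSION['s_id'] : 0;
// Messages addressed to this user, newest first.
$msg_sql = mressf("SELECT * FROM msg WHERE recip = '%d' ORDER BY id DESC", $id);
$msg_sql_result = mysql_query($msg_sql, $connection);
if ($msg_sql_result === false) {
    // Generic text for the browser: mysql_error() exposes schema and driver
    // details; the driver message belongs in the server log instead.
    error_log("msg query failed: " . mysql_error($connection));
    die("Unable to execute query.");
}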
// If there are messages, display those there.
if (mysql_num_rows($msg_sql_result) != "0") {
    // TODO:  Add an option to remove access for an individual.
    // In case they were sent a message by accident.
    // Alternating row colors
    $rowclass = 1 - $rowclass;
    $rowclass = 0;
    echo "<table><tr><th align=left>Date</th><th align=left>From</th><th align=left>Subject</th></tr>";
    while ($row = mysql_fetch_array($msg_sql_result)) {
        // Email info
        $msg_id = $row['id'];
        $sender = $row['sender'];
        $email = $row['email'];
Esempio n. 2
 // Delete temporary key files
 unlink($no_pass_temp);
 unlink($has_pass_temp);
 // salted hash to store into the db for authentication.
 $hashed = generateHash($password, $hashed_up);
 // Updated to encrypt the phone number and SMS gateway of the user.
 $phone_no = $_SESSION['s_phone'];
 // This is already in the format user@smsgateway so it is just appended here since the @ sign is the delimiter.
 $sms_gateway = $_SESSION['s_sms_gateway'];
 /** Encrypt the private key and base64_encode it to store in the database.  With the new passphrase hash */
 $sealed_priv = trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $password, $new_password . "@" . $privateContents . "@" . $sms_gateway, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))));
 // DB connection
 $connection = connection();
 // Update user account information
 $id = $_SESSION['s_id'];
 $pass_sql = mressf("UPDATE users SET upass = '******', priv_key = '%s' WHERE id = '%d'", $hashed, $sealed_priv, $id);
 $pass_sql_result = mysql_query($pass_sql, $connection) or die("Unable to execute mysql query." . mysql_error());
 if ($pass_sql_result) {
     echo "Your password has been changed.<br />";
     echo "Click <a href=\"logout.php\">here</a> to login.";
     // Want to be sure these are set to null
     $upassword = "";
     $new_password = "";
     $_SESSION['s_priv_tmp'] = "";
     $_SESSION['s_pass'] = "";
     //remove all the variables in the session
     session_unset();
     $_SESSION = array();
     exit;
 } else {
     echo "Error changing your password. <a href=\"change_pass.php\">Try again</a>. 1";
Esempio n. 3
<?php

// Project helpers used below (mressf(), sha1_thumbprint(), the DB credentials) come from here.
include 'includes/function.php';
// Presumably ends the request for unauthenticated sessions — confirm in includes/function.php.
loggedIn();
if ($_POST['to_email'] != "") {
    // Passed variable
    $user = trim($_POST['to_email']);
    // Numeric value is passed so check to be sure that is it.
    if (!preg_match("/^[0-9]{1,10}\$/", $user)) {
        die("User not found.");
    }
    $pub_connection = mysql_connect("localhost", $db_user_public, $db_user_pass) or die("Error with database connection.  Please try again.");
    mysql_select_db($db_name, $pub_connection) or die("Error selecting database.");
    /** Be sure the ID exists. */
    $check_sql = mressf("SELECT email,pub_key FROM users WHERE id = '%d'", $user);
    // Execute query
    $sql_result = mysql_query($check_sql, $pub_connection) or die("Error retrieving user." . mysql_error());
    $i = mysql_fetch_object($sql_result);
    // Pub certificate
    $pub_print = "{$i->pub_key}";
    // Check for results
    if (mysql_num_rows($sql_result) == "0") {
        echo "User not found.";
        exit;
    } else {
        echo "<b>Fingerprint for the above user is:</b> <br />";
        // Split into readable chunks of four
        print chunk_split(sha1_thumbprint($pub_print), 4);
        exit;
    }
} else {
Esempio n. 4
    $_SESSION['s_recip_pub'] = "";
    openssl_free_key($key);
} else {
    /** Form to send message */
    // Passed variables
    $from = $_SESSION['s_from'];
    $recip = $_SESSION['s_from'];
    $subject = $_SESSION['s_subject'];
    $msg = $_SESSION['s_message'];
    $sender = $_SESSION['s_sender'];
    // Message date
    $t_date = $_SESSION['s_time'];
    // DB connection
    $connection = connection();
    $sender_id = $_SESSION['s_id'];
    $sql = mressf("SELECT up.upub_key FROM uprofile up, users u WHERE u.id = up.user AND up.upub_key = (SELECT id FROM users WHERE email = '%s') AND up.user = '******'", $recip, $sender_id);
    $sql_query = mysql_query($sql) or die("Unable to check to determine if public key exists in your keyring.");
    if (mysql_num_rows($sql_query) == "0") {
        die("The repient's key is not in your keyring, please add it before sending a message.");
    }
    ?>

	<form method="POST" action="<?php 
    $_SERVER['PHP_SELF'];
    ?>
">

	<br />To: <?php 
    echo "{$recip}";
    ?>
 <br /><br />
Esempio n. 5
<?php

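// Project helpers (connection(), mressf(), $failed_count, ...) come from here.
include 'includes/function.php';
// Credentials from the login form. Guard the indices so a request without the
// fields yields "" (and the "supply both" error below) rather than a notice.
$username = isset($_POST['username']) ? trim($_POST['username']) : "";
// NOTE(review): escapeshellcmd() is a shell-escaping function; the password
// never reaches a shell here, and the call rewrites passwords containing
// characters such as ' " ` $ & before they are compared. Kept only because the
// registration path (not visible here) may apply the same transform — confirm,
// and drop it on both sides if it does not.
$upassword = isset($_POST['password']) ? escapeshellcmd($_POST['password']) : "";
// Source address of this request; the lockout table is keyed on it.
$request_IP = $_SERVER['REMOTE_ADDR'];
if ($username === "" || $upassword === "") {
    die("Error: Please supply both a user name and a password!");
}
// Database connection
$connection = connection();
// Rate limiting first: look the source IP up in failed_logins and compute how
// many minutes remain of the ban (timestamp + 15 minutes, the default ban
// duration). Built with mressf like every other query in this file instead of
// concatenating the address into the SQL string.
$lockout_sql = mressf("SELECT *,TIMESTAMPDIFF(MINUTE,NOW(),ADDTIME(timestamp,'00:15:00')) AS timeleft FROM failed_logins WHERE IP_address = '%s'", $request_IP);
$login_attempts = mysql_query($lockout_sql, $connection);
if ($login_attempts === false) {
    // Fail closed: a broken lockout query must not silently disable the limit
    // (mysql_num_rows(false) would have evaluated as "no rows").
    error_log("failed_logins query failed: " . mysql_error($connection));
    die("Unable to execute mysql query.");
}
if (mysql_num_rows($login_attempts) != 0) {
    $obj = mysql_fetch_object($login_attempts);
    // $failed_count is the attempt threshold defined outside this script — confirm.
    // NOTE(review): timeleft is never checked to be positive, so unless expired
    // rows are reset elsewhere an address stays locked after the 15 minutes.
    if ($obj->attempts >= $failed_count) {
        echo "<b>Error: Too many login attempts have been made, please try again in " . $obj->timeleft . " minutes.</b>";
        exit;
    }
}
// Look the account up by email; the stored upass hash is compared further down.
$sql = mressf("SELECT id,delivery,upass,pub_key,priv_key FROM users WHERE email = '%s'", $username);
$sql_result = mysql_query($sql, $connection);
if ($sql_result === false) {
    // Generic text for the browser; the driver error goes to the server log.
    error_log("users query failed: " . mysql_error($connection));
    die("Unable to execute mysql query.");
}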
if (mysql_num_rows($sql_result) != 0) {
    // Retrieved saltine and other data from the db
    $i = mysql_fetch_object($sql_result);
    // hashed and salted pass
    $pass = $i->upass;
Esempio n. 6
} else {
    /** Form to send message */
    // Passed userid
    $to_email = $_POST['to_email'];
    // Check passed ID
    if (!preg_match("/^[0-9]{1,10}\$/", $to_email)) {
        die("Please enter a valid email address.");
    }
    $_SESSION['s_to_email'] = "";
    $_SESSION['s_to_email'] = $to_email;
    // Prepare MySQL connection
    $connection = connection();
    // Retrieve the ID for the user
    /** TODO: WHEN WORKING WITH MULTIPLE USERS UPDATE THIS TO CHECK TO ENSURE THE USER
    	HAS THE USER'S PUBLIC KEY BEFORE PRESENTING THE FORM. IF I DECIDE TO SUPPORT MULTIPLE USERS*/
    $sql = mressf("SELECT id,email,pub_key FROM users WHERE id = '%d'", $to_email);
    // Execute the query
    $sql_result = mysql_query($sql, $connection) or die("Unable to execute query." . mysql_error());
    // Retrieve public key for user to send email to
    $i = mysql_fetch_object($sql_result);
    $_SESSION['s_recip_pub'] = "{$i->pub_key}";
    if ($_SESSION['s_recip_pub'] == "") {
        die("Something went wrong.  Please select the receipient again. <a href=\"main_msg.php\">Back</a>");
    }
    // Retrieve the respective user's email and id in order to send the message.
    $t_email = "{$i->email}";
    $_SESSION['s_recip_email'] = "{$i->email}";
    $t_id = "{$i->id}";
    $_SESSION['s_recip_id'] = "{$i->id}";
    ?>
Esempio n. 7
 $sealed = base64_decode($split_msg[0]);
 // Sealed key for the recipient
 $seal_key = "{$split_msg['1']}";
 $keys_crypt = explode("|", $seal_key);
 // decode the rc4 key
 $d_seal_keys1 = base64_decode($keys_crypt[1]);
 // unseal the rc4 key
 $d_seal_keys1 = d_seal($d_seal_keys1, $key, $pass);
 // Prepare the recipient's private key to unseal the encrypted message.
 $pkeyid = openssl_get_privatekey($key, $pass);
 // unseal the message
 if (openssl_open($sealed, $unseal, $d_seal_keys1, $pkeyid)) {
     // Unset the read flag
     $connection = connection();
     // Unset the message as being read
     $unset_sql = mressf("UPDATE msg SET iread = '0' WHERE id = '%d'", $msg_id);
     $unset_sql_result = mysql_query($unset_sql, $connection);
     // Format the message to display
     echo "<br />From: {$from_sender} on {$t_time}<br />";
     echo "Subject: {$t_subject}<br />";
     // Session variables for sender and subject info
     // Need the sender's id for the reply message.
     $_SESSION['s_sender_id'] = "";
     $_SESSION['s_sender_id'] = $t_sender;
     // Sender Email
     $_SESSION['s_from'] = "";
     $_SESSION['s_from'] = $from_sender;
     // Email subject
     $_SESSION['s_subject'] = "";
     $_SESSION['s_subject'] = $t_subject;
     // Sender Public Key
Esempio n. 8
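loggedIn();
menu();
// Message ID from the query string: a plain decimal of up to ten digits.
// Single-quoted pattern with \z so a trailing newline is rejected as well
// ($ alone would let "123\n" through).
$msg_id = isset($_GET['msg']) ? trim($_GET['msg']) : "";
if (!preg_match('/^[0-9]{1,10}\z/', $msg_id)) {
    die("Invalid message ID.");
}
// NOTE(review): this is a state-changing action driven by a GET parameter
// with no per-request token, so any page the user visits can trigger it
// (CSRF); a POST form carrying a session-bound token is the usual fix.
// Create db connection
$connection = connection();
// Logged-in user's ID; both queries below bind on it so only the recipient
// of the message can drop it.
$id = isset($_SESSION['s_id']) ? (int) $_SESSION['s_id'] : 0;
// Ensure the user is authorized to this message: it must exist and be
// addressed to the current user.
$sql = mressf("SELECT id FROM msg WHERE id = '%d' AND recip = '%d'", $msg_id, $id);
// Explicit link: with more than one mysql link open the implicit default is
// the most recently opened one, which need not be this connection.
$sql_result = mysql_query($sql, $connection);
if ($sql_result === false) {
    // Driver details go to the log, not to the browser.
    error_log("msg lookup failed: " . mysql_error($connection));
    die("Unable to execute query.");
}
if (mysql_num_rows($sql_result) == 0) {
    die("Invalid message ID.");
}
// "Delete" = revoke the recipient's access by setting recip to 0; the row
// itself stays. The recip predicate is repeated so the update cannot apply
// to a message the check above did not cover.
$delete_sql = mressf("UPDATE msg SET recip = '0' WHERE id = '%d' AND recip = '%d'", $msg_id, $id);
$delete_sql_result = mysql_query($delete_sql, $connection);
if ($delete_sql_result === false) {
    error_log("msg access removal failed: " . mysql_error($connection));
    echo "<b>Fatal error! Unable to delete access to this message.</b>";
    exit;
}
// NOTE(review): if menu() above already sent output, this header is ignored
// ("headers already sent") and the user is left on a blank page — confirm,
// and move the redirect before any output if so.
header('Location: msg_main.php');
exit;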
Esempio n. 9
        }
    }
} elseif ($_POST['submit'] == "Search") {
    // Alternating row colors
    $rowclass = 1 - $rowclass;
    $rowclass = 0;
    $user = trim(htmlentities($_POST['user']));
    if ($user == "") {
        die("Please enter a search term.");
    }
    // Create db connection
    $connection = connection();
    // Select all users
    $id = $_SESSION['s_id'];
    $user = "******" . $user . "%";
    $sql = mressf("SELECT id,email,pub_key FROM users WHERE id != '%d' AND email LIKE '%s'", $id, $user);
    // Execute the query
    $sql_result = mysql_query($sql, $connection) or die("Unable to execute query." . mysql_error());
    if (mysql_num_rows($sql_result) == "0") {
        die("No results for that user.");
    }
    echo "<table><tr><th>Name</th><th>Email</th><th>Action</th></tr>";
    while ($row = mysql_fetch_array($sql_result)) {
        $id = $row['id'];
        $email = $row['email'];
        $pubkey = $row['pub_key'];
        // Sender name from Public Certificate
        $name = openssl_x509_parse($pubkey);
        $name = preg_grep("/CN/", $name);
        $name = implode("/", $name);
        $name = explode("/", $name);
Esempio n. 10
 // Ensure the user fills out all the appropriate fields.
 if ($email1 == "" || $password == "" || $confirm_pass == "") {
     die("<b>Please fill out all required fields!</b>");
 }
 // Validate the email address.
 include 'includes/EmailAddressValidator.php';
 $validator = new EmailAddressValidator();
 if ($validator->check_email_address($email1)) {
 } else {
     // Email not valid
     die("Invalid email address. <strong>{$email1}</strong>");
 }
 /* ################### PREVENT Duplicate accounts  ############################ */
 $connection = connection();
 // Query to check if email already exists
 $sql = mressf("SELECT email FROM users WHERE email = '%s'", $email1);
 // Execute query
 $sql_result = mysql_query($sql, $connection) or die("Error validating account.");
 // See if there are any results
 if (mysql_num_rows($sql_result) == "0") {
 } else {
     echo "<b>This email address already exists. <strong>{$email1}</strong>";
     exit;
 }
 // Check password requirements
 $test_pass = check_pass($password, $confirm_pass);
 if ($test_pass == "Strong.") {
 } else {
     echo "Your password doesn't meet all security requirements.<br />";
     echo "{$test_pass}";
     exit;