diff --git a/includes/account.php b/includes/account.php index 1a381b8..9c928cb 100644 --- a/includes/account.php +++ b/includes/account.php @@ -543,6 +543,7 @@ $addy[] = $sub; $_SESSION['_config']['addy'] = $addy; $_SESSION['_config']['domain'] = mysql_real_escape_string($newdomain); + $_SESSION['_config']['httphash'] = trim(make_hash()); } if($process != "" && $oldid == 8) @@ -553,6 +554,27 @@ $authaddy = trim(mysql_real_escape_string(stripslashes($_REQUEST['authaddy']))); + if($authaddy == "http hash") + { + // get site/cacert-probe.txt and check if it contains the hash. + $newhash = trim(`/usr/bin/wget -O- http://"$_SESSION['_config']['domain'].'/cacert-probe.txt'"`); + if($newhash != $_SESSION['_config']['httphash']) + { + showheader(_("My CAcert.org Account!")); + echo _("The hash could not be retrieved from http://".$_SESSION['_config']['domain'].'/cacert-probe.txt , or it did not match.'); + showfooter(); + exit; + } + $query = "insert into `domains` set + `domain`='".mysql_real_escape_string($_SESSION['_config']['domain'])."', + `memid`='".$_SESSION['profile']['id']."', + `created`=NOW(), `modified`=NOW(), `hash`=''"; + mysql_query($query); + showheader(_("Updated"), _("Updated")); + echo _("Your domain has been verified. You can now start issuing certificates for this domain.
You can remove cacert-probe.txt from your website."); + exit; + } + if($authaddy == "" || !is_array($_SESSION['_config']['addy'])) { showheader(_("My CAcert.org Account!")); diff --git a/pages/account/8.php b/pages/account/8.php index 79448d1..f25ba7f 100644 --- a/pages/account/8.php +++ b/pages/account/8.php @@ -19,7 +19,14 @@ - + + + + + + + +
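Review bot: The `wget` call in the new `http hash` branch builds a shell command from `$_SESSION['_config']['domain']`, which has only been through `mysql_real_escape_string()`; that is SQL escaping, not shell quoting, so unless the domain is strictly validated before it reaches the session (not visible in this hunk), shell metacharacters in it reach the shell. The backtick string also looks malformed: a quoted array key in simple interpolation and the `.'/cacert-probe.txt'` concatenation do not work inside backticks, so the URL is probably not the intended one. The comparison `$newhash != $_SESSION['_config']['httphash']` is loose and has no empty check, so a failed fetch (empty output) compares equal to a missing or empty session hash and the domain would be inserted as verified. The fetch should also refuse redirects and set a timeout, because the server requests whatever host the submitted name resolves to. The enclosing block starts and ends outside the hunk; a sketch of the fetch and the check follows.

```php
$expected = isset($_SESSION['_config']['httphash']) ? $_SESSION['_config']['httphash'] : '';
$url = 'http://'.$_SESSION['_config']['domain'].'/cacert-probe.txt';
// escapeshellarg() passes the URL as a single shell word; no redirects, one attempt, bounded wait.
$newhash = trim((string)shell_exec('/usr/bin/wget -q -O- --max-redirect=0 --tries=1 --timeout=10 '.escapeshellarg($url)));
// An empty value on either side must never count as a match.
if($expected === '' || $newhash === '' || $newhash !== $expected)
{
	// … unchanged: error page, showfooter(), exit …
}
// … unchanged: insert into `domains`, success page …
```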
/>