Upgrade from 0.8.7a to 0.8.7b: 'Invalid PHP_SELF Path'


chronos
Posts: 5
Joined: Tue Feb 12, 2008 1:07 pm

Upgrade from 0.8.7a to 0.8.7b: 'Invalid PHP_SELF Path'

Post by chronos »

On my FreeBSD server, I've updated through the ports system from 8.7a to 8.7b and now I get the following message:

Invalid PHP_SELF Path

I also tried going to /install/index.html but it gives the same message.

This is my config.php file:

$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "somethingi";
$database_password = "something";
$database_port = "3306";

Thanks for helping!
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

Post by fmangeant »

Hi

I had the same error when "beta testing" 0.8.7b, but it was fixed.

Can you add this to include/global.php before the "Sanity Check on 'Corrupt' PHP_SELF" block :

Code:

print "<pre>";
print_r($_SERVER);
print "</pre>";
and post the result ?
HOWTOs :
  • Install and configure the Net-SNMP agent for Unix (http://forums.cacti.net/viewtopic.php?t=15353)
  • Install and configure the Net-SNMP agent for Windows (http://forums.cacti.net/viewtopic.php?t=26151)
  • Graph multiple servers using an SNMP proxy (http://forums.cacti.net/viewtopic.php?t=28175)
Templates :
  • Multiple CPU usage for Linux (http://forums.cacti.net/viewtopic.php?t=15412)
  • Memory & swap usage for Unix (http://forums.cacti.net/viewtopic.php?p=125152)
megaman
Posts: 3
Joined: Sat Feb 11, 2006 10:01 am

Post by megaman »

I am using FreeBSD too.

Here is the result after adding your code :

Code:

Array
(
    [DOCUMENT_ROOT] => /usr/local/www/data
    [HTTP_ACCEPT] => text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    [HTTP_ACCEPT_CHARSET] => iso-8859-1, utf-8, utf-16, *;q=0.1
    [HTTP_ACCEPT_ENCODING] => deflate, gzip, x-gzip, identity, *;q=0
    [HTTP_ACCEPT_LANGUAGE] => fr,en;q=0.9,ja;q=0.8,de;q=0.7,es;q=0.6,it;q=0.5,nl;q=0.4,sv;q=0.3,nb;q=0.2
    [HTTP_CACHE_CONTROL] => no-cache
    [HTTP_CONNECTION] => Keep-Alive, TE
    [HTTP_TE] => deflate, gzip, chunked, identity, trailers
    [PATH] => /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/root/bin
    [REMOTE_ADDR] => 192.168.0.254
    [REMOTE_PORT] => 57188
    [SCRIPT_FILENAME] => /usr/local/share/cacti/index.php
    [SERVER_ADDR] => 192.168.0.1
    [SERVER_ADMIN] => you@your.address
    [SERVER_PORT] => 80
    [SERVER_SIGNATURE] => 
    [SERVER_SOFTWARE] => Apache
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /stats/index.php
    [SCRIPT_NAME] => /stats/index.php
    [PATH_TRANSLATED] => /usr/local/share/cacti/index.php
    [PHP_SELF] => /stats/index.php
    [REQUEST_TIME] => 1202855203
    [argv] => Array
        (
        )

    [argc] => 0
)
(I removed some variables about cookies and email address)

edit:
after looking at the code, I think it is a problem linked with the aliases' configuration of Apache

mine is "alias /stats/ /usr/local/share/cacti/", and the tests done in global.php can't rebuild this path (or validate it)
megaman
Posts: 3
Joined: Sat Feb 11, 2006 10:01 am

Post by megaman »

A temporary solution would be to edit global.php like that :

comment this line:

Code:

if (!((is_file($_SERVER["SCRIPT_FILENAME"])) && (substr_count($_SERVER["SCRIPT_FILENAME"], $_SERVER["PHP_SELF"])))) {
add just under it:

Code:

if (!((is_file($_SERVER["SCRIPT_FILENAME"])))) {
but I don't know if this is secure or not, at least cacti is working again
ben_c
Cacti User
Posts: 203
Joined: Mon May 14, 2007 8:12 pm
Location: Melbourne, Australia.

Post by ben_c »

Hm, I might hold off on applying those patches for .7b based on this thread!
chronos
Posts: 5
Joined: Tue Feb 12, 2008 1:07 pm

Post by chronos »

megaman wrote:A temporary solution would be to edit global.php like that :

comment this line:

Code:

if (!((is_file($_SERVER["SCRIPT_FILENAME"])) && (substr_count($_SERVER["SCRIPT_FILENAME"], $_SERVER["PHP_SELF"])))) {
add just under it:

Code:

if (!((is_file($_SERVER["SCRIPT_FILENAME"])))) {
but I don't know if this is secure or not, at least cacti is working again
This does indeed work, but I hate modifying the code in that way to make things work. I hope they release a 0.8.7c version that really fixes the issue.

Thanks!
davebassjunkie
Posts: 14
Joined: Mon Nov 19, 2007 7:56 pm

Post by davebassjunkie »

I'm getting the same error from applying the patch for 0.8.7a (multiple_vulnerabilities-0.8.7a.patch)

I'm not going to remove that line from the code, as that stops one of the XSS attacks that are the problem.

I have in my httpd.conf file in regards to the alias:

Alias /cacti "/local/cacti/"

Has anyone found a workaround that does not require removing an alias or taking out the security part?
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

Post by fmangeant »

I've sent a PM to Larry about this error, which was supposed to be corrected in final release of 0.8.7b

(and I also renamed the first post)
Gamb
Posts: 17
Joined: Thu Nov 22, 2007 4:36 am
Location: France

Post by Gamb »

Hello,

I have the same problem with $_SERVER["PHP_SELF"] :

Code:

Warning: is_file() [function.is-file]: open_basedir restriction in effect. File(/graph_view.php) is not within the allowed path(s): (/tmp:/usr/bin:/home/www/sessions:/usr/share/pear:/home/www/cacti:/usr/local/spine) in /home/www/cacti-0.8.7b/include/global.php on line 112
Just replace this condition :

Code:

if ((!is_file($_SERVER["PHP_SELF"])) && (!is_file($config["base_path"] . '/' . $_SERVER["PHP_SELF"]))) {
With this :

Code:

if (!is_file($config["base_path"] . '/' . $_SERVER["PHP_SELF"])) {
TheWitness
Developer
Posts: 17004
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

I will send a note to the remainder of the developers. Those experiencing this problem need to post their tech support pages for me. Also, please post any errors you are getting in your Apache log.

In the meantime, apply the workaround. I believe that there may be no one solution to this issue.

Regards,

Larry
chronos
Posts: 5
Joined: Tue Feb 12, 2008 1:07 pm

Post by chronos »

Here's my _SERVER array:

Array
(
[UNIQUE_ID] => ss00HMCoAQoAAEZzUy4AAAAJ
[HTTP_HOST] => www.clkroot.net
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
[HTTP_ACCEPT] => text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
[HTTP_ACCEPT_LANGUAGE] => en-us,en;q=0.5
[HTTP_ACCEPT_ENCODING] => gzip,deflate
[HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
[HTTP_KEEP_ALIVE] => 300
[HTTP_CONNECTION] => keep-alive
[HTTP_COOKIE] => ************
[PATH] => /sbin:/bin:/usr/sbin:/usr/bin
[SERVER_SIGNATURE] =>
[SERVER_SOFTWARE] => Apache/2.2.8 (FreeBSD) mod_ssl/2.2.8 OpenSSL/0.9.8e DAV/2 PHP/5.2.5 with Suhosin-Patch mod_scgi/1.12
[SERVER_NAME] => www.clkroot.net
[SERVER_ADDR] => 192.168.1.10
[SERVER_PORT] => 80
[REMOTE_ADDR] => 81.85.237.5
[DOCUMENT_ROOT] => /usr/local/www/wordpress
[SERVER_ADMIN] => **************
[SCRIPT_FILENAME] => /usr/local/share/cacti/index.php
[REMOTE_PORT] => 53845
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /sys_cacti/
[SCRIPT_NAME] => /sys_cacti/index.php
[PHP_SELF] => /sys_cacti/index.php
[REQUEST_TIME] => 1202907375
)

And my alias in my httpd.conf:
Alias /sys_cacti/ "/usr/local/share/cacti/"
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

Post by fmangeant »

I can reproduce the problem by installing Cacti 0.8.7b in /home/cactiuser/test, with an Apache directory /foo :
Invalid PHP_SELF Path
It seems that if the Apache directory name is not included in the directory's name where Cacti is installed, the substr_count($_SERVER["SCRIPT_FILENAME"], $_SERVER["PHP_SELF"]) function will fail.

We're now 3 in this thread having the same issue :
  • SCRIPT_FILENAME => /usr/local/share/cacti/index.php , PHP_SELF => /stats/index.php
  • SCRIPT_FILENAME => /usr/local/share/cacti/index.php , PHP_SELF => /sys_cacti/index.php
  • SCRIPT_FILENAME => /home/cactiuser/test/index.php , PHP_SELF => /foo/index.php
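The mismatch diagnosed in the post above, as an added example that is not part of any post and is not Cacti code: it runs the quoted substr_count() comparison over the SCRIPT_FILENAME / PHP_SELF pairs posted in this thread, next to an alias-tolerant check that still refuses a PHP_SELF carrying extra path data. The function names, the SCRIPT_NAME value for the /foo install, and the last two rows are assumptions constructed for illustration; is_file() is left out so the script runs on any machine.

```php
<?php
// Added example, not Cacti source; both function names are hypothetical.

// The comparison quoted in the thread, without is_file() so it runs offline.
function substr_check(array $s): bool
{
    return substr_count($s["SCRIPT_FILENAME"], $s["PHP_SELF"]) > 0;
}

// Alias-tolerant variant (an assumption, not the fix Cacti shipped).
function alias_tolerant_check(array $s): bool
{
    $self = $s["PHP_SELF"];
    // PHP_SELF is SCRIPT_NAME plus any PATH_INFO; extra path data means the
    // value carries request-controlled text and must not be trusted.
    if ($self !== $s["SCRIPT_NAME"]) {
        return false;
    }
    // Only plain path segments ending in .php: no quotes, brackets or spaces.
    if (!preg_match('#^(/[A-Za-z0-9._-]+)+\.php$#', $self)) {
        return false;
    }
    // The URL and the file on disk must at least name the same script.
    return basename($self) === basename($s["SCRIPT_FILENAME"]);
}

// [SCRIPT_FILENAME, SCRIPT_NAME, PHP_SELF]. Rows 1-4 use values posted in the
// thread (SCRIPT_NAME for /foo is assumed); rows 5-6 are constructed.
$cases = [
    ["/usr/local/share/cacti/index.php",  "/stats/index.php",     "/stats/index.php"],
    ["/usr/local/share/cacti/index.php",  "/sys_cacti/index.php", "/sys_cacti/index.php"],
    ["/home/cactiuser/test/index.php",    "/foo/index.php",       "/foo/index.php"],
    ["/usr/local/share/cacti//index.php", "/cacti/index.php",     "/cacti/index.php"],
    ["/var/www/cacti/index.php",          "/cacti/index.php",     "/cacti/index.php"],
    ["/usr/local/share/cacti/index.php",  "/stats/index.php",     "/stats/index.php/\"><i>"],
];

foreach ($cases as [$file, $name, $self]) {
    $s = ["SCRIPT_FILENAME" => $file, "SCRIPT_NAME" => $name, "PHP_SELF" => $self];
    printf("%-26s substr=%-6s alias_tolerant=%s\n", $self,
        substr_check($s) ? "pass" : "reject",
        alias_tolerant_check($s) ? "pass" : "reject");
}
```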
dvl
Posts: 16
Joined: Wed Nov 15, 2006 8:07 pm
Location: Warrington, PA
Contact:

Broken on FreeBSD too...

Post by dvl »

Gamb wrote:
Just replace this condition :

Code:

if ((!is_file($_SERVER["PHP_SELF"])) && (!is_file($config["base_path"] . '/' . $_SERVER["PHP_SELF"]))) {
With this :

Code:

if (!is_file($config["base_path"] . '/' . $_SERVER["PHP_SELF"])) {
That fix does not work for me. Some parts below have been edited.

(
[DOCUMENT_ROOT] => /usr/websites/default/www
[HTTP_ACCEPT] => text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
[HTTP_ACCEPT_CHARSET] => iso-8859-1, utf-8, utf-16, *;q=0.1
[HTTP_ACCEPT_ENCODING] => deflate, gzip, x-gzip, identity, *;q=0
[HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.9
[HTTP_CACHE_CONTROL] => no-cache
[HTTP_CONNECTION] => Keep-Alive, TE
[HTTP_COOKIE] => PHPSESSID=*removed*; clickedFoldert2=1%5E; highlightedTreeviewLinkt2=2
[HTTP_COOKIE2] => $Version=1
[HTTP_HOST] => *removed*
[HTTP_TE] => deflate, gzip, chunked, identity, trailers
[HTTP_USER_AGENT] => Opera/9.25 (X11; FreeBSD 6 i386; U; en)
[PATH] => /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/home/dan/bin
[REDIRECT_STATUS] => 200
[REDIRECT_UNIQUE_ID] => R7MHY0CTcSoAAWjNdz4
[REDIRECT_URL] => /cacti/
[REMOTE_ADDR] => 72.*removed*
[REMOTE_PORT] => 56795
[SCRIPT_FILENAME] => /usr/local/share/cacti//index.php
[SERVER_ADDR] => 64.*removed*
[SERVER_ADMIN] => dan@example.org
[SERVER_NAME] => 127.0.0.1
[SERVER_PORT] => 80
[SERVER_SIGNATURE] =>
[SERVER_SOFTWARE] => Apache
[UNIQUE_ID] => R7MHY0CTcSoAAWjNdz4
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /cacti/
[SCRIPT_NAME] => /cacti/index.php
[PATH_TRANSLATED] => /usr/local/share/cacti//index.php
[PHP_SELF] => /cacti/index.php
[REQUEST_TIME] => 1202915171
[argv] => Array
(
)

[argc] => 0
)
--
Dan Langille - http://www.langille.org/
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

Post by fmangeant »

Modification by megaman worked for me : http://forums.cacti.net/viewtopic.php?p=125940#125940
alepot
Posts: 1
Joined: Wed Jun 13, 2007 5:30 am

Post by alepot »

fmangeant wrote:
We're now 3 in this thread having the same issue :
  • SCRIPT_FILENAME => /usr/local/share/cacti/index.php , PHP_SELF => /stats/index.php
  • SCRIPT_FILENAME => /usr/local/share/cacti/index.php , PHP_SELF => /sys_cacti/index.php
  • SCRIPT_FILENAME => /home/cactiuser/test/index.php , PHP_SELF => /foo/index.php
Make that 4, although I had a different solution. My system was 0.8.7a, patched today with the latest patches.

Previously, I had always aliased /cacti in apache. Replacing the alias with a symlink in DocumentRoot got it working again.

Is this an Apache issue or a PHP issue?

Alex


Array
(
[HTTP_HOST] => moon
[HTTP_USER_AGENT] => Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12
[HTTP_ACCEPT] => text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
[HTTP_ACCEPT_LANGUAGE] => en-gb,en;q=0.5
[HTTP_ACCEPT_ENCODING] => gzip,deflate
[HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
[HTTP_KEEP_ALIVE] => 300
[HTTP_CONNECTION] => keep-alive
[PATH] => /usr/local/bin:/usr/bin:/bin
[SERVER_SIGNATURE] =>
Apache Server at moon.apcuk.dyndns.org Port 80


[SERVER_SOFTWARE] => Apache
[SERVER_NAME] => moon.apcuk.dyndns.org
[SERVER_ADDR] => 192.168.2.1
[SERVER_PORT] => 80
[REMOTE_ADDR] => 192.168.200.5
[DOCUMENT_ROOT] => /var/www/htdocs
[SERVER_ADMIN] => webmaster@ap-consulting.co.uk
[SCRIPT_FILENAME] => /usr/share/cacti-0.8.7a/index.php
[REMOTE_PORT] => 51294
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /cacti/
[SCRIPT_NAME] => /cacti/index.php
[PHP_SELF] => /cacti/index.php
[REQUEST_TIME] => 1202950839
[argv] => Array
(
)

[argc] => 0
)

Invalid PHP_SELF Path