Upgrade from 0.8.7a to 0.8.7b: 'Invalid PHP_SELF Path'
Moderators: Developers, Moderators
-
- Posts: 42
- Joined: Sun Jul 09, 2006 1:51 am
- Location: detroit'ish
- Contact:
- fmangeant
- Cacti Guru User
- Posts: 2345
- Joined: Fri Sep 19, 2003 8:36 am
- Location: Sophia-Antipolis, France
- Contact:
Hi
please see megaman's post on 1st page.
please see megaman's post on 1st page.
[size=84]
[color=green]HOWTOs[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15353]Install and configure the Net-SNMP agent for Unix[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=26151]Install and configure the Net-SNMP agent for Windows[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=28175]Graph multiple servers using an SNMP proxy[/url][/list]
[color=green]Templates[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15412]Multiple CPU usage for Linux[/url]
[*][url=http://forums.cacti.net/viewtopic.php?p=125152]Memory & swap usage for Unix[/url][/list][/size]
[color=green]HOWTOs[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15353]Install and configure the Net-SNMP agent for Unix[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=26151]Install and configure the Net-SNMP agent for Windows[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=28175]Graph multiple servers using an SNMP proxy[/url][/list]
[color=green]Templates[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15412]Multiple CPU usage for Linux[/url]
[*][url=http://forums.cacti.net/viewtopic.php?p=125152]Memory & swap usage for Unix[/url][/list][/size]
I have the same issue. I installed the Ubuntu package of Cacti and since the latest package upgrade, I get the 'Invalid PHP_SELF' error.
As stated above in this thread, the error is most likely due to the fact that some distributions place the PHP code in a special directory, and use an Apache alias /cacti to map the entry URL to the location of the code (which is not in your Apache document root).
The easiest way to fix this, without having to fiddle with the PHP code, is to make a symlink.
First, locate your apache config that came with your Cacti installation package. If you did it by hand, then you most likely know where it is. Otherwise, /etc/cacti is usually a safe bet.
My installation of Ubuntu puts it in /etc/cacti/apache.conf
Open the file with an editor, and see if there is a Alias directive. Ubuntu uses the following:
Comment this out by putting a hash in front of the line:
Now go to your Apache document root. On Ubuntu, this is /var/www. Once there, create a symlink to the Cacti installation directory (you might have to be root to do this):
Now, reload your Apache config. Ubuntu uses the following command (this needs to be done as root):
Browse to http://your-server/cacti . Fixed.
As stated above in this thread, the error is most likely due to the fact that some distributions place the PHP code in a special directory, and use an Apache alias /cacti to map the entry URL to the location of the code (which is not in your Apache document root).
The easiest way to fix this, without having to fiddle with the PHP code, is to make a symlink.
First, locate your apache config that came with your Cacti installation package. If you did it by hand, then you most likely know where it is. Otherwise, /etc/cacti is usually a safe bet.
My installation of Ubuntu puts it in /etc/cacti/apache.conf
Open the file with an editor, and see if there is a Alias directive. Ubuntu uses the following:
Code: Select all
Alias /cacti /usr/share/cacti/site
Code: Select all
#Alias /cacti /usr/share/cacti/site
Code: Select all
$ cd /var/www
$ ln -s /usr/share/cacti/site cacti
Code: Select all
$ /etc/init.d/apache2 reload
downgrade will help to solve problem
procedure on ubuntu:
1. check version now and before
"apt-cache policy cacti"
2.you will get something like that ( screen after downgrade)
"cacti:
Installed: 0.8.6j-1.1
Candidate: 0.8.6j-1.1ubuntu0.2
Version table:
0.8.6j-1.1ubuntu0.2 0
500 http://security.ubuntu.com gutsy-security/universe Packages
*** 0.8.6j-1.1 0
500 http://us.archive.ubuntu.com gutsy/universe Packages
100 /var/lib/dpkg/status
"
3.then downgrade picking lower version like
"apt-get install cacti=0.8.6j-1.1"
1. check version now and before
"apt-cache policy cacti"
2.you will get something like that ( screen after downgrade)
"cacti:
Installed: 0.8.6j-1.1
Candidate: 0.8.6j-1.1ubuntu0.2
Version table:
0.8.6j-1.1ubuntu0.2 0
500 http://security.ubuntu.com gutsy-security/universe Packages
*** 0.8.6j-1.1 0
500 http://us.archive.ubuntu.com gutsy/universe Packages
100 /var/lib/dpkg/status
"
3.then downgrade picking lower version like
"apt-get install cacti=0.8.6j-1.1"
This worked for me
I think ill wait a while before i try to upgrade cacti again.
Code: Select all
root@monitor:~# apt-cache policy cacti
cacti:
Installed: 0.8.6i-3ubuntu0.2
Candidate: 0.8.6i-3ubuntu0.2
Version table:
*** 0.8.6i-3ubuntu0.2 0
500 http://security.ubuntu.com feisty-security/universe Packages
100 /var/lib/dpkg/status
0.8.6i-3 0
500 http://nz.archive.ubuntu.com feisty/universe Packages
root@monitor:~# apt-get install cacti=0.8.6i-3
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be DOWNGRADED:
cacti
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 955kB of archives.
After unpacking 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://nz.archive.ubuntu.com feisty/universe cacti 0.8.6i-3 [955kB]
Fetched 955kB in 1s (884kB/s)
Preconfiguring packages ...
dpkg - warning: downgrading cacti from 0.8.6i-3ubuntu0.2 to 0.8.6i-3.
(Reading database ... 94050 files and directories currently installed.)
Preparing to replace cacti 0.8.6i-3ubuntu0.2 (using .../cacti_0.8.6i-3_all.deb) ...
Unpacking replacement cacti ...
Setting up cacti (0.8.6i-3) ...
dbconfig-common: writing config to /etc/dbconfig-common/cacti.conf
Replacing config file /etc/cacti/debian.php with new version
dbconfig-common: flushing administrative password
* Reloading web server config... 24325
[ OK ]
I think ill wait a while before i try to upgrade cacti again.
Hi,
i've the same problem on debian.
installed 0.8.6i-3.2 via apt-get
and upgraded to 0.8.7b
tried all your hints here but i'll get the error
and i can't log in.
Can anyone help?
thanks
i've the same problem on debian.
installed 0.8.6i-3.2 via apt-get
and upgraded to 0.8.7b
tried all your hints here but i'll get the error
Code: Select all
Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 121
Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 122
Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 123
Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 124
Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 125
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 129
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 129
Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/auth_login.php on line 201
Can anyone help?
thanks
-
- Posts: 5
- Joined: Tue Aug 12, 2008 5:14 am
Hi
I followed all this topic but i have the same problem before install.
when i modified global.php file, i have a blank page.
Without change in global, i have "Invalid PHP_SELF Path".
With symbolic link, i have : The requested URL /cacti/index.php was not found on this server.
i cannot access to setup page.
I'm on RHEL 5 64 bits with cacti 0.8.7B
thanks
I followed all this topic but i have the same problem before install.
when i modified global.php file, i have a blank page.
Without change in global, i have "Invalid PHP_SELF Path".
With symbolic link, i have : The requested URL /cacti/index.php was not found on this server.
i cannot access to setup page.
I'm on RHEL 5 64 bits with cacti 0.8.7B
thanks
-
- Posts: 5
- Joined: Tue Aug 12, 2008 5:14 am
i applied all patchs which are here : http://www.cacti.net/download_patches.php
Another situation where the PHP_SELF test fails:
(sorted by megaman's workaround)
I've not seen any comment (here, svn or bugzilla) on what security issues this block is supposed to fix - is there an explanation somewhere? The tests look to be conflating the filesystem path with the URL path, without taking into account likely differences like aliasing.
Code: Select all
[DOCUMENT_ROOT] => /usr/local/cacti/
[SCRIPT_FILENAME] => /home/jmb/public_html/cacti/cacti-0.8.7b/graph_view.php
[PHP_SELF] => /~jmb/cacti/cacti-0.8.7b/graph_view.php
I've not seen any comment (here, svn or bugzilla) on what security issues this block is supposed to fix - is there an explanation somewhere? The tests look to be conflating the filesystem path with the URL path, without taking into account likely differences like aliasing.
- oxo-oxo
- Cacti User
- Posts: 126
- Joined: Thu Aug 30, 2007 11:35 am
- Location: Silkeborg, Denmark
- Contact:
I caught this as well, I am using openSuSE and using alias , using svn code for Version 0.8.7c
I hit this problem on my newly installed portable, openSuSe, and need alias's to allow me access to released and beta code (I alias into the full SVN),
Referance:
"XSS protection etc"
- http://www.ush.it/team/ush/hack-cacti087a/cacti.txt
http://www.phpbbdoctor.com/blog/2007/01 ... -php_self/
From browser:
From my own alias problem
NB
__FILE__ refers to global.php
[SCRIPT_FILENAME] refers to index.php
Here, I have an alias called beta that points to a Cacti branch of svn
- PHP_SELF will fail with the global.php code check
I hit this problem on my newly installed portable, openSuSe, and need alias's to allow me access to released and beta code (I alias into the full SVN),
Referance:
"XSS protection etc"
- http://www.ush.it/team/ush/hack-cacti087a/cacti.txt
http://www.phpbbdoctor.com/blog/2007/01 ... -php_self/
Code: Select all
owen@linux-8sua:/> cat /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php
<?php
echo "\n<pre>\n";
echo __FILE__ ." __FILE__\n";
echo $_SERVER['SCRIPT_NAME'] . " SCRIPT_NAME\n";
echo $_SERVER['SCRIPT_FILENAME'] . " SCRIPT_FILENAME\n";
echo $_SERVER['PHP_SELF'] . " PHP_SELF\n";
echo "\n</pre>\n";
?>
owen@linux-8sua:/> php5 /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php
<pre>
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php __FILE__
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php SCRIPT_NAME
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php SCRIPT_FILENAME
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php PHP_SELF
</pre>
Code: Select all
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php __FILE__
/cactibeta/test.php SCRIPT_NAME
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php SCRIPT_FILENAME
/cactibeta/test.php PHP_SELF
NB
__FILE__ refers to global.php
[SCRIPT_FILENAME] refers to index.php
Here, I have an alias called beta that points to a Cacti branch of svn
- PHP_SELF will fail with the global.php code check
Code: Select all
[SCRIPT_FILENAME] => /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/index.php
[SCRIPT_NAME] => /beta/index.php
[PHP_SELF] => /beta/index.php
Code: Select all
__FILE__ is /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/include/global.php
Array
(
[HTTP_HOST] => 127.0.0.1
[HTTP_USER_AGENT] => Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.3) Gecko/2008091700 SUSE/3.0.3-1.1 Firefox/3.0.3
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[HTTP_ACCEPT_LANGUAGE] => en-gb,en;q=0.5
[HTTP_ACCEPT_ENCODING] => gzip,deflate
[HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
[HTTP_KEEP_ALIVE] => 300
[HTTP_CONNECTION] => keep-alive
[HTTP_COOKIE] => highlightedTreeviewLinkt2=3; clickedFoldert2=1%5E2%5E3%5E; clickedFolder=; fs=Graph_Management@@o!User_Login_History@@o!Log_File_Filters@@o!Devices@@o!Associated_Data_Queries@@o!Associated_Graph_Templates@@o!Localhost127_0_0_1@@o!Data_Sources@@o; navbar_id=console; menu=!utilities@@o!configuration@@o!importexport@@o!presets@@o!templates@@o!data_collection@@o!management@@o!create@@o; Cacti=1vmkk0c5skk8ilbj624s1nahhorvavvv
[HTTP_CACHE_CONTROL] => max-age=0
[PATH] => /usr/sbin:/bin:/usr/bin:/sbin
[SERVER_SIGNATURE] =>
Apache/2.2.8 (Linux/SUSE) Server at 127.0.0.1 Port 80
[SERVER_SOFTWARE] => Apache/2.2.8 (Linux/SUSE)
[SERVER_NAME] => 127.0.0.1
[SERVER_ADDR] => 127.0.0.1
[SERVER_PORT] => 80
[REMOTE_ADDR] => 127.0.0.1
[DOCUMENT_ROOT] => /srv/www/htdocs
[SERVER_ADMIN] => yyy@localhost
[SCRIPT_FILENAME] => /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/index.php
[REMOTE_PORT] => 41698
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /beta/
[SCRIPT_NAME] => /beta/index.php
[PHP_SELF] => /beta/index.php
[REQUEST_TIME] => 1223982371
)
Invalid PHP_SELF Path
Last edited by oxo-oxo on Fri Oct 17, 2008 2:46 pm, edited 6 times in total.
Owen Brotherwood, JN Data A/S, Denmark.
- oxo-oxo
- Cacti User
- Posts: 126
- Joined: Thu Aug 30, 2007 11:35 am
- Location: Silkeborg, Denmark
- Contact:
The sanity check
Using http://www.phpbbdoctor.com/blog/2007/01 ... -php_self/ as a referance as to why not to use PHP_SELF, all the code is probably not relevant as long as PHP_SELF code is not used elsewhere
Unfortunatly, PHP_SELF is used a lot in the code: so open to misuse of PHP_SELF.
- so PHP_SELF needs to be checked so the code can use it without being changed.
Unfortunatly, PHP_SELF is used a lot in the code: so open to misuse of PHP_SELF.
- so PHP_SELF needs to be checked so the code can use it without being changed.
Code: Select all
/* Sanity Check on "Corrupt" PHP_SELF */
if ($_SERVER["SCRIPT_NAME"] != $_SERVER["PHP_SELF"]) {
echo "\nInvalid PHP_SELF Path \n";
exit;
}
Last edited by oxo-oxo on Wed Oct 15, 2008 6:50 pm, edited 1 time in total.
Owen Brotherwood, JN Data A/S, Denmark.
Who is online
Users browsing this forum: No registered users and 2 guests