Upgrade from 0.8.7a to 0.8.7b: 'Invalid PHP_SELF Path'


sllywhtboy
Posts: 42
Joined: Sun Jul 09, 2006 1:51 am
Location: detroit'ish

Post by sllywhtboy »

wasca's fix worked for me. thanks!
william
Posts: 18
Joined: Mon Jun 06, 2005 5:38 am

Post by william »

Guys, I'm running on FreeBSD, new install of Cacti 7b all went fine. But when I try to browse to it I get the PHP SELF error. What can I do to fix it?
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France

Post by fmangeant »

Hi

Please see megaman's post on the 1st page.
william
Posts: 18
Joined: Mon Jun 06, 2005 5:38 am

Post by william »

Thank you that did the trick!
Ajunne
Posts: 2
Joined: Tue Nov 21, 2006 2:14 pm

Post by Ajunne »

I have the same issue. I installed the Ubuntu package of Cacti and since the latest package upgrade, I get the 'Invalid PHP_SELF' error.

As stated above in this thread, the error is most likely due to the fact that some distributions place the PHP code in a special directory, and use an Apache alias /cacti to map the entry URL to the location of the code (which is not in your Apache document root).

The easiest way to fix this, without having to fiddle with the PHP code, is to make a symlink.

First, locate your apache config that came with your Cacti installation package. If you did it by hand, then you most likely know where it is. Otherwise, /etc/cacti is usually a safe bet.

My installation of Ubuntu puts it in /etc/cacti/apache.conf

Open the file with an editor, and see if there is an Alias directive. Ubuntu uses the following:

Code:

Alias /cacti /usr/share/cacti/site

Comment this out by putting a hash in front of the line:

Code:

#Alias /cacti /usr/share/cacti/site

Now go to your Apache document root. On Ubuntu, this is /var/www. Once there, create a symlink to the Cacti installation directory (you might have to be root to do this):

Code:

$ cd /var/www
$ ln -s /usr/share/cacti/site cacti

Now, reload your Apache config. Ubuntu uses the following command (this needs to be done as root):

Code:

$ /etc/init.d/apache2 reload

Browse to http://your-server/cacti . Fixed.
blihtar
Posts: 1
Joined: Fri Feb 23, 2007 7:40 am

downgrade will help to solve problem

Post by blihtar »

Procedure on Ubuntu:

1. Check the version now and before:
"apt-cache policy cacti"

2. You will get something like this (screen after downgrade):
"cacti:
  Installed: 0.8.6j-1.1
  Candidate: 0.8.6j-1.1ubuntu0.2
  Version table:
     0.8.6j-1.1ubuntu0.2 0
        500 http://security.ubuntu.com gutsy-security/universe Packages
 *** 0.8.6j-1.1 0
        500 http://us.archive.ubuntu.com gutsy/universe Packages
        100 /var/lib/dpkg/status
"

3. Then downgrade, picking the lower version, like:
"apt-get install cacti=0.8.6j-1.1"
falconz
Posts: 2
Joined: Thu Oct 04, 2007 6:04 pm

Post by falconz »

This worked for me

Code:

root@monitor:~# apt-cache policy cacti
cacti:
  Installed: 0.8.6i-3ubuntu0.2
  Candidate: 0.8.6i-3ubuntu0.2
  Version table:
 *** 0.8.6i-3ubuntu0.2 0
        500 http://security.ubuntu.com feisty-security/universe Packages
        100 /var/lib/dpkg/status
     0.8.6i-3 0
        500 http://nz.archive.ubuntu.com feisty/universe Packages
root@monitor:~# apt-get install cacti=0.8.6i-3
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be DOWNGRADED:
  cacti
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 955kB of archives.
After unpacking 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://nz.archive.ubuntu.com feisty/universe cacti 0.8.6i-3 [955kB]
Fetched 955kB in 1s (884kB/s)
Preconfiguring packages ...
dpkg - warning: downgrading cacti from 0.8.6i-3ubuntu0.2 to 0.8.6i-3.
(Reading database ... 94050 files and directories currently installed.)
Preparing to replace cacti 0.8.6i-3ubuntu0.2 (using .../cacti_0.8.6i-3_all.deb) ...
Unpacking replacement cacti ...
Setting up cacti (0.8.6i-3) ...
dbconfig-common: writing config to /etc/dbconfig-common/cacti.conf
Replacing config file /etc/cacti/debian.php with new version
dbconfig-common: flushing administrative password
 * Reloading web server config...                                               24325
                                                                         [ OK ]


I think I'll wait a while before I try to upgrade Cacti again.
st0kes
Posts: 17
Joined: Mon Oct 08, 2007 5:12 am

Post by st0kes »

One more person here with this problem.

Upgraded the Cacti package using apt (Ubuntu Gutsy) and the error appeared.

Thank you very much Ajunne for the fix - that did the trick.
savar
Posts: 1
Joined: Mon Jun 23, 2008 5:46 am

Post by savar »

Hi,

I've the same problem on Debian.

Installed 0.8.6i-3.2 via apt-get

and upgraded to 0.8.7b.

Tried all your hints here but I get the error

Code:

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 121

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 122

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 123

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 124

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 125

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 129

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 129

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/auth_login.php on line 201

and I can't log in.

Can anyone help?

thanks
Priceadmin
Posts: 5
Joined: Tue Aug 12, 2008 5:14 am

Post by Priceadmin »

Hi

I followed this whole topic but I have the same problem before install.

When I modified the global.php file, I have a blank page.

Without the change in global, I have "Invalid PHP_SELF Path".

With the symbolic link, I have: The requested URL /cacti/index.php was not found on this server.

I cannot access the setup page.

I'm on RHEL 5 64 bits with cacti 0.8.7B

Thanks
Priceadmin
Posts: 5
Joined: Tue Aug 12, 2008 5:14 am

Post by Priceadmin »

I applied all the patches which are here: http://www.cacti.net/download_patches.php
Priceadmin
Posts: 5
Joined: Tue Aug 12, 2008 5:14 am

Post by Priceadmin »

Hi,

I downgraded to 0.8.7a and it works.
jmb
Posts: 17
Joined: Tue Jul 29, 2008 2:32 pm

Post by jmb »

Another situation where the PHP_SELF test fails:

Code:

    [DOCUMENT_ROOT] => /usr/local/cacti/
    [SCRIPT_FILENAME] => /home/jmb/public_html/cacti/cacti-0.8.7b/graph_view.php
    [PHP_SELF] => /~jmb/cacti/cacti-0.8.7b/graph_view.php

(sorted by megaman's workaround)

I've not seen any comment (here, svn or bugzilla) on what security issues this block is supposed to fix - is there an explanation somewhere? The tests look to be conflating the filesystem path with the URL path, without taking into account likely differences like aliasing.
oxo-oxo
Cacti User
Posts: 126
Joined: Thu Aug 30, 2007 11:35 am
Location: Silkeborg, Denmark

Post by oxo-oxo »

I caught this as well. I am using openSUSE with an alias, and svn code for version 0.8.7c.
I hit this problem on my newly installed portable, openSUSE, and need aliases to allow me access to released and beta code (I alias into the full SVN).

Reference:
"XSS protection etc"
- http://www.ush.it/team/ush/hack-cacti087a/cacti.txt

http://www.phpbbdoctor.com/blog/2007/01 ... -php_self/

Code:

owen@linux-8sua:/> cat /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php
<?php
echo "\n<pre>\n";
echo __FILE__ ." __FILE__\n";
echo $_SERVER['SCRIPT_NAME'] . " SCRIPT_NAME\n";
echo $_SERVER['SCRIPT_FILENAME'] . " SCRIPT_FILENAME\n";
echo $_SERVER['PHP_SELF'] . " PHP_SELF\n";
echo "\n</pre>\n";
?>
owen@linux-8sua:/> php5 /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php

<pre>
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php __FILE__
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php SCRIPT_NAME
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php SCRIPT_FILENAME
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php PHP_SELF

</pre>

From browser:

Code:

/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php __FILE__
/cactibeta/test.php SCRIPT_NAME
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php SCRIPT_FILENAME
/cactibeta/test.php PHP_SELF

From my own alias problem
NB
__FILE__ refers to global.php
[SCRIPT_FILENAME] refers to index.php

Here, I have an alias called beta that points to a Cacti branch of svn
- PHP_SELF will fail with the global.php code check

Code:

    [SCRIPT_FILENAME] => /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/index.php
    [SCRIPT_NAME] => /beta/index.php 
    [PHP_SELF] => /beta/index.php 

Code:

__FILE__ is /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/include/global.php
Array
(
    [HTTP_HOST] => 127.0.0.1
    [HTTP_USER_AGENT] => Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.3) Gecko/2008091700 SUSE/3.0.3-1.1 Firefox/3.0.3
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_ACCEPT_LANGUAGE] => en-gb,en;q=0.5
    [HTTP_ACCEPT_ENCODING] => gzip,deflate
    [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
    [HTTP_KEEP_ALIVE] => 300
    [HTTP_CONNECTION] => keep-alive
    [HTTP_COOKIE] => highlightedTreeviewLinkt2=3; clickedFoldert2=1%5E2%5E3%5E; clickedFolder=; fs=Graph_Management@@o!User_Login_History@@o!Log_File_Filters@@o!Devices@@o!Associated_Data_Queries@@o!Associated_Graph_Templates@@o!Localhost127_0_0_1@@o!Data_Sources@@o; navbar_id=console; menu=!utilities@@o!configuration@@o!importexport@@o!presets@@o!templates@@o!data_collection@@o!management@@o!create@@o; Cacti=1vmkk0c5skk8ilbj624s1nahhorvavvv
    [HTTP_CACHE_CONTROL] => max-age=0
    [PATH] => /usr/sbin:/bin:/usr/bin:/sbin
    [SERVER_SIGNATURE] => 
Apache/2.2.8 (Linux/SUSE) Server at 127.0.0.1 Port 80


    [SERVER_SOFTWARE] => Apache/2.2.8 (Linux/SUSE)
    [SERVER_NAME] => 127.0.0.1
    [SERVER_ADDR] => 127.0.0.1
    [SERVER_PORT] => 80
    [REMOTE_ADDR] => 127.0.0.1
    [DOCUMENT_ROOT] => /srv/www/htdocs
    [SERVER_ADMIN] => yyy@localhost
    [SCRIPT_FILENAME] => /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/index.php
    [REMOTE_PORT] => 41698
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /beta/
    [SCRIPT_NAME] => /beta/index.php
    [PHP_SELF] => /beta/index.php
    [REQUEST_TIME] => 1223982371
)

Invalid PHP_SELF Path 
Last edited by oxo-oxo on Fri Oct 17, 2008 2:46 pm, edited 6 times in total.
Owen Brotherwood, JN Data A/S, Denmark.
oxo-oxo
Cacti User
Posts: 126
Joined: Thu Aug 30, 2007 11:35 am
Location: Silkeborg, Denmark

The sanity check

Post by oxo-oxo »

Using http://www.phpbbdoctor.com/blog/2007/01 ... -php_self/ as a reference as to why not to use PHP_SELF, all the code is probably not relevant as long as PHP_SELF code is not used elsewhere.

Unfortunately, PHP_SELF is used a lot in the code: so open to misuse of PHP_SELF.
- so PHP_SELF needs to be checked so the code can use it without being changed.

Code:

        /* Sanity Check on "Corrupt" PHP_SELF */
        if ($_SERVER["SCRIPT_NAME"] != $_SERVER["PHP_SELF"]) {
                echo "\nInvalid PHP_SELF Path \n";
                exit;
        }
Last edited by oxo-oxo on Wed Oct 15, 2008 6:50 pm, edited 1 time in total.
Owen Brotherwood, JN Data A/S, Denmark.
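
The two kinds of test discussed in the last few posts, side by side, as an added example (not Cacti's code and not written by any poster): `url_check` is the comparison quoted above, while `filesystem_check` is a hypothetical test of the kind jmb describes. The `req` helper, the `/var/www` symlink paths, the SCRIPT_NAME for the ~jmb case and the path-info request are constructed assumptions; the other values are taken from the dumps in this thread.

```php
<?php
// Added illustration, not Cacti source. All request data below is constructed.

// Build the subset of $_SERVER that the checks look at.
function req(string $root, string $file, string $script, string $self): array
{
    return ['DOCUMENT_ROOT' => $root, 'SCRIPT_FILENAME' => $file,
            'SCRIPT_NAME' => $script, 'PHP_SELF' => $self];
}

// URL-to-URL comparison, as in the snippet quoted above.
function url_check(array $s): bool
{
    return $s['SCRIPT_NAME'] === $s['PHP_SELF'];
}

// Hypothetical filesystem-based test: strips DOCUMENT_ROOT from SCRIPT_FILENAME
// and expects the remainder to equal the URL path.
function filesystem_check(array $s): bool
{
    $root = rtrim($s['DOCUMENT_ROOT'], '/');
    if (strpos($s['SCRIPT_FILENAME'], $root . '/') !== 0) {
        return false; // script is served from outside the document root
    }
    return substr($s['SCRIPT_FILENAME'], strlen($root)) === $s['PHP_SELF'];
}

$branch = '/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/index.php';
$jmb    = '/~jmb/cacti/cacti-0.8.7b/graph_view.php';
$cases  = [
    // Symlink inside the document root (Ajunne's layout; paths assumed).
    'docroot symlink' => req('/var/www', '/var/www/cacti/index.php',
                             '/cacti/index.php', '/cacti/index.php'),
    // Alias to a tree outside the document root (oxo-oxo's dump).
    'Alias /beta'     => req('/srv/www/htdocs', $branch, '/beta/index.php', '/beta/index.php'),
    // User directory (jmb's dump; SCRIPT_NAME assumed equal to PHP_SELF).
    '~jmb user dir'   => req('/usr/local/cacti/',
                             '/home/jmb/public_html/cacti/cacti-0.8.7b/graph_view.php', $jmb, $jmb),
    // Trailing path info: PHP_SELF becomes SCRIPT_NAME + PATH_INFO (constructed value).
    'extra path info' => req('/srv/www/htdocs', $branch, '/beta/index.php',
                             '/beta/index.php/"><i>constructed</i>'),
];

foreach ($cases as $label => $s) {
    printf("%-16s url_check=%-6s filesystem_check=%-6s encoded=%s\n",
        $label,
        url_check($s) ? 'pass' : 'reject',
        filesystem_check($s) ? 'pass' : 'reject',
        htmlspecialchars($s['PHP_SELF'], ENT_QUOTES, 'UTF-8')); // encode before echoing
}
```

Run with the PHP CLI: the aliased and user-directory layouts pass the URL comparison but fail the filesystem one, and only the request with trailing path info fails the URL comparison.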