Upgrade from 0.8.7a to 0.8.7b: 'Invalid PHP_SELF Path'

Post support questions that directly relate to Linux/Unix operating systems.

Moderators: Developers, Moderators

sllywhtboy
Posts: 42
Joined: Sun Jul 09, 2006 1:51 am
Location: detroit'ish
Contact:

Post by sllywhtboy »

wasca's fix worked for me. thanks!
william
Posts: 18
Joined: Mon Jun 06, 2005 5:38 am

Post by william »

guys I'm running on FreeBsd, new install of cacti 7b all went fine. But when I try to browse to it I get the PHP SELF error. What can I do to fix?
User avatar
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

Post by fmangeant »

Hi

please see megaman's post on 1st page.
[size=84]
[color=green]HOWTOs[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15353]Install and configure the Net-SNMP agent for Unix[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=26151]Install and configure the Net-SNMP agent for Windows[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=28175]Graph multiple servers using an SNMP proxy[/url][/list]
[color=green]Templates[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15412]Multiple CPU usage for Linux[/url]
[*][url=http://forums.cacti.net/viewtopic.php?p=125152]Memory & swap usage for Unix[/url][/list][/size]
william
Posts: 18
Joined: Mon Jun 06, 2005 5:38 am

Post by william »

Thank you that did the trick!
Ajunne
Posts: 2
Joined: Tue Nov 21, 2006 2:14 pm

Post by Ajunne »

I have the same issue. I installed the Ubuntu package of Cacti and since the latest package upgrade, I get the 'Invalid PHP_SELF' error.

As stated above in this thread, the error is most likely due to the fact that some distributions place the PHP code in a special directory, and use an Apache alias /cacti to map the entry URL to the location of the code (which is not in your Apache document root).

The easiest way to fix this, without having to fiddle with the PHP code, is to make a symlink.

First, locate your apache config that came with your Cacti installation package. If you did it by hand, then you most likely know where it is. Otherwise, /etc/cacti is usually a safe bet.

My installation of Ubuntu puts it in /etc/cacti/apache.conf

Open the file with an editor, and see if there is a Alias directive. Ubuntu uses the following:

Code: Select all

Alias /cacti /usr/share/cacti/site
Comment this out by putting a hash in front of the line:

Code: Select all

#Alias /cacti /usr/share/cacti/site
Now go to your Apache document root. On Ubuntu, this is /var/www. Once there, create a symlink to the Cacti installation directory (you might have to be root to do this):

Code: Select all

$ cd /var/www
$ ln -s /usr/share/cacti/site cacti
Now, reload your Apache config. Ubuntu uses the following command (this needs to be done as root):

Code: Select all

$ /etc/init.d/apache2 reload
Browse to http://your-server/cacti . Fixed.
blihtar
Posts: 1
Joined: Fri Feb 23, 2007 7:40 am

downgrade will help to solve problem

Post by blihtar »

procedure on ubuntu:

1. check version now and before
"apt-cache policy cacti"

2.you will get something like that ( screen after downgrade)
"cacti:
Installed: 0.8.6j-1.1
Candidate: 0.8.6j-1.1ubuntu0.2
Version table:
0.8.6j-1.1ubuntu0.2 0
500 http://security.ubuntu.com gutsy-security/universe Packages
*** 0.8.6j-1.1 0
500 http://us.archive.ubuntu.com gutsy/universe Packages
100 /var/lib/dpkg/status
"

3.then downgrade picking lower version like
"apt-get install cacti=0.8.6j-1.1"
falconz
Posts: 2
Joined: Thu Oct 04, 2007 6:04 pm

Post by falconz »

This worked for me

Code: Select all

root@monitor:~# apt-cache policy cacti
cacti:
  Installed: 0.8.6i-3ubuntu0.2
  Candidate: 0.8.6i-3ubuntu0.2
  Version table:
 *** 0.8.6i-3ubuntu0.2 0
        500 http://security.ubuntu.com feisty-security/universe Packages
        100 /var/lib/dpkg/status
     0.8.6i-3 0
        500 http://nz.archive.ubuntu.com feisty/universe Packages
root@monitor:~# apt-get install cacti=0.8.6i-3
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be DOWNGRADED:
  cacti
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 955kB of archives.
After unpacking 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://nz.archive.ubuntu.com feisty/universe cacti 0.8.6i-3 [955kB]
Fetched 955kB in 1s (884kB/s)
Preconfiguring packages ...
dpkg - warning: downgrading cacti from 0.8.6i-3ubuntu0.2 to 0.8.6i-3.
(Reading database ... 94050 files and directories currently installed.)
Preparing to replace cacti 0.8.6i-3ubuntu0.2 (using .../cacti_0.8.6i-3_all.deb) ...
Unpacking replacement cacti ...
Setting up cacti (0.8.6i-3) ...
dbconfig-common: writing config to /etc/dbconfig-common/cacti.conf
Replacing config file /etc/cacti/debian.php with new version
dbconfig-common: flushing administrative password
 * Reloading web server config...                                               24325
                                                                         [ OK ]


I think ill wait a while before i try to upgrade cacti again.
st0kes
Posts: 17
Joined: Mon Oct 08, 2007 5:12 am

Post by st0kes »

One more person here with this problem.

Upgraded the Cacti package using apt (Ubuntu Gusty) and the error appeared.

Thank you very much Ajunne for the fix - that did the trick.
savar
Posts: 1
Joined: Mon Jun 23, 2008 5:46 am

Post by savar »

Hi,

i've the same problem on debian.

installed 0.8.6i-3.2 via apt-get

and upgraded to 0.8.7b

tried all your hints here but i'll get the error

Code: Select all

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 121

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 122

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 123

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 124

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 125

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 129

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/include/global.php on line 129

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/config.php:39) in /usr/share/cacti/site/auth_login.php on line 201
and i can't log in.

Can anyone help?

thanks
Priceadmin
Posts: 5
Joined: Tue Aug 12, 2008 5:14 am

Post by Priceadmin »

Hi

I followed all this topic but i have the same problem before install.

when i modified global.php file, i have a blank page.

Without change in global, i have "Invalid PHP_SELF Path".

With symbolic link, i have : The requested URL /cacti/index.php was not found on this server.

i cannot access to setup page.

I'm on RHEL 5 64 bits with cacti 0.8.7B

thanks
Priceadmin
Posts: 5
Joined: Tue Aug 12, 2008 5:14 am

Post by Priceadmin »

i applied all patchs which are here : http://www.cacti.net/download_patches.php
Priceadmin
Posts: 5
Joined: Tue Aug 12, 2008 5:14 am

Post by Priceadmin »

Hi,

i downgrade to 0.8.7a and it works.
User avatar
jmb
Posts: 17
Joined: Tue Jul 29, 2008 2:32 pm

Post by jmb »

Another situation where the PHP_SELF test fails:

Code: Select all

    [DOCUMENT_ROOT] => /usr/local/cacti/
    [SCRIPT_FILENAME] => /home/jmb/public_html/cacti/cacti-0.8.7b/graph_view.php
    [PHP_SELF] => /~jmb/cacti/cacti-0.8.7b/graph_view.php
(sorted by megaman's workaround)

I've not seen any comment (here, svn or bugzilla) on what security issues this block is supposed to fix - is there an explanation somewhere? The tests look to be conflating the filesystem path with the URL path, without taking into account likely differences like aliasing.
User avatar
oxo-oxo
Cacti User
Posts: 126
Joined: Thu Aug 30, 2007 11:35 am
Location: Silkeborg, Denmark
Contact:

Post by oxo-oxo »

I caught this as well, I am using openSuSE and using alias , using svn code for Version 0.8.7c
I hit this problem on my newly installed portable, openSuSe, and need alias's to allow me access to released and beta code (I alias into the full SVN),

Referance:
"XSS protection etc"
- http://www.ush.it/team/ush/hack-cacti087a/cacti.txt

http://www.phpbbdoctor.com/blog/2007/01 ... -php_self/

Code: Select all

owen@linux-8sua:/> cat /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php
<?php
echo "\n<pre>\n";
echo __FILE__ ." __FILE__\n";
echo $_SERVER['SCRIPT_NAME'] . " SCRIPT_NAME\n";
echo $_SERVER['SCRIPT_FILENAME'] . " SCRIPT_FILENAME\n";
echo $_SERVER['PHP_SELF'] . " PHP_SELF\n";
echo "\n</pre>\n";
?>
owen@linux-8sua:/> php5 /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php

<pre>
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php __FILE__
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php SCRIPT_NAME
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php SCRIPT_FILENAME
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php PHP_SELF

</pre>
From browser:

Code: Select all

/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php __FILE__
/cactibeta/test.php SCRIPT_NAME
/home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/test.php SCRIPT_FILENAME
/cactibeta/test.php PHP_SELF
From my own alias problem
NB
__FILE__ refers to global.php
[SCRIPT_FILENAME] refers to index.php

Here, I have an alias called beta that points to a Cacti branch of svn
- PHP_SELF will fail with the global.php code check

Code: Select all

    [SCRIPT_FILENAME] => /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/index.php
    [SCRIPT_NAME] => /beta/index.php 
    [PHP_SELF] => /beta/index.php 

Code: Select all

__FILE__ is /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/include/global.php
Array
(
    [HTTP_HOST] => 127.0.0.1
    [HTTP_USER_AGENT] => Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.3) Gecko/2008091700 SUSE/3.0.3-1.1 Firefox/3.0.3
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_ACCEPT_LANGUAGE] => en-gb,en;q=0.5
    [HTTP_ACCEPT_ENCODING] => gzip,deflate
    [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
    [HTTP_KEEP_ALIVE] => 300
    [HTTP_CONNECTION] => keep-alive
    [HTTP_COOKIE] => highlightedTreeviewLinkt2=3; clickedFoldert2=1%5E2%5E3%5E; clickedFolder=; fs=Graph_Management@@o!User_Login_History@@o!Log_File_Filters@@o!Devices@@o!Associated_Data_Queries@@o!Associated_Graph_Templates@@o!Localhost127_0_0_1@@o!Data_Sources@@o; navbar_id=console; menu=!utilities@@o!configuration@@o!importexport@@o!presets@@o!templates@@o!data_collection@@o!management@@o!create@@o; Cacti=1vmkk0c5skk8ilbj624s1nahhorvavvv
    [HTTP_CACHE_CONTROL] => max-age=0
    [PATH] => /usr/sbin:/bin:/usr/bin:/sbin
    [SERVER_SIGNATURE] => 
Apache/2.2.8 (Linux/SUSE) Server at 127.0.0.1 Port 80


    [SERVER_SOFTWARE] => Apache/2.2.8 (Linux/SUSE)
    [SERVER_NAME] => 127.0.0.1
    [SERVER_ADDR] => 127.0.0.1
    [SERVER_PORT] => 80
    [REMOTE_ADDR] => 127.0.0.1
    [DOCUMENT_ROOT] => /srv/www/htdocs
    [SERVER_ADMIN] => yyy@localhost
    [SCRIPT_FILENAME] => /home/owen/Documents/cacti/cacti/cacti/branches/0.8.7/index.php
    [REMOTE_PORT] => 41698
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /beta/
    [SCRIPT_NAME] => /beta/index.php
    [PHP_SELF] => /beta/index.php
    [REQUEST_TIME] => 1223982371
)

Invalid PHP_SELF Path 
Last edited by oxo-oxo on Fri Oct 17, 2008 2:46 pm, edited 6 times in total.
Owen Brotherwood, JN Data A/S, Denmark.
User avatar
oxo-oxo
Cacti User
Posts: 126
Joined: Thu Aug 30, 2007 11:35 am
Location: Silkeborg, Denmark
Contact:

The sanity check

Post by oxo-oxo »

Using http://www.phpbbdoctor.com/blog/2007/01 ... -php_self/ as a referance as to why not to use PHP_SELF, all the code is probably not relevant as long as PHP_SELF code is not used elsewhere

Unfortunatly, PHP_SELF is used a lot in the code: so open to misuse of PHP_SELF.
- so PHP_SELF needs to be checked so the code can use it without being changed.

Code: Select all

        /* Sanity Check on "Corrupt" PHP_SELF */
        if ($_SERVER["SCRIPT_NAME"] != $_SERVER["PHP_SELF"]) {
                echo "\nInvalid PHP_SELF Path \n";
                exit;
        }
Last edited by oxo-oxo on Wed Oct 15, 2008 6:50 pm, edited 1 time in total.
Owen Brotherwood, JN Data A/S, Denmark.
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest