Upgrade from 0.8.7a to 0.8.7b: 'Invalid PHP_SELF Path'

Post by **TheWitness** » Wed Feb 13, 2008 8:39 pm

I believe the megaman fix to be secure.

TheWitness

tymbow · Post by **tymbow** » Thu Feb 14, 2008 12:00 am

Make that 5 people with the problem (except I am on Windows).

faustovetter@gmail.com · Thu Feb 14, 2008 12:40 pm

Hi,

I also observed this behavior. So, to make sure it runs, I just assured that alias path on the web-browser is the same as the cacti linux sub-folder.

Clarifying what I wrote above:

E.g.:
your alias on your browser: http://localhost/cacti/index.php
your cacti home folder: /home/cactiuser/cacti/

Cacti sub-folder: /cacti
Web-browser alias: /cacti

So cacti can find all files on both structures (alias and path).

chronos · Post by **chronos** » Thu Feb 14, 2008 1:01 pm

It's a way around the bug, but doesn't solve it unfortunately. And you're also exposing yourself to potential future exploits by having a "standard" xxx/cacti form.

The FreeBSD port (and I assume Linux's "ports/rpm") install in a xxx/cacti folder and the modification of the Alias is to somewhat secure cacti from standard exploits that target xxx/cacti.

just_me · Post by **just_me** » Mon Feb 18, 2008 8:02 am

Hello!

I have the FreeBSD installation from ports:

I added some debug here:

Code: Select all

                               echo "\nInvalid PHP_SELF Path \n";
                                echo $_SERVER["PHP_SELF"] ;
                                echo " - ";
                                echo $_SERVER["DOCUMENT_ROOT"];
                                echo " - ";
                                echo $_SERVER["SCRIPT_FILENAME"];
                               exit;

This show me:
Invalid PHP_SELF Path /cacti/index.php - /usr/local/www/apache22/data - /usr/local/share/cacti/index.php

As we can see, this installed not under DOCUMENT_ROOT, but cacti checked for this.

Linuturk · Post by **Linuturk** » Fri Feb 22, 2008 10:17 am

I've got the same problem after upgrading using the Ubuntu Gutsy package, but I can't find global.php in /usr/share/cacti/site/include/

Any help?

fmangeant · Post by **fmangeant** » Fri Feb 22, 2008 10:18 am

Hi

with Debian/Ubuntu, is it under /etc/cacti ?

Linuturk · Post by **Linuturk** » Fri Feb 22, 2008 10:25 am

Nope, not there either.

I've done a $ locate global.php

and it doesn't show up . . .

GraveR · Post by **GraveR** » Sat Feb 23, 2008 6:38 am

For Ubuntu Gutsy, the file you're looking for is '/usr/share/cacti/site/include/config.php'

The fix mentioned works.

Linuturk · Post by **Linuturk** » Sat Feb 23, 2008 4:46 pm

Thank you so much. The fix is confirmed to work for me in the file mentioned above

petaramesh · Post by **petaramesh** » Sun Feb 24, 2008 3:42 am

For the record, same problem in Ubuntu Gutsy after upgrading the cacti package yesterday.

Fixed by applying Megaman's fix on /usr/share/cacti/site/include/config.php line 87.

Thanks.

thavinci · Post by **thavinci** » Sun Feb 24, 2008 5:29 pm

Wel ive got the exact same problem here....
Running on FreeBSD6.2.

megaman's fix worked for me.

sllywhtboy · Post by **sllywhtboy** » Sun Feb 24, 2008 5:36 pm

config.php tweaks in ubuntu edgy didn't work.

netmirror · Post by **netmirror** » Mon Feb 25, 2008 6:49 am

Test this solution:
https://bugs.launchpad.net/ubuntu/+sour ... bug/194687

wasca · Post by **wasca** » Mon Feb 25, 2008 11:41 pm

I can confirm that upgrading cacti to 0.8.0.6h on Ubuntu Dapper 6.06 LTS breaks cacti but this fixes it.

edit /usr/share/cacti/site/include/config.php

Look at line 86

Replace this line

Code: Select all

if (!((is_file($_SERVER["SCRIPT_FILENAME"])) && (substr_count($_SERVER["SCRIPT_FILENAME"], $_SERVER["PHP_SELF"])))) {

With this

Code: Select all

if (!((is_file($_SERVER["SCRIPT_FILENAME"])))) {

I had to run through the install process after doing this. All my data was still there.

Hope this helps.

Cacti

Upgrade from 0.8.7a to 0.8.7b: 'Invalid PHP_SELF Path'

Possible workaround without touching the code

Same problem, same fix

Same Issue Here!

Who is online