Upgrade from 0.8.7a to 0.8.7b: 'Invalid PHP_SELF Path'

TheWitness · **Posted:** Wed Feb 13, 2008 8:39 pm

I believe the megaman fix to be secure.

TheWitness

tymbow · **Joined:** Sat May 14, 2005 8:00 pm **Posts:** 54

Make that 5 people with the problem (except I am on Windows).

faustovetter@gmail.com · **Joined:** Thu Feb 14, 2008 11:54 am **Posts:** 4

Hi,

I also observed this behavior. So, to make sure it runs, I just assured that alias path on the web-browser is the same as the cacti linux sub-folder.

Clarifying what I wrote above:

E.g.:
your alias on your browser: http://localhost/cacti/index.php
your cacti home folder: /home/cactiuser/cacti/

Cacti sub-folder: /cacti
Web-browser alias: /cacti

So cacti can find all files on both structures (alias and path).

chronos · **Joined:** Tue Feb 12, 2008 1:07 pm **Posts:** 5

It's a way around the bug, but doesn't solve it unfortunately. And you're also exposing yourself to potential future exploits by having a "standard" xxx/cacti form.

The FreeBSD port (and I assume Linux's "ports/rpm") install in a xxx/cacti folder and the modification of the Alias is to somewhat secure cacti from standard exploits that target xxx/cacti.

just_me · **Joined:** Thu Mar 16, 2006 4:00 am **Posts:** 1

Hello!

I have the FreeBSD installation from ports:

I added some debug here:

Code:

                               echo "\nInvalid PHP_SELF Path \n";
                                echo $_SERVER["PHP_SELF"] ;
                                echo " - ";
                                echo $_SERVER["DOCUMENT_ROOT"];
                                echo " - ";
                                echo $_SERVER["SCRIPT_FILENAME"];
                               exit;

This show me:
Invalid PHP_SELF Path /cacti/index.php - /usr/local/www/apache22/data - /usr/local/share/cacti/index.php

As we can see, this installed not under DOCUMENT_ROOT, but cacti checked for this.

Linuturk · **Posted:** Fri Feb 22, 2008 10:17 am

I've got the same problem after upgrading using the Ubuntu Gutsy package, but I can't find global.php in /usr/share/cacti/site/include/

Any help?

fmangeant · **Posted:** Fri Feb 22, 2008 10:18 am

Hi

with Debian/Ubuntu, is it under /etc/cacti ?

Linuturk · **Posted:** Fri Feb 22, 2008 10:25 am

Nope, not there either.

I've done a $ locate global.php

and it doesn't show up . . .

GraveR · **Joined:** Sat Feb 23, 2008 6:35 am **Posts:** 1

For Ubuntu Gutsy, the file you're looking for is '/usr/share/cacti/site/include/config.php'

The fix mentioned works.

Linuturk · **Posted:** Sat Feb 23, 2008 4:46 pm

Thank you so much. The fix is confirmed to work for me in the file mentioned above

petaramesh · **Joined:** Sun Feb 24, 2008 3:39 am **Posts:** 1

For the record, same problem in Ubuntu Gutsy after upgrading the cacti package yesterday.

Fixed by applying Megaman's fix on /usr/share/cacti/site/include/config.php line 87.

Thanks.

thavinci · **Posted:** Sun Feb 24, 2008 5:29 pm

Wel ive got the exact same problem here....
Running on FreeBSD6.2.

megaman's fix worked for me.

sllywhtboy · **Posted:** Sun Feb 24, 2008 5:36 pm

config.php tweaks in ubuntu edgy didn't work.

netmirror · **Joined:** Mon Feb 25, 2008 6:45 am **Posts:** 1

Test this solution:
https://bugs.launchpad.net/ubuntu/+sour ... bug/194687

wasca · **Joined:** Fri Feb 22, 2008 1:36 am **Posts:** 3

I can confirm that upgrading cacti to 0.8.0.6h on Ubuntu Dapper 6.06 LTS breaks cacti but this fixes it.

edit /usr/share/cacti/site/include/config.php

Look at line 86

Replace this line

Code:

if (!((is_file($_SERVER["SCRIPT_FILENAME"])) && (substr_count($_SERVER["SCRIPT_FILENAME"], $_SERVER["PHP_SELF"])))) {

With this

Code:

if (!((is_file($_SERVER["SCRIPT_FILENAME"])))) {

I had to run through the install process after doing this. All my data was still there.

Hope this helps.

Upgrade from 0.8.7a to 0.8.7b: 'Invalid PHP_SELF Path'

Who is online