Cacti: official forums and support

Posted: Thu Nov 29, 2001 8:21 pm

Joined: Wed Nov 28, 2001 7:00 pm
Posts: 20
Using cacti 0.6, the auth scheme is broken in the default install.

Seems that there needs to be an entry for an allowed host or something?

I get denied access on the first login. PHP logs:
[29-Nov-2001 19:35:40] PHP Warning: Supplied argument is not a valid MySQL result resource in /www/htdocs/server/cacti/auth/include/login.php on line 20

mysql logs the expected search with sql connect, and the select admin / admin

Suggestions?


Posted: Thu Nov 29, 2001 8:58 pm
Lead Developer

Joined: Sat Oct 13, 2001 7:00 pm
Posts: 2237
Location: Carlisle, PA
The first thing to try is to redownload cacti:
http://www.raxnet.net/downloads/cacti-0.6.tar.gz

I made some changes to the original SQL scripts since it was first released. Then run:

mysqladmin -u root -p drop cacti
mysqladmin -u root -p create cacti
mysql -u root -p cacti < SQL

By default the authentication code works fine. You may also want to check the following though:

In include/config.php make sure:
- You have a valid database/database user and password specified
- Make sure the "$path_webroot" is filled in with your apache web root (like /var/www/html)
- Make sure the "$path_webrrd" contains cacti's path within the webroot (like /cacti)

If you do not see the cacti picture on the login screen, your paths are not correct.

Once you log in with admin/admin you will be asked to retype a new password.

Ian


Posted: Thu Nov 29, 2001 11:18 pm

Joined: Wed Nov 28, 2001 7:00 pm
Posts: 20
Hi Ian,

This is the mysql log from login:
323305 Query select * from auth_users where username="admin" and password = encrypt("admin",MD5("admin"))
323305 Query insert into auth_log (username,success,attemptedpass,ip) values("admin",0,"admin","208.33.80.102")

This is the query done manually and the result:
mysql> select * from auth_users where username="admin" and password = encrypt("admin",MD5("admin"));
ERROR 1064: You have an error in your SQL syntax near '("admin"))' at line 1

mysql version 3.22.32 (linux)
apache 1.3.14
php 4.0.3pl1 (older I know, however I have requirements... for 4.0.3pl1)


Posted: Fri Nov 30, 2001 9:15 am

Joined: Wed Nov 28, 2001 7:00 pm
Posts: 20
There is something busted in my encrypt() functions as they are used in the login.php and changepassword.php.

I removed the encrypt() from the query lines, updated the passwords to plain text and login/password changes are effective.

I'll use the mysql password functions to store encrypted passwords, although they fly around the internet in the web forms as plain text...

Thanks for a great tool!


Posted: Fri Nov 30, 2001 9:39 am
Lead Developer

Joined: Sat Oct 13, 2001 7:00 pm
Posts: 2237
Location: Carlisle, PA
I'll have to look into that bug. I am using MySQL 3.23.36 and the SQL string:

select * from auth_users where username="admin" and password = encrypt("admin",MD5("admin"));

Seems to work ok for me. When I get home tonight I will see about an alternative to the 'encrypt' function. If you know of anything better for this situation feel free to suggest something.


Posted: Fri Nov 30, 2001 11:12 am

Joined: Wed Nov 28, 2001 7:00 pm
Posts: 20
Let mysql encrypt it with the password() function?

line 25 of changepassword.php
mysql_query("update auth_users set mustchangepassword='',password=PASSWORD('$password') where id='$userid'");

line 19 of login.php
$res_id_user = mysql_query("select * from auth_users where username='$username' and password=PASSWORD('$password')");


Posted: Fri Nov 30, 2001 2:24 pm
Lead Developer

Joined: Sat Oct 13, 2001 7:00 pm
Posts: 2237
Location: Carlisle, PA
You're right, the PASSWORD function seems much more appropriate for this situation. I am hoping to add these changes and get a small release out tonight if time permits.


Posted: Sat Dec 01, 2001 10:40 am

Joined: Wed Nov 28, 2001 7:00 pm
Posts: 20
mysql-3.23.40 cured all my problems... so far.


Posted: Sat Dec 01, 2001 11:19 am
Lead Developer

Joined: Sat Oct 13, 2001 7:00 pm
Posts: 2237
Location: Carlisle, PA
Excellent. I probably should start using the PASSWORD() function, however, since it seems to be more compatible. The only issue is, when users upgrade to version 0.6.1, they will have to change their passwords. No big deal I guess.
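
The scheme change discussed in this thread can also be made without forcing a password change at upgrade, by hashing in PHP instead of in the SQL string and upgrading each row at the user's next successful login. The following is an added example, not Cacti's code and not written by either poster; the function name check_login(), the in-memory SQLite database and the sample row are assumptions, while the auth_users table and its columns follow the queries quoted above.

```php
<?php
// Added example, not Cacti code. Table and column names follow the queries
// quoted in the thread; check_login() and the in-memory SQLite database are
// assumptions so the example runs on its own (needs the pdo_sqlite extension).

function check_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password FROM auth_users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    // password_verify() accepts any crypt()-format hash, so it checks both the
    // 0.6-style DES value and hashes written by password_hash().
    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // Old-format row and the correct password is in hand: rehash it now, so
    // the scheme change does not force this user to pick a new password.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE auth_users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// Constructed sample data: one row stored the way the 0.6 query computes it,
// encrypt("admin", MD5("admin")), i.e. DES crypt salted from the MD5 hex string.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO auth_users (username, password) VALUES (?, ?)');
$ins->execute(['admin', crypt('admin', md5('admin'))]);

var_dump(check_login($db, 'admin', 'wrong'));   // wrong password
var_dump(check_login($db, 'admin', 'admin'));   // correct password, legacy row
$stored = $db->query("SELECT password FROM auth_users WHERE username = 'admin'")->fetchColumn();
var_dump(password_needs_rehash($stored, PASSWORD_DEFAULT)); // stored value after that login
var_dump(check_login($db, 'admin', 'admin'));   // same password, upgraded row
```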

