cacti web frontend fails with 'Invalid PHP_SELF Path' after upgrade

Bug #194687 reported by Frits Letteboer
Affects          Status         Importance   Assigned to        Milestone
cacti (Ubuntu)   Fix Released   Medium       Emanuele Gentili
Dapper           Fix Released   High         Jamie Strandboge
Edgy             Fix Released   High         Jamie Strandboge
Feisty           Fix Released   High         Jamie Strandboge
Gutsy            Fix Released   High         Emanuele Gentili
Hardy            Fix Released   Medium       Emanuele Gentili

Bug Description

Cacti frontend fails with 'Invalid PHP_SELF Path' after upgrade to 'cacti (0.8.6j-1.1ubuntu0.2) gutsy-security; urgency=low'.

The problem occurs when visiting the default cacti-install (e.g. http://server/cacti/)

It seems to be a known issue: 'Upgrade from 0.8.7a to 0.8.7b: 'Invalid PHP_SELF Path' @ http://forums.cacti.net/about25759.html

Frits Letteboer (f-letteboer) wrote :

The attached patch was extracted from the forum. It should be verified if it's safe, though.

Jeremy Jackson (jerj) wrote :

I can confirm this, on AMD64, upgrading from 0.8.6j-1.1ubuntu0.1 to 0.8.6j-1.1ubuntu0.2 breaks cacti. When I downgrade, it works again.

Emanuele Gentili (emgent) wrote :

OK, I will work on this. Thanks.

Changed in cacti:
assignee: nobody → emgent
importance: Undecided → Medium
status: New → Confirmed
Alessandro (ale-alfonsi) wrote :

I confirm a problem when upgrading cacti 0.8.6h-1ubuntu3.1 -> 0.8.6h-1ubuntu3.2 on Ubuntu Dapper 6.06. The solution is to apply the patch above.

Yiannis (yiannos-gmail) wrote :

I can confirm this as well on the latest upgrade of cacti from the update manager on Ubuntu 7.10. The patch can fix the issue:

sudo pico /usr/share/cacti/site/include/config.php

replace what is under

/* Sanity Check on "Corrupt" PHP_SELF */

with

if ((!is_file($_SERVER["PHP_SELF"])) && (!is_file($config["base_path"] . '/' . $_SERVER["PHP_SELF"]))) {
        if (!is_file($_SERVER["DOCUMENT_ROOT"] . $_SERVER["PHP_SELF"])) {
                if (!((is_file($_SERVER["SCRIPT_FILENAME"])) && (substr_count($_SERVER["SCRIPT_FILENAME"], $_SERVER["PHP_SELF"])))) {
                        if (!((is_file($_SERVER["SCRIPT_FILENAME"])))) {
                                /* none of the path tests matched: abort the request */
                                echo "\nInvalid PHP_SELF Path\n";
                                exit;
                        }
                }
        }
}

Frits Letteboer, thanks a lot

Félim Whiteley (felimwhiteley) wrote :

Confirmed error on the upgrade from 0.8.6j-1.1ubuntu0.1 to 0.8.6j-1.1ubuntu0.2.

z0nic (stian-komplisert) wrote :

When I apply the patch above it seems to get stuck with this message when I enter my http://webpage.com/cacti

"Error

You have created a new database, but have not yet imported the 'cacti.sql' file. At the command line, execute the following to continue:

mysql -u cacti -p cacti < cacti.sql

This error may also be generated if the cacti database user does not have correct permissions on the cacti database. Please ensure that the cacti database user has the ability to SELECT, INSERT, DELETE, UPDATE, CREATE, ALTER, DROP, INDEX on the cacti database."

I'm using the root user, as this is on a local network.... but still it's not working...

Any ideas?

-- Stian

compudaze (compudaze) wrote :

I ran into the same problem as well since I'm using the /cacti alias in Apache.

Instead of ripping out the security fix that the line in question provides, I made this patch.
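
Why the check rejects an aliased install, and what the workaround quoted earlier in this thread does to it, as an added example that is not part of any comment here and is not Cacti's or Ubuntu's code. The variant without the innermost test is assumed to be the check shipped in the security update; the /var/www document root, the file list and the request values are constructed.

```php
<?php
// Added illustration, not Cacti or Ubuntu code. is_file() is replaced by a
// lookup in a constructed file list so the script runs from the PHP CLI.

function php_self_ok(array $s, string $base, array $files, bool $workaround): bool
{
    $isFile = function (string $p) use ($files): bool {
        // Collapse "//" the way the filesystem would.
        return in_array(preg_replace('#/+#', '/', $p), $files, true);
    };
    if (!$isFile($s['PHP_SELF']) && !$isFile($base . '/' . $s['PHP_SELF'])) {
        if (!$isFile($s['DOCUMENT_ROOT'] . $s['PHP_SELF'])) {
            if (!($isFile($s['SCRIPT_FILENAME'])
                && substr_count($s['SCRIPT_FILENAME'], $s['PHP_SELF']))) {
                // Assumed shipped check: reject here. Forum workaround:
                // reject only if SCRIPT_FILENAME is not a file either.
                if (!$workaround || !$isFile($s['SCRIPT_FILENAME'])) {
                    return false; // "Invalid PHP_SELF Path"
                }
            }
        }
    }
    return true;
}

// Constructed sample data; DOCUMENT_ROOT /var/www is an assumption.
$files = ['/var/www/index.php', '/usr/share/cacti/site/index.php'];
$alias = '/usr/share/cacti/site';   // target of "Alias /cacti ..."
$cases = [
    'served from /'         => ['/var/www', '/index.php', '/var/www/index.php'],
    'served from /cacti'    => [$alias, '/cacti/index.php', "$alias/index.php"],
    '/cacti, trailing data' => [$alias, '/cacti/index.php/extra', "$alias/index.php"],
];

foreach ($cases as $name => [$base, $self, $script]) {
    $s = ['PHP_SELF' => $self, 'SCRIPT_FILENAME' => $script,
          'DOCUMENT_ROOT' => '/var/www'];
    printf("%-22s shipped=%-7s workaround=%s\n", $name,
        php_self_ok($s, $base, $files, false) ? 'ok' : 'reject',
        php_self_ok($s, $base, $files, true) ? 'ok' : 'reject');
}
```

Under the alias the assumed shipped check rejects even the plain /cacti/index.php request, because the URL path is not a substring of the script's filesystem path. The workaround accepts all three cases, including the one with trailing data, so with it in place the check only fires when SCRIPT_FILENAME itself is missing.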

Hugh Blemings (hughhalf) wrote :

compudaze's patch fixed the Invalid PHP_SELF problem on my Ubuntu Server x86-64 install.

Thanks :)

Aaron C. de Bruyn (darkpixel2k) wrote :

Ran into the same issue, used the patch provided by compudaze.
+worksforme

Tom De Clercq (g-launchpad-tomsworld-be) wrote :

The issue also exists in a new install. I had to change the same rule in global.php instead of config.php, which is quite empty with a new install. But changing the same code as in compudaze's patch in global.php also solves the problem.

Arto Karppinen (arto-karppinen) wrote :

Also happens with a fresh install of cacti, version 0.8.6j-1.1ubuntu0.2. Fixed with compudaze's patch.

Emanuele Gentili (emgent) wrote :

Fixed in Hardy.

Changed in cacti:
status: Confirmed → In Progress
Emanuele Gentili (emgent) wrote :

MOTU-SRU subscribed.

Emanuele Gentili (emgent) wrote :

It's a Security Regression, ubuntu-security subscribed.
Please remove motu-SRU.

Emanuele Gentili (emgent) wrote :

The main part works if you don't run it from /<dir> but from /. According to Stephan Hermann, attach debdiff and re-subscribe MOTU-SRU.

Emanuele Gentili (emgent) wrote :

1) Install/upgrade gosa
2) Open browser to http://localhost/cacti/
3) See Fatal Error [1]
4) It's possible to solve the problem manually with patch [2] and debdiff [3]
5) working fine [4]

[1] Invalid PHP_SELF Path
[2] http://launchpadlibrarian.net/12511474/config.php.patch
[3] http://launchpadlibrarian.net/12992491/gutsy_proposed_0.8.6j-1.1ubuntu1.2.debdiff
[4] http://thc.emanuele-gentili.com/cacti/

Emanuele Gentili (emgent) wrote :

s/gosa/cacti/

William Grant (wgrant) wrote :

This isn't an SRU, as it was a security regression.

Changed in cacti:
assignee: nobody → emgent
importance: Undecided → High
status: New → In Progress
status: In Progress → Fix Released
Stephan Rügamer (sruegamer) wrote :

@William,

na security was correct...the problem is, that it now only runs with a path as / and not with paths as /<foobar>/

I mean, I don't care if it goes to -security or if we just push it to -updates

William Grant (wgrant) wrote : Re: [Bug 194687] Re: cacti web frontend fails with 'Invalid PHP_SELF Path' after upgrade

Stephan Hermann wrote:
> @William,
>
> na security was correct...the problem is, that it now only runs with a
> path as / and not with paths as /<foobar>/
>
> I mean, I don't care if it goes to -security or if we just push it to
> -updates

The security fix was not correct - it caused a regression. That deserves
to go into -security, particularly as people with -security enabled
won't necessarily have -updates enabled.

--
William Grant

Scott Kitterman (kitterman) wrote : Re: [Bug 194687] Re: cacti web frontend fails with 'Invalid PHP_SELF Path' after upgrade

There are people that run with -security and not -updates. Follow-ups to a
security fix really should go in -security.

Emanuele Gentili (emgent) wrote :
Jamie Strandboge (jdstrand) wrote :

Feisty needs this too. While I haven't tested it, I can assume Edgy and Dapper need it too.

Jamie Strandboge (jdstrand) wrote :

Edgy and Dapper also broken.

For Dapper - Feisty, see README.Debian.gz for how to set up the database. Dapper also needs this added to /etc/apache2/conf.d/cacti.conf:
Alias /cacti /usr/share/cacti/site

<DirectoryMatch /usr/share/cacti/site>
        Options +FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        <IfModule mod_php4.c>
                AddType application/x-httpd-php .php

                php_flag magic_quotes_gpc Off
                php_flag short_open_tag On
                php_flag register_globals Off
                php_flag register_argc_argv On
                php_flag track_vars On
                # this setting is necessary for some locales
                php_value mbstring.func_overload 0
                php_value include_path .

                DirectoryIndex index.php
        </IfModule>
</DirectoryMatch>

Jamie Strandboge (jdstrand) wrote :

Also, reading the changelog, it isn't a FTBFS (Fail To Build From Source).

Changed in cacti:
status: In Progress → Fix Committed
importance: Undecided → High
importance: Undecided → High
importance: Undecided → High
status: New → Triaged
status: New → Triaged
Changed in cacti:
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cacti - 0.8.6j-1.1ubuntu0.3

---------------
cacti (0.8.6j-1.1ubuntu0.3) gutsy-security; urgency=low

  * Cacti frontend fails with 'Invalid PHP_SELF Path' (LP: #194687)
   + debian/patches/11_php_self_nonstandard_dir.dpatch

 -- Emanuele Gentili <email address hidden> Mon, 31 Mar 2008 00:03:37 +0200

Changed in cacti:
status: Fix Committed → Fix Released
Changed in cacti:
assignee: nobody → jamie-strandboge
status: Triaged → Fix Committed
assignee: nobody → jamie-strandboge
status: Triaged → Fix Committed
assignee: nobody → jamie-strandboge
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cacti - 0.8.6i-3ubuntu0.3

---------------
cacti (0.8.6i-3ubuntu0.3) feisty-security; urgency=low

  * debian/patches/11_CVE-2008-0783_CVE-2008-0784_regression.dpatch: fix
    'Invalid PHP_SELF Path' regression (LP: #194687)

 -- Jamie Strandboge <email address hidden> Sat, 05 Apr 2008 08:21:27 -0400

Changed in cacti:
status: Fix Committed → Fix Released
Changed in cacti:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
nanoSheep (dpgkhero)
Changed in cacti:
assignee: emgent → dpgkhero
assignee: dpgkhero → nobody
Changed in cacti:
assignee: nobody → emgent
quequotion (quequotion) wrote :

Excuse my nooboisty, but what command line parameters should I use for compudaze's patch?

patch -??? config.php.patch

And in which directory? cacti? include?
