Package: cacti
Version: 0.8.7g-1+squeeze1
Severity: normal

Please consider checking not only REMOTE_USER, PHP_AUTH_USER and
REDIRECT_REMOTE_USER, but also the HTTP_* variants.
Behind a Debian GNU/Linux reverse proxy running apache2 from squeeze (see the
configuration just below), the authentication information is stored
in HTTP_REMOTE_USER, not in REMOTE_USER.

<Location /cacti>
 ... Some auth directives
 RewriteEngine    on
 RewriteCond  %{LA-U:REMOTE_USER}    (.+)
 RewriteRule . - [E=RU:%1]
 RequestHeader set REMOTE_USER %{RU}e
 
 ProxyPass http://#HOST#/cacti
 ProxyPassReverse http://#HOST#/cacti
</Location> 

Here is a patch, if you decide to insert these checks.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-xen-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cacti depends on:
ii  apache2                2.2.16-6+squeeze6 Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h 2.2.16-6+squeeze6 Apache HTTP Server - traditional n
ii  dbconfig-common        1.8.46+squeeze.0  common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libapache2-mod-php5    5.3.3-7+squeeze8  server-side, HTML-embedded scripti
ii  libphp-adodb           5.10-1            The ADOdb database abstraction lay
ii  mysql-client-5.1 [virt 5.1.49-3          MySQL database client binaries
ii  php5                   5.3.3-7+squeeze8  server-side, HTML-embedded scripti
ii  php5-cli               5.3.3-7+squeeze8  command-line interpreter for the p
ii  php5-mysql             5.3.3-7+squeeze8  MySQL module for php5
ii  php5-snmp              5.3.3-7+squeeze8  SNMP module for php5
ii  rrdtool                1.4.3-1           time-series data storage and displ
ii  snmp                   5.4.3~dfsg-2      SNMP (Simple Network Management Pr
ii  ucf                    3.0025+nmu1       Update Configuration File: preserv

Versions of packages cacti recommends:
ii  iputils-ping                3:20100418-3 Tools to test the reachability of 
ii  logrotate                   3.7.8-6      Log rotation utility
ii  mysql-server                5.1.49-3     MySQL database server (metapackage
ii  mysql-server-5.1 [mysql-ser 5.1.49-3     MySQL database server binaries and

Versions of packages cacti suggests:
pn  php5-ldap                     <none>     (no description available)

-- debconf information excluded
--- auth_login.php	2012-02-22 12:37:45.000000000 +0100
+++ auth_login.ORIG.php	2012-01-08 19:44:12.000000000 +0100
@@ -39,12 +39,6 @@
 		$username = str_replace("\\", "\\\\", $_SERVER["REMOTE_USER"]);
 	}elseif (isset($_SERVER["REDIRECT_REMOTE_USER"])) {
 		$username = str_replace("\\", "\\\\", $_SERVER["REDIRECT_REMOTE_USER"]);
-	}elseif (isset($_SERVER["HTTP_PHP_AUTH_USER"])) {
-		$username = str_replace("\\", "\\\\", $_SERVER["HTTP_PHP_AUTH_USER"]);
-	}elseif (isset($_SERVER["HTTP_REMOTE_USER"])) {
-		$username = str_replace("\\", "\\\\", $_SERVER["HTTP_REMOTE_USER"]);
-	}elseif (isset($_SERVER["HTTP_REDIRECT_REMOTE_USER"])) {
-		$username = str_replace("\\", "\\\\", $_SERVER["HTTP_REDIRECT_REMOTE_USER"]);
 	}else{
 		/* No user - Bad juju! */
 		$username = "";
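Review bot: the diff is reversed, so it cannot be applied as-is: the `---` side is the modified auth_login.php and the `+++` side is auth_login.ORIG.php, which is why the three new elseif branches show up as `-` lines and the hunk header reads `@@ -39,12 +39,6 @@`. Either apply it with `patch -R` or regenerate it as `diff -u auth_login.ORIG.php auth_login.php`. The more important point is trust: HTTP_REMOTE_USER, HTTP_PHP_AUTH_USER and HTTP_REDIRECT_REMOTE_USER are copied by PHP from request headers, so they are only as reliable as the path the request took. Behind the proxy shown above, `RequestHeader set REMOTE_USER %{RU}e` overwrites whatever the client sent, but any request that reaches the cacti host without passing through that proxy can carry its own `REMOTE_USER` header and would be accepted as that user. Suggest guarding the new branches with a check that REMOTE_ADDR is the proxy (or firewalling the backend so only the proxy can reach it) and saying so in a comment next to the new elseif lines.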

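As an added illustration (not part of the report and not cacti's own code), one way to accept the header-derived variants only when the request came from the proxy configured above; the proxy address in $trustedProxies is an assumption and must be replaced with the real one:

```php
<?php
// Added example, not cacti code. Server-set variables (REMOTE_USER etc.) come
// from mod_auth_* on this host and are always trusted. HTTP_* entries are
// copied from request headers, so they are honoured only when the request
// arrived from a known reverse proxy (the one doing "RequestHeader set REMOTE_USER").
function proxied_username(array $server, array $trustedProxies) {
    $serverSet = array("REMOTE_USER", "PHP_AUTH_USER", "REDIRECT_REMOTE_USER");
    foreach ($serverSet as $key) {
        if (isset($server[$key]) && $server[$key] !== "") {
            // Same backslash escaping as cacti's auth_login.php
            return str_replace("\\", "\\\\", $server[$key]);
        }
    }

    // Header-derived variants: trust them only from the proxy's address.
    $fromProxy = isset($server["REMOTE_ADDR"])
        && in_array($server["REMOTE_ADDR"], $trustedProxies, true);
    if ($fromProxy) {
        $headerSet = array("HTTP_REMOTE_USER", "HTTP_PHP_AUTH_USER",
                           "HTTP_REDIRECT_REMOTE_USER");
        foreach ($headerSet as $key) {
            if (isset($server[$key]) && $server[$key] !== "") {
                return str_replace("\\", "\\\\", $server[$key]);
            }
        }
    }

    /* No user - Bad juju! */
    return "";
}

// Constructed sample requests for a quick self-check (addresses are made up).
$trustedProxies = array("10.0.0.2");
$viaProxy = array("REMOTE_ADDR" => "10.0.0.2",
                  "HTTP_REMOTE_USER" => "alice");
$direct   = array("REMOTE_ADDR" => "198.51.100.7",
                  "HTTP_REMOTE_USER" => "admin");
var_dump(proxied_username($viaProxy, $trustedProxies)); // accepted: from proxy
var_dump(proxied_username($direct, $trustedProxies));   // ignored: not from proxy
```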