The following change, courtesy of the Ubuntu cacti-0.8.6i package, fixes the problem:

/usr/share/cacti/include/config.php, line 86:

change:

if (!((is_file($_SERVER["SCRIPT_FILENAME"])) && (substr_count($_SERVER["SCRIPT_FILENAME"], $_SERVER["PHP_SELF"])))) {

to:

if (!((is_file($_SERVER["SCRIPT_FILENAME"])) && (substr_count($_SERVER["SCRIPT_FILENAME"], basename($_SERVER["PHP_SELF"]))))) {

Just make sure that if you "fix" the problem (again), the fix is in the spirit of the actual Cacti security advisory. Currently, I am having a hard time seeing why exactly all these checks are done. Maybe someone could elaborate? I only read something about XSS and SQL injection. Why do these fixes prevent that? Apparently, they have all not been written for the scenario where Cacti is used via Aliases in Apache. So instead of just doing something that makes the error disappear (and potentially again creating security holes) please, someone who has the insight, take a look.
Thanks for listening.
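
The substring comparison from the two conditions above, evaluated for three request layouts, shows why the original check fails behind an Apache Alias and what the basename() variant accepts instead. This is an added example, not part of the original message or of Cacti; the paths are constructed sample values, the function names are hypothetical, and the is_file() half of the condition is left out so it runs without the files present.

```php
<?php
// Added example, not Cacti code. All paths below are constructed sample values.
// The is_file() test from the original condition is omitted so that this
// script runs on a machine without those files.

// Comparison as it stood before the change: the whole URL path (PHP_SELF)
// must occur inside the filesystem path (SCRIPT_FILENAME).
function check_original(string $scriptFilename, string $phpSelf): bool
{
    return substr_count($scriptFilename, $phpSelf) > 0;
}

// Comparison after the change: only the last component of PHP_SELF
// must occur inside the filesystem path.
function check_patched(string $scriptFilename, string $phpSelf): bool
{
    return substr_count($scriptFilename, basename($phpSelf)) > 0;
}

// label => [SCRIPT_FILENAME, PHP_SELF]
$cases = [
    // URL path mirrors the directory layout under the document root.
    'under DocumentRoot' => ['/var/www/cacti/index.php', '/cacti/index.php'],
    // URL prefix is mapped to an unrelated directory by an Alias.
    'via Apache Alias'   => ['/usr/share/cacti/site/index.php', '/cacti/index.php'],
    // PHP_SELF carries extra path components after the script name.
    'trailing path info' => ['/usr/share/cacti/site/index.php', '/cacti/index.php/extra'],
];

foreach ($cases as $label => [$scriptFilename, $phpSelf]) {
    printf(
        "%-20s original=%-7s patched=%s\n",
        $label,
        check_original($scriptFilename, $phpSelf) ? 'pass' : 'reject',
        check_patched($scriptFilename, $phpSelf) ? 'pass' : 'reject'
    );
}
```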


