Package: cacti
Version: 0.8.7g-1+squeeze1
Severity: normal
Please consider checking not only REMOTE_USER, PHP_AUTH_USER and
REDIRECT_REMOTE_USER, but also the HTTP_* variants.
Behind a Debian GNU/Linux reverse proxy running apache2 from squeeze (see the
configuration just below), the authentication information is stored
in HTTP_REMOTE_USER, not in REMOTE_USER.
<Location /cacti>
    ... Some auth directives
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
    ProxyPass http://#HOST#/cacti
    ProxyPassReverse http://#HOST#/cacti
</Location>
Here is a patch, if you decide to insert these checks.
-- System Information:
Debian Release: 6.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-xen-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cacti depends on:
ii  apache2                       2.2.16-6+squeeze6  Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h        2.2.16-6+squeeze6  Apache HTTP Server - traditional n
ii  dbconfig-common               1.8.46+squeeze.0   common framework for packaging dat
ii  debconf [debconf-2.0]         1.5.36.1           Debian configuration management sy
ii  libapache2-mod-php5           5.3.3-7+squeeze8   server-side, HTML-embedded scripti
ii  libphp-adodb                  5.10-1             The ADOdb database abstraction lay
ii  mysql-client-5.1 [virt        5.1.49-3           MySQL database client binaries
ii  php5                          5.3.3-7+squeeze8   server-side, HTML-embedded scripti
ii  php5-cli                      5.3.3-7+squeeze8   command-line interpreter for the p
ii  php5-mysql                    5.3.3-7+squeeze8   MySQL module for php5
ii  php5-snmp                     5.3.3-7+squeeze8   SNMP module for php5
ii  rrdtool                       1.4.3-1            time-series data storage and displ
ii  snmp                          5.4.3~dfsg-2       SNMP (Simple Network Management Pr
ii  ucf                           3.0025+nmu1        Update Configuration File: preserv
Versions of packages cacti recommends:
ii  iputils-ping                  3:20100418-3       Tools to test the reachability of
ii  logrotate                     3.7.8-6            Log rotation utility
ii  mysql-server                  5.1.49-3           MySQL database server (metapackage
ii  mysql-server-5.1 [mysql-ser   5.1.49-3           MySQL database server binaries and
Versions of packages cacti suggests:
pn  php5-ldap                     <none>             (no description available)
-- debconf information excluded
--- auth_login.php 2012-02-22 12:37:45.0 +0100
+++ auth_login.ORIG.php 2012-01-08 19:44:12.0 +0100
@@ -39,12 +39,6 @@
$username = str_replace(\\, , $_SERVER[REMOTE_USER]);
}elseif (isset($_SERVER[REDIRECT_REMOTE_USER])) {
$username = str_replace(\\, , $_SERVER[REDIRECT_REMOTE_USER]);
- }elseif (isset($_SERVER[HTTP_PHP_AUTH_USER])) {
- $username = str_replace(\\, , $_SERVER[HTTP_PHP_AUTH_USER]);
- }elseif (isset($_SERVER[HTTP_REMOTE_USER])) {
- $username = str_replace(\\, , $_SERVER[HTTP_REMOTE_USER]);
- }elseif (isset($_SERVER[HTTP_REDIRECT_REMOTE_USER])) {
- $username = str_replace(\\, , $_SERVER[HTTP_REDIRECT_REMOTE_USER]);
}else{
/* No user - Bad juju! */
$username = ;
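Review bot: the new HTTP_PHP_AUTH_USER, HTTP_REMOTE_USER and HTTP_REDIRECT_REMOTE_USER branches trust request headers, and every $_SERVER['HTTP_*'] entry is built from whatever header the client sends, so any client that can reach the backend directly can log in as an arbitrary user by sending `Remote-User: admin`; the branches are only safe when the backend accepts connections solely from the proxy and the proxy unconditionally overwrites that header (the `RequestHeader set REMOTE_USER` directive in the report does overwrite a client-supplied value, but only for requests that actually pass through it). Suggest making the header-based lookup opt-in via configuration and documenting that deployment requirement, or additionally checking REMOTE_ADDR against the proxy address before honouring the header. The diff is also reversed: the modified file is given as `---` and auth_login.ORIG.php as `+++`, so the added branches appear as `-` lines; regenerate it with `diff -u auth_login.ORIG.php auth_login.php` (or apply it with `patch -R`). Finally, the quoting around `\\`, the empty replacement string and the array keys (`$_SERVER[REMOTE_USER]`) is missing from the hunk as shown and should be verified before the patch is applied.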
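One way to honour a proxy-supplied HTTP_REMOTE_USER without making it spoofable, as an added example written for this page (it is not Cacti's code and not part of the report). It assumes a hypothetical allow-list of proxy addresses and a hypothetical shared secret that the proxy adds with an extra `RequestHeader set X-Proxy-Secret "..."` directive inside the same Location block; the function name resolve_user and the helper names are likewise made up. It needs PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example (not Cacti code). Everything in $_SERVER that starts with
// HTTP_ is copied from request headers, so it is attacker-controlled unless
// a trusted proxy is the only party able to reach this backend.

/**
 * Return the authenticated user name, or null when there is none.
 *
 * @param array  $server          the $_SERVER array (passed in so it can be tested)
 * @param array  $trusted_proxies hypothetical list of proxy source addresses
 * @param string $shared_secret   hypothetical secret the proxy sends as X-Proxy-Secret
 */
function resolve_user(array $server, array $trusted_proxies, string $shared_secret): ?string
{
    // 1. Variables set by the web server itself (mod_auth_*, PHP_AUTH_USER)
    //    are not derived from request headers and can be used directly.
    foreach (['REMOTE_USER', 'PHP_AUTH_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return str_replace('\\', '', $server[$key]);
        }
    }

    // 2. HTTP_* variables only count when the request demonstrably came from
    //    the proxy: source address on the allow-list and a shared secret a
    //    direct client cannot know. hash_equals() keeps the comparison
    //    constant-time so the secret does not leak through timing.
    $from_proxy = isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trusted_proxies, true)
        && isset($server['HTTP_X_PROXY_SECRET'])
        && hash_equals($shared_secret, $server['HTTP_X_PROXY_SECRET']);

    if ($from_proxy) {
        foreach (['HTTP_REMOTE_USER', 'HTTP_PHP_AUTH_USER', 'HTTP_REDIRECT_REMOTE_USER'] as $key) {
            if (isset($server[$key]) && $server[$key] !== '') {
                // Same normalisation as Cacti: drop the DOMAIN\ prefix separator.
                return str_replace('\\', '', $server[$key]);
            }
        }
    }

    /* No user - Bad juju! */
    return null;
}

// Constructed requests for demonstration (addresses from the documentation ranges).
$proxies = ['192.0.2.10'];
$secret  = 'change-me-per-deployment';

// A request relayed by the proxy, carrying the header the proxy set.
$via_proxy = [
    'REMOTE_ADDR'         => '192.0.2.10',
    'HTTP_X_PROXY_SECRET' => $secret,
    'HTTP_REMOTE_USER'    => 'EXAMPLE\\alice',
];
var_dump(resolve_user($via_proxy, $proxies, $secret));

// A direct request forging the same header from an untrusted address.
$forged = [
    'REMOTE_ADDR'      => '203.0.113.7',
    'HTTP_REMOTE_USER' => 'admin',
];
var_dump(resolve_user($forged, $proxies, $secret));
```

The first call resolves to "EXAMPLEalice" because both the source address and the secret check out; the second returns null even though it carries a well-formed Remote-User header, which is exactly the case the plain HTTP_REMOTE_USER check in the patch would accept. The address allow-list alone is not enough where the proxy and backend share a host or an internal network that other services can reach, which is why the secret is checked as well.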