Bugtraq mailing list archives
Redhat 6.0 cachemgr.cgi lameness
From: daniel () NEWS GUS NET (daniel () NEWS GUS NET)
Date: Fri, 23 Jul 1999 16:36:32 -0700
Hi... After installing Redhat 6.0, I looked around a bit and I noticed something interesting: In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi, and it can be accessed by remote users by default. So I went to look at it, and I noticed that what it does is it lets any user connect to any hostname/port he/she chooses via the interface it provides.. and then see the connection results - if the connection was not successful it prints out the full connect() error; otherwise it just stays frozen, waiting for HTTP data, or httpd might give you an "Internal Server Error" - Both of those mean that a connection has been established. This is what it looks like from lynx: Cache Manager Interface This is a WWW interface to the instrumentation interface for the Squid object cache. _________________________________________________________________ Cache Host: localhost_____________________ Cache Port: 3128__________________________ Manager name: ______________________________ Password: ______________________________ Continue... This is, obviously, not good, because this CGI program can be used as a powerful portscanning or a denial of service tool. I suggest that Redhat 6.0 users check to see if they have it, and then disable it if they do. - Daniel (daniel () news gus net)
Current thread:
- L0pht Heavy Industries - AntiSniff, (continued)
- L0pht Heavy Industries - AntiSniff Alex Yu (Jul 23)
- Trojan Horse Guard - Cassandra GOLD Release. Jonathan James (Jul 23)
- Troff dangerous. Pawel Wilk (Jul 23)
- New way to pay in advance for ToorCon '99 in San Diego, California Ben (Jul 24)
- Re: Troff dangerous. CyberPsychotic (Jul 25)
- Re: Troff dangerous. Pavel Kankovsky (Jul 25)
- Re: Troff dangerous. Warner Losh (Jul 27)
- Re: Troff dangerous. Julian Squires (Aug 02)
- Re: Troff dangerous. Olaf Kirch (Jul 26)
- IBM-ERS Security Vulnerability Alert: IBM AIX: Non-root users can cause the system to crash ibm-ers () ERS IBM COM (Jul 26)
- Redhat 6.0 cachemgr.cgi lameness daniel () NEWS GUS NET (Jul 23)
- Re: Redhat 6.0 cachemgr.cgi lameness Henrik Nordstrom (Jul 25)