Bugtraq mailing list archives
Re: Redhat 6.0 cachemgr.cgi lameness
From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Sun, 25 Jul 1999 12:08:57 +0200
cachemgr.cgi is the manager interface to the Squid web proxy/cache server. As with all manager interface tools, access to it SHOULD be restricted by default, not open for public access.

If you are not using the box as a Squid www proxy/cache server then uninstall the package by executing "/etc/rc.d/init.d/squid stop ; rpm -e squid".

If you are indeed using the Squid proxy server software, then take the following actions to at least minimally secure access to the manager interface:

mkdir /home/httpd/protected-cgi-bin
mv /home/httpd/cgi-bin/cachemgr.cgi /home/httpd/protected-cgi-bin/

and add the following directives to /etc/httpd/conf/access.conf and srm.conf

--- start access.conf segment ---
# Protected cgi-bin directory for programs that
# should not have public access
<Directory /home/httpd/protected-cgi-bin>
order deny,allow
deny from all
allow from localhost
#allow from .your_domain.com
AllowOverride None
Options ExecCGI
</Directory>
--- end access.conf segment ---

--- start srm.conf segment ---
ScriptAlias /protected-cgi-bin/ /home/httpd/protected-cgi-bin/
--- end srm.conf segment ---

Then execute "/etc/rc.d/init.d/httpd restart" to reconfigure your Apache HTTP server to allow localhost access to http://localhost/protected-cgi-bin/cachemgr.cgi. Change the allow rules accordingly if you have other stations that need access to the protected-cgi-bin directory.

You are also recommended to move any other cgi-bin programs not intended for public access from /home/httpd/cgi-bin to /home/httpd/protected-cgi-bin, if you have any.

Disclaimer: Squid does not install cachemgr.cgi in a HTTP accessible directory by default. It is the administrator's responsibility (or in this case the RedHat package maintainer) to set up proper HTTP access to it.

--
Henrik Nordstrom
Squid developer & RedHat user

daniel () NEWS GUS NET wrote:
Hi... After installing Redhat 6.0, I looked around a bit and I noticed something interesting: In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi, and it can be accessed by remote users by default.
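Added here as an example, not part of Henrik's post or of the Squid or Red Hat packages: a POSIX shell check that audits a copy of access.conf for the restriction he describes. It assumes the Apache 1.3 access.conf syntax shown above (order/deny/allow inside a <Directory> block) and that awk and grep are available; the sample config it runs on is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache 1.3-style
# access.conf to confirm that a <Directory> block is locked down the way
# the protected-cgi-bin segment above is: "order deny,allow",
# "deny from all", and "allow from" entries naming only the local host.
# Prints the first problem found; returns 0 if locked down, 1 otherwise.
check_protected_dir() {
    conf="$1"   # path to access.conf (any copy of it will do)
    dir="$2"    # directory the <Directory> block should protect

    # Keep only the lines inside <Directory $dir> ... </Directory>, drop
    # comment lines (e.g. "#allow from .your_domain.com"), and normalise
    # whitespace and case so the checks below can be exact.
    block=$(awk -v d="$dir" '
        $0 ~ "^[[:space:]]*<Directory[[:space:]]+" d "[[:space:]]*>" { inblk = 1; next }
        /^[[:space:]]*<\/Directory>/ { inblk = 0 }
        inblk && $0 !~ /^[[:space:]]*#/ { $1 = $1; print tolower($0) }
    ' "$conf")
    [ -n "$block" ] || { echo "no <Directory $dir> block in $conf"; return 1; }

    # Deny rules are evaluated first, then allow rules; default is deny.
    printf '%s\n' "$block" | grep -q '^order deny, *allow$' \
        || { echo "$dir: missing 'order deny,allow'"; return 1; }
    printf '%s\n' "$block" | grep -q '^deny from all$' \
        || { echo "$dir: missing 'deny from all'"; return 1; }

    # Every "allow from" host must be the local machine; "all" or a domain
    # here would reopen the directory to remote clients.
    bad=$(printf '%s\n' "$block" | awk '$1 == "allow" && $2 == "from" {
        for (i = 3; i <= NF; i++)
            if ($i != "localhost" && $i != "127.0.0.1") printf "%s ", $i }')
    [ -z "$bad" ] || { echo "$dir: allow rule admits ${bad}"; return 1; }
    echo "$dir: restricted to localhost"
}

# Demonstration on a constructed copy of the segment from the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory /home/httpd/protected-cgi-bin>
order deny,allow
deny from all
allow from localhost
#allow from .your_domain.com
AllowOverride None
Options ExecCGI
</Directory>
EOF
check_protected_dir "$sample" /home/httpd/protected-cgi-bin
rm -f "$sample"
```

Run it against the real /etc/httpd/conf/access.conf after the edit above to confirm the block took effect; a non-zero exit names the missing or over-permissive directive.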