Decurity concern: cachemgr & GET method ?

From: Juergen Kuersch <[email protected]>
Date: Mon, 11 Jan 1999 09:15:01 +0100

-----BEGIN PGP SIGNED MESSAGE-----

Hi out there,

I hope this was not on this list before, however, I could not find a hint
in the archives.

Cachemgr obviously uses http's GET method to send the manager's name and
the password to the cache. This implies that

1.) the password is (encrypted) part of the URL sent to squid, and as such
    is stored in the browser's history file. A typical request sent to squid
    looks like

    http://fox/cgi-bin/cachemgr.cgi?host=bridge&port=3128&user_name=foo&
    operation=info&auth=YpJpZGdlgDkxNjA0MDLzN3xrjWV8cGk0dGVt

2.) the password is part of the URL sent to the server running the cachemgr.cgi
    program (a typical request for the Cache Manager menu looks like
    http://fox/cgi/cachemgr.cgi?host=bridge&port=3128&user_name=foo&passwd=bar),
    meaning it becomes part of the browser's history *and* part of the
    web server's access.log WITHOUT ANY ENCRYPTION.

Especially if you invoke the cache manager CGI on web browsers under insecure
operating systems, i.e. OSs without user-based access control, at least any
user with access to the client might look at your history and, consequently,
could access the cache manager information, as well as shutdown the proxy.

Wouldn't it improve security if the cache manager functionality was completely
based on http's POST method (not to mention SSL, of course), in order to keep
it from being added to history and access.log files ?

Are there possibly any patches addressing this somewhere ?

GRTX
        Juergen Kuersch

- --
- ----------------------------------------------------------------------
  Juergen Kuersch, mailto:kue@eecs.rwth-aachen.de
  Electrical Engineering and Computer Systems, RWTH Aachen, Germany
     PGP public key (0x830E1B55) available at public key servers

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBNpmiaJwNkh2DDhtVAQFigAP8CK5TXtPFinLJje8ZVlVawEJEkxSnWN8T
Vj+rngWyriiIxVXbAp3xxEfJf/eALcnmaCugdoRxuDpyNcPTUmzoVujtFCbi32Uf
KSulKRwsQBD55rMP0taO8p4v6yBYmcTdAiwlZicD0BFUJG/JbG7sz15cZtcYa/YK
4+tATrJE/2g=
=Zgc4
-----END PGP SIGNATURE-----
Received on Mon Jan 11 1999 - 01:12:59 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:57 MST