Re: Decurity concern: cachemgr & GET method ?

From: Henrik Nordstrom <[email protected]>
Date: Mon, 11 Jan 1999 23:53:26 +0100

Alex Rousskov wrote:

> Right. Unfortunately, there is probably no clean way for the cache
> manager CGI to forward HTTP authentication to Squid without doing
> the authentication on the http server. Thus, we are stuck with GET-
> or POST-based authentication. :(

POST based authentication is not that bad (not much worse than basic
authentication anyway), it is only a bit inconvenient. A more convenient
method could be to use session cookies but that to has some security
implications as the cookie may be stored in the browsers cookies file or
disk cache.

If you don't trust your network connection from the browser to the http
server where cachemgr.cgi runs then you can easily secure this by using
https. This is aside from the security bugs present in most versions of
Netscape that may leave private POST information in /tmp.. Fortunately
this browser bug is only when you do a file upload, so it is not a
problem for cachemgr.cgi calls.

If you don't trust your network connection from cachemgr.cgi to Squid,
then you can easily move cachemgr.cgi to the same box as Squid by
installing a small HTTP server for cachemgr.cgi.

If you don't trust the security of your Squid box then you are in deep
shit anyhow, and trying to secure cachemgr.cgi won't help you much
(doubtful if it will help any at all).

A note to the original question regarding browser history. You should
never enter sensitive information (such as login information) on a
computer that you do not trust. Browser history is only one of many ways
to find sensitive information from the previous (or current) user.

> I was talking about the _Squid_ side.

I understood that, but as I understood it the questiong was about
cachemgr.cgi and HTTP server logging, not Squid.

At the Squid side GET is not a security problem. No sensitive
information is in the cache_object URL, and Squid by default does not
log query parameters (but as I said, no security sensitive information
is there in the first place).

> Or just
> client mgr:

Didn't know about that. A nice one ;-)

---
Henrik Nordstrom
Spare time Squid Hacker
Received on Mon Jan 11 1999 - 16:08:29 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:58 MST