(Fwd) Redhat 6.0 cachemgr.cgi lameness

From: Steven Sporen <[email protected]>
Date: Sun, 25 Jul 1999 08:50:15 +0200

This came up on bugtraq, for those who are interested.

------- Forwarded Message Follows -------
Date sent: Fri, 23 Jul 1999 16:36:32 -0700
Send reply to: daniel@NEWS.GUS.NET
From: daniel@NEWS.GUS.NET
Subject: Redhat 6.0 cachemgr.cgi lameness
Originally to: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Hi... After installing Redhat 6.0, I looked around a bit and I
noticed something interesting:
In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
and it can be accessed by remote users by default.
So I went to look at it, and I noticed that what it does is it
lets any user connect to any hostname/port he/she chooses via the
interface it provides.. and then see the connection results -
if the connection was not successful it prints out the full connect() error;
otherwise it just stays frozen, waiting for HTTP data, or httpd might
give you an "Internal Server Error" - Both of those mean that a connection
has been established.
This is what it looks like from lynx:

                            Cache Manager Interface

   This is a WWW interface to the instrumentation interface for the Squid
   object cache.
     _________________________________________________________________

   Cache Host: localhost_____________________
   Cache Port: 3128__________________________
   Manager name: ______________________________
   Password: ______________________________

   Continue...

This is, obviously, not good, because this CGI program can be used as a
powerful portscanning or a denial of service tool. I suggest that Redhat
6.0 users check to see if they have it, and then disable it if they do.

- Daniel (daniel@news.gus.net)

Cheers
  Steven
PGP Sig on request | www.elab.co.za
Received on Sun Jul 25 1999 - 00:29:58 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:47:32 MST