[11142] in bugtraq
Re: Redhat 6.0 cachemgr.cgi lameness
daemon@ATHENA.MIT.EDU (Kerb)
Tue Jul 27 04:11:44 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id:  <01BED706.2BA71B60.kerb@fnusa.com>
Date:         Mon, 26 Jul 1999 01:28:30 -0500
Reply-To: Kerb <kerb@FNUSA.COM>
From: Kerb <kerb@FNUSA.COM>
X-To:         "BUGTRAQ@securityfocus.com" <BUGTRAQ@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
I am running a RedHat 5.2 box, rebuilt basically everything (and working on
what I haven't), and I _didn't_ install Apache off the CD during installation,
and opted to download 1.3.6 from www.apache.org in source code. I compiled
the source, and I was in the process of getting it all set up in a directory
structure familiar to me, and I noticed a "cachemgr.cgi" in my
/home/httpd/cgi-bin directory. I didn't know what it was, so as soon as I saw
it, I automatically did a "chmod 000 cachemgr.cgi". I enabled it once after
that to test it to see what it was, but I didn't really have the time nor the
patience to really do much, but I know that there is no way to really restrict
access to it from what I have seen, and it is also a binary, so I do not trust
it. As a CGI programmer, I know the inherent risks of CGI programs w/ power
like that. So, basically, what this email is about is that I don't think that
it's just an RH 6.0 specific issue, I think it involves all builds of Apache
1.3.6 (and others?). Also, it could have POSSIBLY been Squid, which I installed
as a proxy cache. Just some thoughts....
-Kerb
On Friday, July 23, 1999 6:37 PM, daniel@NEWS.GUS.NET
[SMTP:daniel@NEWS.GUS.NET] wrote:
: Hi... After installing Redhat 6.0, I looked around a bit and I
: noticed something interesting:
: In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
: and it can be accessed by remote users by default.
: So I went to look at it, and I noticed that what it does is it
: lets any user connect to any hostname/port he/she chooses via the
: interface it provides... and then see the connection results -
: if the connection was not successful it prints out the full connect() error;
: otherwise it just stays frozen, waiting for HTTP data, or httpd might
: give you an "Internal Server Error" - both of those mean that a connection
: has been established.
: This is what it looks like from lynx:
:
:                             Cache Manager Interface
:
:    This is a WWW interface to the instrumentation interface for the Squid
:    object cache.
:      _________________________________________________________________
:
:    Cache Host: localhost_____________________
:    Cache Port: 3128__________________________
:    Manager name: ______________________________
:    Password: ______________________________
:
:    Continue...
:
: This is, obviously, not good, because this CGI program can be used as a
: powerful portscanning or a denial of service tool. I suggest that Redhat
: 6.0 users check to see if they have it, and then disable it if they do.
:
: - Daniel (daniel@news.gus.net)
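The check both posters describe (look in the CGI directory for cachemgr.cgi and make sure httpd cannot run it) as a small POSIX shell audit. This is an added example and is not code from either post, from Red Hat or from the Squid project; it assumes the Red Hat layout named in the thread (/home/httpd/cgi-bin) as the default and takes another directory as its first argument.

```shell
#!/bin/sh
# Added example (not from the original posts): audit a CGI directory for a
# Squid cachemgr.cgi that httpd could still execute, and disable it the way
# the thread suggests (chmod 000). Default directory is the Red Hat
# /home/httpd/cgi-bin path mentioned in the thread; pass another as $1.

# cachemgr_exposed DIR
#   returns 0 when cachemgr.cgi is absent from DIR or has no execute bit at
#   all, 1 when it exists with any execute bit set (httpd can serve it).
#   Uses the ls(1) mode string rather than `test -x`, because `test -x`
#   answers for the current user (always true for root) rather than
#   reporting the file's own permission bits.
cachemgr_exposed() {
    dir="${1:-/home/httpd/cgi-bin}"
    f="$dir/cachemgr.cgi"
    [ -e "$f" ] || return 0               # nothing installed, nothing to serve
    mode=$(ls -ld "$f" | cut -c2-10)      # e.g. "rwxr-xr-x"
    case "$mode" in
        *x*) return 1 ;;                  # some execute bit set: exposed
    esac
    return 0
}

# cachemgr_disable DIR
#   strips every permission bit from cachemgr.cgi (the "chmod 000" from the
#   thread) so the CGI cannot be executed or read through the web server.
#   Returns 0 if the file is absent or was successfully disabled.
cachemgr_disable() {
    dir="${1:-/home/httpd/cgi-bin}"
    f="$dir/cachemgr.cgi"
    [ -e "$f" ] || return 0
    chmod 000 "$f"
}

# Stand-alone run: report on the default (or given) directory.
target="${1:-/home/httpd/cgi-bin}"
if cachemgr_exposed "$target"; then
    echo "OK: no executable cachemgr.cgi in $target"
else
    echo "WARNING: executable cachemgr.cgi found in $target" \
         "(run: cachemgr_disable \"$target\" or remove it)"
fi
```

Removing the execute bits is the blunt fix from the thread; if the cache manager is actually wanted for local Squid administration, Apache 1.3 can instead confine it with a `<Files cachemgr.cgi>` stanza containing `order deny,allow`, `deny from all` and `allow from 127.0.0.1`, so that only the loopback address can reach the form at all.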