[11194] in bugtraq
Re: Redhat 6.0 cachemgr.cgi lameness
daemon@ATHENA.MIT.EDU (Peter Boutzev)
Fri Jul 30 16:04:49 1999
Content-Type: text/plain
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <99073014204401.15045@wader.airfair.net>
Date: Fri, 30 Jul 1999 14:18:50 +0200
Reply-To: Peter Boutzev <boutzev@AIRFAIR.NET>
From: Peter Boutzev <boutzev@AIRFAIR.NET>
X-To: BUGTRAQ@SECURITYFOCUS.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
From the SQUID FAQ ( found at : "http//squid.nlanr.net/Squid/FAQ/" ) :
<< The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics
about the squid process as it runs. The cache manager is a convenient way to
manage the cache and view statistics without logging into the server. >>
Looking around all this "cachemgr.cgi" stuff on a RH5.2 system ( with Squid
2.2 STABLE installed ), I found another "squid-related" hole. The hole is in
the "cachemgr_passwd" directive in Squid's configuration file ( "squid.conf" ).
This directive is used to specify the cache manager's password. The
problem is that the password is specified in PLAIN TEXT and "squid.conf" is by
default with mode 644 ( if I'm not wrong ).
I did not find any information about using an encrypted manager password in
"squid.conf".
Cheers
Boutzev
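An added example, not part of the original post, showing how an administrator could audit for exactly the condition described above: a `cachemgr_passwd` directive carrying a real password in a `squid.conf` that other users can read. The function name, the sample configuration written in the usage comment, and the treatment of the values `none` and `disable` as "no secret" are assumptions of this example; the check only reads the file's mode bits and the directive, it does not talk to Squid.

```shell
#!/bin/sh
# Added example (not from the original post or from the Squid project):
# flag a squid.conf that stores a cache-manager password in plain text
# while being readable by "other".
# Return codes of check_cachemgr_passwd: 0 = no finding, 1 = finding, 2 = usage error.

check_cachemgr_passwd() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Collect password values from uncommented cachemgr_passwd lines.
    # The literal values "none" and "disable" carry no secret (assumption:
    # they only enable/disable actions), so they are skipped.
    secrets=$(grep -E '^[[:space:]]*cachemgr_passwd[[:space:]]+' "$conf" \
        | awk '$2 != "none" && $2 != "disable" { print $2 }')
    [ -n "$secrets" ] || return 0

    # World-readable? Take the "other" read bit from the ls mode string
    # (column 8), which works the same on GNU and BSD userlands.
    other_r=$(ls -ld "$conf" | cut -c8)
    if [ "$other_r" = "r" ]; then
        echo "$conf: plaintext cachemgr_passwd present and file is world-readable (mode should be 600)" >&2
        return 1
    fi
    return 0
}

# Usage when run directly, e.g.:  sh check_cachemgr.sh /etc/squid/squid.conf
if [ "${1:-}" != "" ]; then
    check_cachemgr_passwd "$1"
fi
```

The fix the check points at is the one implied by the post: either tighten the file to mode 600 (owner root or the squid user) or avoid setting a manager password at all until the configuration is stored somewhere not readable by every local account.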