I am running a RedHat 5.2 box, rebuilt basically everything (and working on
what I haven't), and I _didn't_ install Apache off the CD during installation,
and opted to download 1.3.6 from www.apache.org in source code. I compiled
the source, and I was in the process of getting it all set up in a directory
structure familiar to me, and I noticed a "cachemgr.cgi" in my
/home/httpd/cgi-bin directory. I didn't know what it was, so as soon as I saw
it, I automatically did a "chmod 000 cachemgr.cgi". I enabled it once after
that to test it to see what it was, but I didn't really have the time nor the
patience to really do much, but I know that there is no way to really restrict
access to it from what I have seen, and it is also a binary, so I do not trust
it. As a CGI programmer, I know the inherent risks of CGI programs w/ power
like that. So, basically, what this email is about is that I don't think that
it's just an RH 6.0 specific issue, I think it involves all builds of Apache
1.3.6 (and others?). Also, it could have POSSIBLY been Squid, which I installed
as a proxy cache. Just some thoughts....
-Kerb
On Friday, July 23, 1999 6:37 PM, [EMAIL PROTECTED]
[SMTP:[EMAIL PROTECTED]] wrote:
: Hi... After installing Redhat 6.0, I looked around a bit and I
: noticed something interesting:
: In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
: and it can be accessed by remote users by default.
: So I went to look at it, and I noticed that what it does is it
: lets any user connect to any hostname/port he/she chooses via the
: interface it provides.. and then see the connection results -
: if the connection was not successful it prints out the full connect() error;
: otherwise it just stays frozen, waiting for HTTP data, or httpd might
: give you an "Internal Server Error" - Both of those mean that a connection
: has been established.
: This is what it looks like from lynx:
:
: Cache Manager Interface
:
: This is a WWW interface to the instrumentation interface for the Squid
: object cache.
: _________________________________________________________________
:
: Cache Host: localhost_____________________
: Cache Port: 3128__________________________
: Manager name: ______________________________
: Password: ______________________________
:
: Continue...
:
: This is, obviously, not good, because this CGI program can be used as a
: powerful portscanning or a denial of service tool. I suggest that Redhat
: 6.0 users check to see if they have it, and then disable it if they do.
:
: - Daniel ([EMAIL PROTECTED])
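
The check and fix both messages describe (look for cachemgr.cgi in the CGI directory, then disable it with chmod 000) can be scripted. This is an added example, not part of either message; the function names are hypothetical and the directories to scan are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit CGI directories for a runnable cachemgr.cgi.
# Assumption: the caller supplies the directories to scan, for instance the
# /home/httpd/cgi-bin path named in the thread. Function names are made up.

# Print the path of every cachemgr.cgi that still has an execute bit set
# (owner, group or other), i.e. one the web server could still run as a CGI.
list_exposed() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip directories that do not exist
        find "$dir" -type f -name cachemgr.cgi \
            \( -perm -100 -o -perm -010 -o -perm -001 \) -print
    done
}

# Apply the fix used in the thread (chmod 000) to every exposed copy.
disable_exposed() {
    list_exposed "$@" | while IFS= read -r f; do
        chmod 000 "$f" && echo "disabled: $f"
    done
}

# Usage: sh audit.sh DIR...            report only
#        sh audit.sh --disable DIR...  report and chmod 000
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--disable" ]; then
        shift
        disable_exposed "$@"
    else
        list_exposed "$@"
    fi
fi
```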