From the SQUID FAQ (found at: "http://squid.nlanr.net/Squid/FAQ/"):
<< The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics
about the squid process as it runs. The cache manager is a convenient way to
manage the cache and view statistics without logging into the server. >>
Looking around all this "cachemgr.cgi" stuff on a RH5.2 system ( with Squid
2.2 STABLE installed ), I found another "squid-related" hole. The hole is in
the "cachemgr_passwd" directive in Squid's configuration file ( "squid.conf" ).
This directive is used to specify the cache manager's password. The
problem is that the password is specified in PLAIN TEXT and "squid.conf" is by
default with mode 644 ( if I'm not wrong ).
I did not find any information about using an encrypted manager password in
"squid.conf".
Cheers
Boutzev
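
The exposure described in the post can be checked on a host with a short audit. This is an added example, not part of the original post and not Squid's own code. It flags "cachemgr_passwd" lines that carry a real password and reports whether the file mode lets other local users read them. The function names and the sample configuration are constructed for illustration; "disable" and "none" are skipped because Squid treats them as keywords, not secrets.

```python
import os
import stat
import tempfile

# Keywords with special meaning in place of a password: not secrets.
NON_SECRET = {"disable", "none"}

def find_cachemgr_passwords(conf_text):
    """Return (line_no, actions) for each cachemgr_passwd line holding a real password."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()          # commented-out lines start with '#', so fields[0] differs
        if len(fields) >= 2 and fields[0] == "cachemgr_passwd" and fields[1] not in NON_SECRET:
            hits.append((no, fields[2:]))   # report the actions, never echo the password
    return hits

def audit(path):
    """Report plaintext cache manager passwords and whether 'other' can read the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = find_cachemgr_passwords(fh.read())
    world_readable = bool(mode & stat.S_IROTH)
    return {"mode": oct(mode), "plaintext_passwords": hits,
            "exposed": bool(hits) and world_readable}

# Constructed sample configuration (not taken from a real system).
SAMPLE_CONF = """\
http_port 3128
# cachemgr_passwd oldsecret all
cachemgr_passwd disable shutdown
cachemgr_passwd s3cret info stats/objects
"""

def demo():
    """Audit the sample at mode 0644 (as reported in the post), then at 0640."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "squid.conf")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o640)   # assumes Squid still reads the file as owner or group
        after = audit(path)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("0644", "0640"), demo()):
        print(label, result)
```

On a real host, call audit() with the path to the installed "squid.conf"; the password stays in plain text either way, so the file mode is the only thing limiting who can read it.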