I am running a RedHat 5.2 box, rebuilt basically everything (and working on what I haven't), and I _didn't_ install Apache off the CD during installation, and opted to download 1.3.6 from www.apache.org in source code. I compiled the source, and I was in the process of getting it all set up in a directory structure familiar to me, and I noticed a "cachemgr.cgi" in my /home/httpd/cgi-bin directory. I didn't know what it was, so as soon as I saw it, I automatically did a "chmod 000 cachemgr.cgi". I enabled it once after that to test it to see what it was, but I didn't really have the time nor the patience to really do much, but I know that there is no way to really restrict access to it from what I have seen, and it is also a binary, so I do not trust it. As a CGI programmer, I know the inherent risks of CGI programs w/ power like that.

So, basically, what this Email is about is that I don't think that it's just an RH 6.0 specific issue, I think it involves all builds of Apache 1.3.6 (and others?). Also, it could have POSSIBLY been Squid, which I installed as a proxy cache.

Just some thoughts....

-Kerb

On Friday, July 23, 1999 6:37 PM, danielat_private [SMTP:danielat_private] wrote:
: Hi... After installing Redhat 6.0, I looked around a bit and I
: noticed something interesting:
: In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
: and it can be accessed by remote users by default.
: So I went to look at it, and I noticed that what it does is it
: lets any user connect to any hostname/port he/she chooses via the
: interface it provides.. and then see the connection results -
: if the connection was not successful it prints out the full connect() error;
: otherwise it just stays frozen, waiting for HTTP data, or httpd might
: give you an "Internal Server Error" - Both of those mean that a connection
: has been established.
: This is what it looks like from lynx:
:
: Cache Manager Interface
:
: This is a WWW interface to the instrumentation interface for the Squid
: object cache.
: _________________________________________________________________
:
: Cache Host: localhost_____________________
: Cache Port: 3128__________________________
: Manager name: ______________________________
: Password: ______________________________
:
: Continue...
:
: This is, obviously, not good, because this CGI program can be used as a
: powerful portscanning or a denial of service tool. I suggest that Redhat
: 6.0 users check to see if they have it, and then disable it if they do.
:
: - Daniel (danielat_private)
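
The check suggested in the thread (see whether cachemgr.cgi is present in a cgi-bin directory, then disable it with chmod 000), written out as an added example that is not part of either message. The function names are hypothetical, and the directories to scan are whatever the caller passes in; /home/httpd/cgi-bin is the path named above.

```shell
#!/bin/sh
# Added example: audit cgi-bin directories for cachemgr.cgi and disable it.
# Function names are hypothetical; directories are supplied by the caller.

# cachemgr_status DIR -> prints "absent", "disabled" or "exposed"
cachemgr_status() {
    f="$1/cachemgr.cgi"
    [ -e "$f" ] || { echo absent; return 0; }
    # Any execute bit (user, group or other) may let the web server run it.
    if [ -n "$(find "$f" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) -print)" ]; then
        echo exposed
    else
        echo disabled
    fi
}

# cachemgr_disable DIR -> strips all permission bits, as done in the thread
cachemgr_disable() {
    f="$1/cachemgr.cgi"
    [ -e "$f" ] || return 0
    chmod 000 "$f"
}

# audit_cgi_dirs [--fix] DIR... -> prints one "status<TAB>dir" line per
# directory; returns 1 if any copy is still exposed when it finishes
audit_cgi_dirs() {
    fix=0; rc=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    for d in "$@"; do
        s=$(cachemgr_status "$d")
        if [ "$s" = exposed ] && [ "$fix" -eq 1 ]; then
            cachemgr_disable "$d"
            s=$(cachemgr_status "$d")
        fi
        if [ "$s" = exposed ]; then rc=1; fi
        printf '%s\t%s\n' "$s" "$d"
    done
    return $rc
}

# Usage: sh audit.sh [--fix] /home/httpd/cgi-bin [more dirs...]
if [ "$#" -gt 0 ]; then audit_cgi_dirs "$@"; fi
```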
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:38 PDT