Re: Redhat 6.0 cachemgr.cgi lameness

From: Kerb (kerbat_private)
Date: Sun Jul 25 1999 - 23:28:30 PDT


    I am running a RedHat 5.2 box, rebuilt basically everything (and working on
    what I haven't), and I _didn't_ install Apache off the CD during installation,
    and opted to download 1.3.6 from www.apache.org in source code.  I compiled
    the source, and I was in the process of getting it all set up in a directory
    structure familiar to me, and I noticed a "cachemgr.cgi" in my
    /home/httpd/cgi-bin directory.  I didn't know what it was, so as soon as I saw
    it, I automatically did a "chmod 000 cachemgr.cgi".  I enabled it once after
    that to test it to see what it was, but I didn't really have the time nor the
    patience to really do much, but I know that there is no way to really restrict
    access to it from what I have seen, and it is also a binary, so I do not trust
    it.  As a CGI programmer, I know the inherent risks of CGI programs w/ power
    like that.  So, basically, what this Email is about is that I don't think that
    it's just an RH 6.0 specific issue, I think it involves all builds of Apache
    1.3.6 (and others?).  Also, it could have POSSIBLY been Squid, which I
    installed as a proxy cache.  Just some thoughts....
    
    -Kerb
    
    On Friday, July 23, 1999 6:37 PM, danielat_private
    [SMTP:danielat_private] wrote:
    : Hi... After installing Redhat 6.0, I looked around a bit and I
    : noticed something interesting:
    : In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
    : and it can be accessed by remote users by default.
    : So I went to look at it, and I noticed that what it does is it
    : lets any user connect to any hostname/port he/she chooses via the
    : interface it provides.. and then see the connection results -
    : if the connection was not successful it prints out the full connect() error;
    : otherwise it just stays frozen, waiting for HTTP data, or httpd might
    : give you an "Internal Server Error" - Both of those mean that a connection
    : has been established.
    : This is what it looks like from lynx:
    :
    :                             Cache Manager Interface
    :
    :    This is a WWW interface to the instrumentation interface for the Squid
    :    object cache.
    :      _________________________________________________________________
    :
    :    Cache Host: localhost_____________________
    :    Cache Port: 3128__________________________
    :    Manager name: ______________________________
    :    Password: ______________________________
    :
    :    Continue...
    :
    : This is, obviously, not good, because this CGI program can be used as a
    : powerful portscanning or a denial of service tool. I suggest that Redhat
    : 6.0 users check to see if they have it, and then disable it if they do.
    :
    : - Daniel (danielat_private)
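
Added example, not part of the original thread: a shell audit for the "check to see if they have it, and then disable it" step, using the `chmod 000` approach from the reply. The function names are hypothetical, and treating any execute bit as "still runnable by the web server" is an assumption.

```shell
#!/bin/sh
# Audit CGI directories for Squid's cachemgr.cgi (added example).
# Usage: sh audit.sh /home/httpd/cgi-bin [more directories...]

# True if any owner/group/other execute bit is set on the file.
has_exec_bit() {
    [ -n "$(find "$1" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) -print)" ]
}

# List every cachemgr.cgi under the given directories with its status.
# Directories that do not exist are skipped silently.
audit_cachemgr() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name cachemgr.cgi -print
    done | while IFS= read -r path; do
        if has_exec_bit "$path"; then
            echo "EXPOSED  $path"
        else
            echo "DISABLED $path"
        fi
    done
}

# Number of copies that could still be executed as a CGI.
count_exposed() {
    audit_cachemgr "$@" | grep -c '^EXPOSED' || true
}

# Strip all permissions from every exposed copy (chmod 000, as in the reply).
disable_cachemgr() {
    audit_cachemgr "$@" | sed -n 's/^EXPOSED  //p' | while IFS= read -r path; do
        chmod 000 "$path"
    done
}

# Report only; disabling is a separate, explicit call to disable_cachemgr.
if [ "$#" -gt 0 ]; then
    audit_cachemgr "$@"
fi
```

A package upgrade or reinstall can restore the file with its original mode, so the audit is worth re-running after updating Squid or the web server.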
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:38 PDT