From the SQUID FAQ (found at "http://squid.nlanr.net/Squid/FAQ/"):

<< The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics about the squid process as it runs. The cache manager is a convenient way to manage the cache and view statistics without logging into the server. >>

Looking around all this "cachemgr.cgi" stuff on a RH5.2 system (with Squid 2.2 STABLE installed), I found another "squid-related" hole. The hole is in the "cachemgr_passwd" directive in Squid's configuration file ("squid.conf"). This directive is used to specify the cache manager's password. The problem is that the password is specified in PLAIN TEXT and "squid.conf" has mode 644 by default (if I'm not wrong). I did not find any information about using an encrypted manager password in "squid.conf".

Cheers
Boutzev
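An audit check for the condition described in the post above, added here as an example and not part of the original message or of Squid itself: it reports every "cachemgr_passwd" line whose password sits in a file readable by group or other. The function names and the sample configuration are constructed for illustration; the keyword values "disable" and "none" are skipped because they are not secrets.

```python
import os
import stat
import tempfile

# Keyword values that are not secrets (per Squid's cachemgr_passwd documentation).
NON_SECRET = {"disable", "none"}

def audit_squid_conf(path):
    """Report cachemgr_passwd lines whose password is readable beyond the owner."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    readers = [who for who, bit in (("group", stat.S_IRGRP),
                                    ("other", stat.S_IROTH)) if mode & bit]
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            fields = raw.split()
            if len(fields) < 2 or fields[0] != "cachemgr_passwd":
                continue  # comments, blanks and other directives
            if fields[1] in NON_SECRET or not readers:
                continue
            # Record where the secret is, never the secret itself.
            findings.append((lineno, fields[2:], format(mode, "04o"), readers))
    return findings

def demo():
    """Audit a constructed squid.conf at mode 644, then again at mode 600."""
    sample = (
        "# constructed sample, not a real configuration\n"
        "http_port 3128\n"
        "cachemgr_passwd ExamplePassw0rd shutdown\n"
        "cachemgr_passwd disable info\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "squid.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        before = audit_squid_conf(path)
        os.chmod(path, 0o600)
        after = audit_squid_conf(path)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("mode 644:", before)
    print("mode 600:", after)
```

Removing the group and other read bits only helps if the account that starts Squid can still read the file.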