Re: Redhat 6.0 cachemgr.cgi lameness

From: Peter Boutzev (boutzevat_private)
Date: Fri Jul 30 1999 - 05:18:50 PDT


From the SQUID FAQ (found at "http//squid.nlanr.net/Squid/FAQ/"):

<< The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics
about the squid process as it runs. The cache manager is a convenient way to
manage the cache and view statistics without logging into the server. >>

Looking around all this "cachemgr.cgi" stuff on a RH5.2 system (with Squid
2.2 STABLE installed), I found another "squid-related" hole. The hole is in
the "cachemgr_passwd" directive in Squid's configuration file ("squid.conf").
This directive is used to specify the cache manager's password. The
problem is that the password is specified in PLAIN TEXT and "squid.conf" is by
default with mode 644 (if I'm not wrong).

I did not find any information about using an encrypted manager password in
"squid.conf".

Cheers

Boutzev
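A quick audit for the problem described in the post, added here as an example and not part of the original message: it flags a squid.conf that holds a plaintext cachemgr_passwd (anything other than Squid's literal "none" and "disable" values, which carry no secret) while the file is readable by other local users, and shows the permission fix. File paths and configuration contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit squid.conf for a plaintext
# cachemgr_passwd that other local users can read. Paths/contents constructed.

# Succeed if the file's "other" read bit is set (parses the ls mode string).
world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Print cachemgr_passwd lines that carry a real secret. Squid treats the literal
# values "none" (no password needed) and "disable" (action blocked) specially;
# neither is a secret, so they are skipped.
plaintext_cachemgr_passwords() {
    grep -E '^[[:space:]]*cachemgr_passwd[[:space:]]+' "$1" \
      | awk '$2 != "none" && $2 != "disable" { print }'
}

# Return 0 if safe, 1 if a plaintext manager password sits in a world-readable file.
check_squid_conf() {
    conf=$1
    n=$(plaintext_cachemgr_passwords "$conf" | wc -l | tr -d '[:space:]')
    if [ "$n" -gt 0 ] && world_readable "$conf"; then
        echo "WARNING: $conf is mode o+r and holds $n plaintext cachemgr_passwd line(s)" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs: same contents, different permissions.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/weak.conf" <<'EOF'
http_port 3128
cachemgr_passwd secret shutdown
cachemgr_passwd none info
EOF
chmod 644 "$TMP/weak.conf"          # the default the post complains about
cp "$TMP/weak.conf" "$TMP/fixed.conf"
chmod 640 "$TMP/fixed.conf"         # mitigation: drop the "other" read bit

check_squid_conf "$TMP/weak.conf"  || echo "weak.conf: finding (expected)"
check_squid_conf "$TMP/fixed.conf" && echo "fixed.conf: ok"
```

Pair the 640 mode with ownership by root and the group Squid runs as, so the daemon can still read its configuration.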
    


