This could also go for Mandrake 6.0; that same file is in the cgi-bin directory. Cover
yourselves...

James J. Capone

*******************
Webmaster http://www.linuxuser.8m.com
Webmaster http://www.teammajestic.8m.com
Asst. Webmaster http://www.ptm.com
Co-Author: Linux For Newbies

"Even Common People Can Attain Uncommon Results"

-----Original Message-----
From:   [EMAIL PROTECTED] 
Sent:   Friday, July 23, 1999 7:37 PM
To:     [EMAIL PROTECTED]
Subject:        Redhat 6.0 cachemgr.cgi lameness

Hi... After installing Redhat 6.0, I looked around a bit and I
noticed something interesting:
In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
and it can be accessed by remote users by default.
So I went to look at it, and I noticed that what it does is it
lets any user connect to any hostname/port he/she chooses via the
interface it provides.. and then see the connection results -
if the connection was not successful it prints out the full connect() error;
otherwise it just stays frozen, waiting for HTTP data, or httpd might
give you an "Internal Server Error" - Both of those mean that a connection
has been established.
This is what it looks like from lynx:

                            Cache Manager Interface

   This is a WWW interface to the instrumentation interface for the Squid
   object cache.
     _________________________________________________________________

   Cache Host: localhost_____________________
   Cache Port: 3128__________________________
   Manager name: ______________________________
   Password: ______________________________

   Continue...

This is, obviously, not good, because this CGI program can be used as a
powerful portscanning or a denial of service tool. I suggest that Redhat
6.0 users check to see if they have it, and then disable it if they do.

- Daniel ([EMAIL PROTECTED])
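
An added example, not part of either message above: a small shell audit for the check-and-disable step the original post recommends. The default directory is the Red Hat 6.0 path named in the post; the `audit_cachemgr` function, its return codes, and the choice of `chmod 000` as the way to disable the file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a cgi-bin directory for cachemgr.cgi.
# Default path is the one named in the post; pass another directory
# for systems that keep cgi-bin elsewhere.

CGI_NAME="cachemgr.cgi"

# True if any execute bit (user, group or other) is set on the file.
has_exec_bit() {
    [ -n "$(find "$1" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) -print)" ]
}

# audit_cachemgr DIR [--disable]
# Returns: 0 = not present
#          1 = present but no execute bit (disabled)
#          2 = present and executable (exposed)
#          3 = --disable requested but chmod failed
audit_cachemgr() {
    dir="${1:-/home/httpd/cgi-bin}"
    target="$dir/$CGI_NAME"

    if [ ! -e "$target" ]; then
        echo "OK: $target not present"
        return 0
    fi

    if [ "$2" = "--disable" ]; then
        # Assumption: clearing all mode bits is an acceptable way to disable it.
        chmod 000 "$target" || return 3
    fi

    if has_exec_bit "$target"; then
        echo "EXPOSED: $target is executable; the web server can run it"
        return 2
    fi
    echo "DISABLED: $target exists but has no execute bit"
    return 1
}

# Run only when called with arguments, e.g.:
#   sh audit.sh /home/httpd/cgi-bin --disable
if [ "$#" -gt 0 ]; then
    audit_cachemgr "$@"
fi
```

Removing the file, or restricting it to local addresses in the web server configuration, are alternatives to clearing its mode bits.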
