This cgi must be a part of the Squid package, because it's not in Apache.

Jean-Michel Dault
[EMAIL PROTECTED]
[EMAIL PROTECTED]


On Sat, 24 Jul 1999, James J. Capone wrote:

> Date: Sat, 24 Jul 1999 22:35:14 -0400
> From: "James J. Capone" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: [expert] FW: Redhat 6.0 cachemgr.cgi lameness
> 
> This could also go for Mandrake 6.0; that same file is in the cgi-bin directory.
> Cover yourselves...
> 
> James J. Capone
> 
> *******************
> Webmaster http://www.linuxuser.8m.com
> Webmaster http://www.teammajestic.8m.com
> Asst. Webmaster http://www.ptm.com
> Co-Author: Linux For Newbies
> 
> "Even Common People Can Attain Uncommon Results"
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> Sent: Friday, July 23, 1999 7:37 PM
> To:   [EMAIL PROTECTED]
> Subject:      Redhat 6.0 cachemgr.cgi lameness
> 
> Hi... After installing Redhat 6.0, I looked around a bit and I
> noticed something interesting:
> In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
> and it can be accessed by remote users by default.
> So I went to look at it, and I noticed that what it does is let any user
> connect to any hostname/port he/she chooses via the interface it provides,
> and then see the connection results:
> if the connection was not successful it prints out the full connect() error;
> otherwise it just stays frozen, waiting for HTTP data, or httpd might
> give you an "Internal Server Error" - Both of those mean that a connection
> has been established.
> This is what it looks like from lynx:
> 
>                             Cache Manager Interface
> 
>    This is a WWW interface to the instrumentation interface for the Squid
>    object cache.
>      _________________________________________________________________
> 
>    Cache Host: localhost_____________________
>    Cache Port: 3128__________________________
>    Manager name: ______________________________
>    Password: ______________________________
> 
>    Continue...
> 
> This is, obviously, not good, because this CGI program can be used as a
> powerful portscanning or a denial of service tool. I suggest that Redhat
> 6.0 users check to see if they have it, and then disable it if they do.
> 
> - Daniel ([EMAIL PROTECTED])
> 

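The thread's point is that an exposed cachemgr.cgi is a connect() oracle: the page reports a failed connection in full and either hangs or returns a 500 on a successful one, so anyone can use it to map ports on hosts the web server can reach. As an added example (not from the original post, and not Squid's or Red Hat's own code), the script below combs Apache access-log lines for cachemgr.cgi requests aimed at anything other than the local Squid port and groups the probed targets per client, which is what a scan looks like after the fact. The log lines are constructed for illustration, and the query-parameter names `host` and `port` are an assumption about what the cachemgr.cgi form submits; check them against the form on your own install before relying on the rule.

```python
"""Flag abuse of an exposed cachemgr.cgi in Apache access logs.

Constructed example: the log lines below are made up for illustration,
and the parameter names `host` and `port` are ASSUMED to be what the
cachemgr.cgi form submits; adjust them to match the binary you ship.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample of common-log-format lines (not real traffic).
# 10.0.0.7 walks four ports on an internal host through the CGI:
# 200 with a small body = connect() error text, 500 = connection succeeded.
SAMPLE_LOG = """\
127.0.0.1 - - [24/Jul/1999:22:00:01 -0400] "GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&passwd=&operation=menu HTTP/1.0" 200 1843
10.0.0.7 - - [24/Jul/1999:22:01:10 -0400] "GET /cgi-bin/cachemgr.cgi?host=192.168.1.5&port=22&user_name=&passwd=&operation=menu HTTP/1.0" 200 412
10.0.0.7 - - [24/Jul/1999:22:01:11 -0400] "GET /cgi-bin/cachemgr.cgi?host=192.168.1.5&port=23&user_name=&passwd=&operation=menu HTTP/1.0" 200 415
10.0.0.7 - - [24/Jul/1999:22:01:12 -0400] "GET /cgi-bin/cachemgr.cgi?host=192.168.1.5&port=25&user_name=&passwd=&operation=menu HTTP/1.0" 500 600
10.0.0.7 - - [24/Jul/1999:22:01:13 -0400] "GET /cgi-bin/cachemgr.cgi?host=192.168.1.5&port=80&user_name=&passwd=&operation=menu HTTP/1.0" 500 600
10.0.0.9 - - [24/Jul/1999:22:05:00 -0400] "GET /index.html HTTP/1.0" 200 2048
"""

# Apache common log format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
SQUID_PORT = 3128  # the only legitimate target for the cache manager


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["status"] = int(rec["status"])
    return rec


def is_cachemgr_abuse(rec):
    """True for a cachemgr.cgi request aimed anywhere but the local Squid port."""
    if not rec["path"].endswith("/cachemgr.cgi"):
        return False
    host = rec["query"].get("host", ["localhost"])[0].lower()
    port = rec["query"].get("port", [str(SQUID_PORT)])[0]
    return host not in LOCAL_HOSTS or port != str(SQUID_PORT)


def scan_report(log_text):
    """Map each offending client IP to the set of (host, port) targets it probed."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cachemgr_abuse(rec):
            host = rec["query"].get("host", [""])[0]
            port = rec["query"].get("port", [""])[0]
            targets[rec["client"]].add((host, port))
    return dict(targets)


if __name__ == "__main__":
    for client, probes in scan_report(SAMPLE_LOG).items():
        print(f"{client}: {len(probes)} distinct targets via cachemgr.cgi")
        for host, port in sorted(probes, key=lambda hp: int(hp[1])):
            print(f"  {host}:{port}")
```

Run it against a real access_log (`scan_report(open("/var/log/httpd/access_log").read())`) and any client with more than one distinct target is worth a look; a single legitimate admin hits localhost:3128 only. Finding it in the logs is the after-the-fact check, though: the fix the thread asks for is to remove the CGI or restrict it to the hosts that should be managing Squid.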