This CGI must be a part of the Squid package, because it's not in Apache.
Jean-Michel Dault
[EMAIL PROTECTED]
[EMAIL PROTECTED]
On Sat, 24 Jul 1999, James J. Capone wrote:
> Date: Sat, 24 Jul 1999 22:35:14 -0400
> From: "James J. Capone" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: [expert] FW: Redhat 6.0 cachemgr.cgi lameness
>
> This could also go for Mandrake 6.0; that same file is in the cgi-bin directory.
> Cover yourselves...
>
> James J. Capone
>
> *******************
> Webmaster http://www.linuxuser.8m.com
> Webmaster http://www.teammajestic.8m.com
> Asst. Webmaster http://www.ptm.com
> Co-Author: Linux For Newbies
>
> "Even Common People Can Attain Uncommon Results"
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> Sent: Friday, July 23, 1999 7:37 PM
> To: [EMAIL PROTECTED]
> Subject: Redhat 6.0 cachemgr.cgi lameness
>
> Hi... After installing Redhat 6.0, I looked around a bit and I
> noticed something interesting:
> In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
> and it can be accessed by remote users by default.
> So I went to look at it, and I noticed that what it does is let any user
> connect to any hostname/port he/she chooses via the interface it provides,
> and then see the connection results:
> if the connection was not successful, it prints out the full connect() error;
> otherwise it just stays frozen, waiting for HTTP data, or httpd might
> give you an "Internal Server Error". Both of those mean that a connection
> has been established.
> This is what it looks like from lynx:
>
> Cache Manager Interface
>
> This is a WWW interface to the instrumentation interface for the Squid
> object cache.
> _________________________________________________________________
>
> Cache Host: localhost_____________________
> Cache Port: 3128__________________________
> Manager name: ______________________________
> Password: ______________________________
>
> Continue...
>
> This is, obviously, not good, because this CGI program can be used as a
> powerful port-scanning or denial-of-service tool. I suggest that Redhat
> 6.0 users check to see if they have it, and then disable it if they do.
>
> - Daniel ([EMAIL PROTECTED])
>
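The behaviour Daniel describes (the CGI connects to whatever host/port the form names, prints the connect() error on failure, and either hangs or makes httpd return a 500 on success) is what turns an exposed cachemgr.cgi into a connection relay. The script below is an added example, not code from the thread or from the Squid project: it submits the form once and maps the response onto the three outcomes the report lists, so an administrator can check whether a web server is relaying before deciding how to lock the CGI down. The form field names (host, port, user_name, passwd, operation) are an assumption taken from Squid's cachemgr.cgi rather than from the thread, and the server name and target used in the usage call are placeholders.

```python
"""Check whether a web server's cachemgr.cgi relays TCP connections.

Added example; it is not part of the original mailing-list thread.
Assumptions: the CGI lives at /cgi-bin/cachemgr.cgi and uses the field
names host, port, user_name, passwd and operation (Squid's cachemgr.cgi
convention, not shown in the thread). Only run it against servers you
administer.
"""
import socket
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_PATH = "/cgi-bin/cachemgr.cgi"

# Substrings of strerror() text that cachemgr.cgi echoes back when its
# connect() fails, mapped to the verdict a port scanner would report.
ERROR_HINTS = (
    (b"refused", "closed"),        # RST came back: host up, port closed
    (b"no route", "filtered"),     # ICMP unreachable / routing failure
    (b"unreachable", "filtered"),
    (b"timed out", "filtered"),    # silently dropped, no answer at all
)


def build_request(server, target_host, target_port, path=DEFAULT_PATH):
    """Return (url, urlencoded body) for one cachemgr.cgi form submission
    that asks the CGI to connect to target_host:target_port."""
    body = urllib.parse.urlencode({
        "host": target_host,          # assumed field name
        "port": str(target_port),     # assumed field name
        "user_name": "",
        "passwd": "",
        "operation": "menu",
    }).encode()
    return f"http://{server}{path}", body


def classify(status, body, timed_out):
    """Map one HTTP response onto the outcomes listed in the report.

    timed_out : our own HTTP read timed out (the CGI is frozen waiting
                for data from a live TCP peer)
    500       : httpd gave up on the CGI after it connected
    connect() error text in the body : the target refused or is unreachable
    """
    low = body.lower()
    if b"connect" in low:
        for hint, verdict in ERROR_HINTS:
            if hint in low:
                return verdict
        return "error"  # connect() failed for some other reason
    if timed_out or status == 500:
        return "open"
    if status == 200:
        # The CGI redisplayed its own form: it never tried to connect,
        # which usually means the assumed field names do not match.
        if b"cache manager interface" in low and b'name="host"' in low:
            return "no-request"
        return "open"  # real data (e.g. a Squid manager menu) came back
    return "unknown"


def probe(server, target_host, target_port, timeout=5.0, path=DEFAULT_PATH):
    """Submit the form once and classify the result. Network I/O only here."""
    url, body = build_request(server, target_host, target_port, path)
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(), False)
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read(), False)
    except (socket.timeout, TimeoutError):
        return classify(None, b"", True)
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            return classify(None, b"", True)
        raise


if __name__ == "__main__":
    # Placeholder names; replace with a server you administer and a target
    # it should never be able to reach (an internal host is the usual test).
    print(probe("www.example.org", "127.0.0.1", 3128))
```

Any verdict other than "no-request" or "unknown" means the CGI made an outbound connection on the client's behalf, which is the condition the report warns about. The fix the thread arrives at is to treat cachemgr.cgi as part of Squid rather than a general-purpose CGI: remove it from the public cgi-bin, or restrict it in httpd.conf to the addresses of the cache administrators, which is what Squid's own documentation recommends for cachemgr.cgi.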