*******************
Webmaster http://www.linuxuser.8m.com
Webmaster http://www.teammajestic.8m.com
Asst. Webmaster http://www.ptm.com
Co-Author: Linux For Newbies
"Even Common People Can Attain Uncommon Results"

-----Original Message-----
From: James J. Capone
Sent: Saturday, July 24, 1999 10:35 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: [expert] FW: Redhat 6.0 cachemgr.cgi lameness

This could also go for Mandrake 6.0; that same file is in the cgi-bin directory. Cover yourselves...

James J. Capone

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Friday, July 23, 1999 7:37 PM
To: [EMAIL PROTECTED]
Subject: Redhat 6.0 cachemgr.cgi lameness

Hi...

After installing Redhat 6.0, I looked around a bit and I noticed something interesting: In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi, and it can be accessed by remote users by default.

So I went to look at it, and I noticed that what it does is it lets any user connect to any hostname/port he/she chooses via the interface it provides.. and then see the connection results - if the connection was not successful it prints out the full connect() error; otherwise it just stays frozen, waiting for HTTP data, or httpd might give you an "Internal Server Error" - both of those mean that a connection has been established.

This is what it looks like from lynx:

                         Cache Manager Interface

   This is a WWW interface to the instrumentation interface for the Squid
   object cache.
     _________________________________________________________________

   Cache Host: localhost_____________________
   Cache Port: 3128__________________________
   Manager name: ______________________________
   Password: ______________________________
   Continue...

This is, obviously, not good, because this CGI program can be used as a powerful portscanning or a denial of service tool.

I suggest that Redhat 6.0 users check to see if they have it, and then disable it if they do.

- Daniel ([EMAIL PROTECTED])
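
The check-and-disable step suggested in the message above, as an added example that is not part of the original thread: a POSIX shell script that reports whether cachemgr.cgi is present and executable in a cgi-bin directory and, on request, strips its permissions. The function names, the --disable option and the status words are assumptions of this example; the default path is the one named in the message.

```shell
#!/bin/sh
# Added example (not from the original message): audit cachemgr.cgi in a
# cgi-bin directory and optionally disable it.
# Usage: sh cachemgr_audit.sh [--disable] [cgi-bin directory]

# Print "absent", "enabled" or "disabled" for cachemgr.cgi in directory $1.
cachemgr_status() {
    f="$1/cachemgr.cgi"
    [ -e "$f" ] || { echo absent; return 0; }
    # Inspect the mode bits instead of using "test -x", which only answers
    # for the calling user. Any execute bit lets httpd run the file as a CGI.
    if [ -n "$(find "$f" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) -print)" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Remove every permission bit from cachemgr.cgi in directory $1 so that
# httpd can neither read nor execute it, then confirm the result.
# The file is kept in place so the change can be reverted with chmod.
cachemgr_disable() {
    f="$1/cachemgr.cgi"
    [ -e "$f" ] || return 0            # nothing to do
    chmod 000 "$f" || return 1
    [ "$(cachemgr_status "$1")" = disabled ]
}

# Report only, unless --disable is given as the first argument.
if [ "${1:-}" = "--disable" ]; then
    dir="${2:-/home/httpd/cgi-bin}"
    cachemgr_disable "$dir" || echo "could not disable $dir/cachemgr.cgi" >&2
else
    dir="${1:-/home/httpd/cgi-bin}"
fi
echo "$dir/cachemgr.cgi: $(cachemgr_status "$dir")"
```

A package upgrade or reinstall can put the file back with its original mode, so the report is worth re-running afterwards.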