The affected package is squid, not apache. If you haven't installed squid
you're fine; if you've installed squid and not configured it, you should do
so. If you don't know what squid is, you probably don't need it. The
program works as expected: it will return a server error upon timeout and
prints connect messages on a network error. Remove it or secure it; we
could separate it and patch apache config files, but that is bound to cause
problems with larger servers, and there isn't a real need for an admin-only
cgi-bin quite yet as there are very few that we supply.


On Sat, 24 Jul 1999, James J. Capone wrote:

> This could also go for Mandrake 6.0; that same file is in the cgi-bin directory.
> Cover yourselves...
> 
> James J. Capone
> 
> *******************
> Webmaster http://www.linuxuser.8m.com
> Webmaster http://www.teammajestic.8m.com
> Asst. Webmaster http://www.ptm.com
> Co-Author: Linux For Newbies
> 
> "Even Common People Can Attain Uncommon Results"
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> Sent: Friday, July 23, 1999 7:37 PM
> To:   [EMAIL PROTECTED]
> Subject:      Redhat 6.0 cachemgr.cgi lameness
> 
> Hi... After installing Redhat 6.0, I looked around a bit and I
> noticed something interesting:
> In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
> and it can be accessed by remote users by default.
> So I went to look at it, and I noticed that what it does is it
> lets any user connect to any hostname/port he/she chooses via the
> interface it provides.. and then see the connection results -
> if the connection was not successful it prints out the full connect() error;
> otherwise it just stays frozen, waiting for HTTP data, or httpd might
> give you an "Internal Server Error" - Both of those mean that a connection
> has been established.
> This is what it looks like from lynx:
> 
>                             Cache Manager Interface
> 
>    This is a WWW interface to the instrumentation interface for the Squid
>    object cache.
>      _________________________________________________________________
> 
>    Cache Host: localhost_____________________
>    Cache Port: 3128__________________________
>    Manager name: ______________________________
>    Password: ______________________________
> 
>    Continue...
> 
> This is, obviously, not good, because this CGI program can be used as a
> powerful portscanning or a denial of service tool. I suggest that Redhat
> 6.0 users check to see if they have it, and then disable it if they do.
> 
> - Daniel ([EMAIL PROTECTED])
> 

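The behaviour Daniel describes above (the CGI connects to whatever host/port the form names and leaks the outcome) modelled in Python, as an added example that is not part of the original thread and not Red Hat's or Squid's code. `probe()` reproduces the connect oracle, `hardened_probe()` shows the obvious fix of refusing anything but the local cache before touching the network, and `suspicious_requests()` flags scan attempts in constructed Apache access-log lines. The log check assumes the form was submitted by GET with fields named `host` and `port` so they show up in the request line; those names and the allowlist values are assumptions, not taken from the page.

```python
"""Model of the cachemgr.cgi connect oracle and a hardened front end.

Added example: not the code of cachemgr.cgi, Red Hat or Squid.
"""
import socket
from urllib.parse import parse_qs, urlsplit

# Assumed policy: the only legitimate target is the local Squid instance.
ALLOWED_CACHE_HOSTS = {"localhost", "127.0.0.1"}
ALLOWED_CACHE_PORTS = {3128}


def probe(host, port, timeout=2.0):
    """Do what the original CGI does: connect wherever the user asked.

    The three distinct outcomes are exactly what a remote scanner learns:
    'open', the full connect() error text (e.g. Connection refused), or a
    timeout (the CGI "stays frozen" or httpd returns a server error).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"  # filtered port or unreachable host
    except OSError as e:
        return "connect() failed: %s" % e.strerror
    finally:
        s.close()


def hardened_probe(host, port, allowed_hosts=ALLOWED_CACHE_HOSTS,
                   allowed_ports=ALLOWED_CACHE_PORTS):
    """Refuse anything outside the allowlist before any socket is opened,
    and return a fixed string so nothing about the target leaks."""
    if host not in allowed_hosts or port not in allowed_ports:
        return "refused by policy"
    return probe(host, port)


def suspicious_requests(log_lines, allowed_hosts=ALLOWED_CACHE_HOSTS):
    """Return (client, target host, target port) for access-log entries that
    drove cachemgr.cgi at a host other than the local cache.
    Assumes GET submissions (fields 'host'/'port' in the URL: assumption)."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]      # 'GET /path HTTP/1.0'
            path = request.split()[1]
        except IndexError:
            continue                          # not a combined-format line
        parts = urlsplit(path)
        if not parts.path.endswith("/cachemgr.cgi"):
            continue
        query = parse_qs(parts.query)
        target = query.get("host", ["localhost"])[0]
        if target not in allowed_hosts:
            hits.append((line.split()[0], target, query.get("port", [""])[0]))
    return hits


def local_listener():
    """Open a listening socket on a free loopback port (for offline demos)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


# Constructed access-log lines, not from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/1999:10:01:02 -0400] "GET /cgi-bin/cachemgr.cgi HTTP/1.0" 200 812',
    '10.0.0.5 - - [24/Jul/1999:10:01:30 -0400] "GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128 HTTP/1.0" 200 512',
    '172.16.9.3 - - [24/Jul/1999:10:02:11 -0400] "GET /cgi-bin/cachemgr.cgi?host=192.168.1.20&port=22 HTTP/1.0" 500 291',
    '172.16.9.3 - - [24/Jul/1999:10:02:12 -0400] "GET /cgi-bin/cachemgr.cgi?host=192.168.1.20&port=23 HTTP/1.0" 200 402',
]

if __name__ == "__main__":
    srv, port = local_listener()
    print("open port  :", probe("127.0.0.1", port))
    srv.close()
    print("closed port:", probe("127.0.0.1", port))
    print("hardened   :", hardened_probe("192.168.1.20", 22))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("scan attempt from %s -> %s:%s" % hit)
```

The two `probe()` results against an open and a closed loopback port are the whole vulnerability: the difference is visible to anyone who can reach the CGI, so the fix is a policy check that runs before `connect()`, not a nicer error page.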