Re: Redhat 6.0 cachemgr.cgi lameness
Henrik Nordstrom (hno HEM.PASSAGEN.SE)
Sun, 25 Jul 1999 12:08:57 +0200
cachemgr.cgi is the manager interface to the Squid web proxy/cache server.
As with all manager interface tools, access to it SHOULD be restricted
by default, not open for public access.
If you are not using the box as a Squid www proxy/cache server then
uninstall the package by executing "/etc/rc.d/init.d/squid stop ; rpm -e
squid".
If you are indeed using the Squid proxy server software, then take the
following actions to at least minimally secure access to the manager
interface:
mkdir /home/httpd/protected-cgi-bin
mv /home/httpd/cgi-bin/cachemgr.cgi /home/httpd/protected-cgi-bin/
and add the following directives to /etc/httpd/conf/access.conf and
srm.conf
--- start access.conf segment ---
# Protected cgi-bin directory for programs that
# should not have public access
<Directory /home/httpd/protected-cgi-bin>
order deny,allow
deny from all
allow from localhost
#allow from .your_domain.com
AllowOverride None
Options ExecCGI
</Directory>
--- end access.conf segment ---
--- start srm.conf segment ---
ScriptAlias /protected-cgi-bin/ /home/httpd/protected-cgi-bin/
--- end srm.conf segment ---
Then execute "/etc/rc.d/init.d/httpd restart" to reconfigure your Apache
HTTP server to allow localhost access to
http://localhost/protected-cgi-bin/cachemgr.cgi. Change the allow rules
accordingly if you have other stations that need access to the
protected-cgi-bin directory.
You are also recommended to move any other cgi-bin programs not intended
for public access from /home/httpd/cgi-bin to
/home/httpd/protected-cgi-bin, if you have any.
Disclaimer: Squid does not install cachemgr.cgi in an HTTP accessible
directory by default. It is the administrator's responsibility (or in
this case the RedHat package maintainer's) to set up proper HTTP access to
it.
--
Henrik Nordstrom
Squid developer & RedHat user

daniel NEWS.GUS.NET wrote:
>
> Hi... After installing Redhat 6.0, I looked around a bit and I
> noticed something interesting:
> In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
> and it can be accessed by remote users by default.
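
A way to check that the steps in the message above took effect, as an added example that is not part of the original message or of the Squid or Red Hat packages. The function names are hypothetical; the default paths are the ones the message uses, and the check on "allow from all" assumes the "order deny,allow" semantics of the Apache access directives shown in the message.

```shell
#!/bin/sh
# Added example (not from the original message): audit the layout it describes.
# Default paths are the ones in the message; arguments override them.

# Succeeds if cachemgr.cgi is no longer in the public cgi-bin directory.
public_cgi_clean() {
    [ ! -e "${1:-/home/httpd/cgi-bin}/cachemgr.cgi" ]
}

# Prints the non-comment lines of the <Directory DIR> block in file CONF.
directory_block() {   # usage: directory_block CONF DIR
    awk -v dir="$2" '
        tolower($1) == "<directory" {
            d = $2; sub(/>$/, "", d); gsub(/"/, "", d)
            inblk = (d == dir); next
        }
        tolower($1) == "</directory>" { inblk = 0 }
        inblk && $1 !~ /^#/ { print }
    ' "$1"
}

# Succeeds if the block has "order deny,allow" and "deny from all" and no
# "allow from all". Every allowed host is printed so it can be reviewed.
block_is_restricted() {   # usage: block_is_restricted CONF DIR
    blk=$(directory_block "$1" "$2")
    [ -n "$blk" ] || { echo "no <Directory $2> block in $1"; return 1; }
    echo "$blk" | awk '
        { line = tolower($0); gsub(/[ \t]+/, " ", line)
          sub(/^ /, "", line); sub(/ $/, "", line) }
        line == "order deny,allow" { order = 1 }
        line == "deny from all"    { deny = 1 }
        line ~ /^allow from / {
            n = split(substr(line, 12), hosts, " ")
            for (i = 1; i <= n; i++) {
                print "allowed: " hosts[i]
                if (hosts[i] == "all") bad = 1
            }
        }
        END { exit !(order && deny && !bad) }
    '
}

# Typical run on the host from the message:
#   public_cgi_clean && block_is_restricted /etc/httpd/conf/access.conf \
#       /home/httpd/protected-cgi-bin
```

The printed "allowed:" lines are the list to review after widening the allow rules for other stations.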
This archive was generated by hypermail 2.0b3 on Sat Jul 24 1999 - 21:25:57 CDT