Bugtraq mailing list archives
Redhat 6.0 cachemgr.cgi lameness
From: daniel () NEWS GUS NET (daniel () NEWS GUS NET)
Date: Fri, 23 Jul 1999 16:36:32 -0700
Hi... After installing Redhat 6.0, I looked around a bit and I
noticed something interesting:
In /home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
and it can be accessed by remote users by default.
So I went to look at it, and I noticed that what it does is it
lets any user connect to any hostname/port he/she chooses via the
interface it provides.. and then see the connection results -
if the connection was not successful it prints out the full connect() error;
otherwise it just stays frozen, waiting for HTTP data, or httpd might
give you an "Internal Server Error" - Both of those mean that a connection
has been established.
This is what it looks like from lynx:
Cache Manager Interface
This is a WWW interface to the instrumentation interface for the Squid
object cache.
_________________________________________________________________
Cache Host: localhost_____________________
Cache Port: 3128__________________________
Manager name: ______________________________
Password: ______________________________
Continue...
This is, obviously, not good, because this CGI program can be used as a
powerful portscanning or a denial of service tool. I suggest that Redhat
6.0 users check to see if they have it, and then disable it if they do.
- Daniel (daniel () news gus net)
Current thread:
- L0pht Heavy Industries - AntiSniff, (continued)
- L0pht Heavy Industries - AntiSniff Alex Yu (Jul 23)
- Trojan Horse Guard - Cassandra GOLD Release. Jonathan James (Jul 23)
- Troff dangerous. Pawel Wilk (Jul 23)
- New way to pay in advance for ToorCon '99 in San Diego, California Ben (Jul 24)
- Re: Troff dangerous. CyberPsychotic (Jul 25)
- Re: Troff dangerous. Pavel Kankovsky (Jul 25)
- Re: Troff dangerous. Warner Losh (Jul 27)
- Re: Troff dangerous. Julian Squires (Aug 02)
- Re: Troff dangerous. Olaf Kirch (Jul 26)
- IBM-ERS Security Vulnerability Alert: IBM AIX: Non-root users can cause the system to crash ibm-ers () ERS IBM COM (Jul 26)
- Redhat 6.0 cachemgr.cgi lameness daniel () NEWS GUS NET (Jul 23)
- Re: Redhat 6.0 cachemgr.cgi lameness Henrik Nordstrom (Jul 25)
