Red Hat Advisory: Potential misuse of squid cachemgr.cgi
Jul 30, 1999, 17:03
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: Potential misuse of squid cachemgr.cgi
Advisory ID: RHSA-1999:025-01
Issue date: 1999-07-29
Updated on:
Keywords: squid cachemgr.cgi connect
Cross references:
---------------------------------------------------------------------
1. Topic:

cachemgr.cgi, the manager interface to Squid, is installed by default in /home/httpd/cgi-bin. If a web server (such as Apache) is running, this can allow remote users to send connect() requests from the local machine to arbitrary hosts and ports.

2. Bug IDs fixed:

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Red Hat Linux 6.0:

Intel:
Alpha:
Sparc:
Source packages:

Red Hat Linux 5.2:

Intel:
Alpha:
Sparc:
Source packages:

7. Problem description:

A remote user could enter a hostname/IP address and port number, and the cachemgr CGI would attempt to connect to that host and port, printing the error if it fails.

8. Solution:

For each RPM for your particular architecture, run:

    rpm -Uvh <filename>

where filename is the name of the RPM.

Alternatively, you can simply disable cachemgr.cgi by editing your HTTP daemon's access control files or by deleting/moving the cachemgr.cgi binary.
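The "deleting/moving the cachemgr.cgi binary" option from the Solution can be scripted as a check plus a quarantine step. This is an added example, not part of the Red Hat advisory: the function names and the quarantine directory /root/cgi-quarantine are assumptions, while /home/httpd/cgi-bin is the path given in the Topic.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit and quarantine cachemgr.cgi.
CGI_NAME="cachemgr.cgi"

# Print the state of the CGI in directory $1:
#   absent   - no such file
#   exposed  - at least one execute bit is set, so a web server may run it
#   disabled - file present but no execute bit set
cachemgr_status() {
    target="$1/$CGI_NAME"
    if [ ! -e "$target" ]; then
        echo "absent"
    elif [ -n "$(find "$target" \( -perm -100 -o -perm -010 -o -perm -001 \) -print)" ]; then
        echo "exposed"
    else
        echo "disabled"
    fi
}

# Move the CGI out of directory $1 into quarantine directory $2 and strip
# its permission bits. Succeeds only if nothing is left in the CGI directory.
cachemgr_disable() {
    cgi_dir="$1"
    quarantine="$2"
    if [ "$(cachemgr_status "$cgi_dir")" = "absent" ]; then
        return 0
    fi
    mkdir -p "$quarantine" || return 1
    chmod 700 "$quarantine" || return 1
    mv "$cgi_dir/$CGI_NAME" "$quarantine/$CGI_NAME.disabled" || return 1
    chmod 000 "$quarantine/$CGI_NAME.disabled" || return 1
    [ "$(cachemgr_status "$cgi_dir")" = "absent" ]
}

# Report only by default; pass --disable to quarantine the binary.
CGI_DIR="${CGI_DIR:-/home/httpd/cgi-bin}"         # path named in the advisory
QUARANTINE="${QUARANTINE:-/root/cgi-quarantine}"  # assumed location
if [ "${1:-}" = "--disable" ]; then
    cachemgr_disable "$CGI_DIR" "$QUARANTINE" || echo "could not disable" >&2
fi
echo "$CGI_DIR/$CGI_NAME: $(cachemgr_status "$CGI_DIR")"
```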