Linux Today: Linux News On Internet Time.


Red Hat Advisory: Potential misuse of squid cachemgr.cgi

Jul 30, 1999, 17:03


           Red Hat, Inc. Security Advisory

Synopsis:       Potential misuse of squid cachemgr.cgi
Advisory ID:        RHSA-1999:025-01
Issue date:     1999-07-29
Updated on:
Keywords:       squid cachemgr.cgi connect
Cross references:

1. Topic:

cachemgr.cgi, the manager interface to Squid, is installed by default in /home/httpd/cgi-bin. If a web server (such as Apache) is running, this can allow remote users to send connect() requests from the local machine to arbitrary hosts and ports.

2. Bug IDs fixed:

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures
Red Hat Linux 5.2, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Red Hat Linux 6.0:




Source packages:

Red Hat Linux 5.2:




Source packages:

7. Problem description:

A remote user could enter a hostname/IP address and port number, and the cachemgr CGI would attempt to connect to that host and port, printing the error if it fails.

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

Alternatively, you can simply disable cachemgr.cgi by editing your HTTP daemon's access control files or by deleting or moving the cachemgr.cgi binary.
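
The "moving the binary" workaround above, as an added shell example that is not part of the Red Hat advisory. The function names, the `check`/`disable` arguments and the quarantine path are assumptions made for illustration; the default cgi-bin path is the one the advisory gives.

```shell
#!/bin/sh
# Added example (not from the advisory): check for and disable cachemgr.cgi.
# CGI_DIR default is the path named in the advisory; QUARANTINE is a hypothetical location.
CGI_DIR="${CGI_DIR:-/home/httpd/cgi-bin}"
QUARANTINE="${QUARANTINE:-/root/cachemgr-quarantine}"

# cachemgr_status DIR -> prints "absent", "not-executable" or "executable".
# "executable" means a web server serving DIR as a CGI directory could run it.
cachemgr_status() {
    f="$1/cachemgr.cgi"
    if [ ! -e "$f" ]; then
        echo absent
    elif [ -x "$f" ]; then
        echo executable
    else
        echo not-executable
    fi
}

# disable_cachemgr DIR DEST -> strips all permissions, then moves the binary out of DIR.
# Renaming it inside DIR is not enough when DIR is an Apache ScriptAlias directory,
# because every file there is treated as a CGI program regardless of its name.
disable_cachemgr() {
    src="$1/cachemgr.cgi"
    dest="$2"
    [ -e "$src" ] || return 0        # nothing installed, nothing to do
    mkdir -p "$dest" || return 1
    chmod 000 "$src" || return 1     # inert even if the move below fails
    mv "$src" "$dest/cachemgr.cgi.disabled" || return 1
}

# Nothing runs unless an action is requested explicitly.
case "${1:-}" in
    check)   cachemgr_status "$CGI_DIR" ;;
    disable) disable_cachemgr "$CGI_DIR" "$QUARANTINE" && cachemgr_status "$CGI_DIR" ;;
esac
```

Upgrading the squid RPM later may reinstall the binary, so run the check again after any package update.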