---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          Potential misuse of squid cachemgr.cgi
Advisory ID:       RHSA-1999:025-01
Issue date:        1999-07-29
Updated on:
Keywords:          squid cachemgr.cgi connect
Cross references:
---------------------------------------------------------------------
1. Topic:
cachemgr.cgi, the manager interface to Squid, is installed by
default in /home/httpd/cgi-bin. If a web server (such as apache) is
running, this can allow remote users to send connect() requests
from the local machine to arbitrary hosts and ports.
2. Bug IDs fixed:
3. Relevant releases/architectures:
Red Hat Linux 6.0, all architectures
Red Hat Linux 5.2, all architectures
4. Obsoleted by:
5. Conflicts with:
6. RPMs required:
Red Hat Linux 6.0:
Intel:
ftp://updates.redhat.com/6.0/i386/squid-2.2.STABLE4-5.i386.rpm
Alpha:
ftp://updates.redhat.com/6.0/alpha/squid-2.2.STABLE4-5.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.0/sparc/squid-2.2.STABLE4-5.sparc.rpm
Source packages:
ftp://updates.redhat.com/6.0/SRPMS/squid-2.2.STABLE4-5.src.rpm
Red Hat Linux 5.2:
Intel:
ftp://updates.redhat.com/5.2/i386/squid-2.2.STABLE4-0.5.2.i386.rpm
Alpha:
ftp://updates.redhat.com/5.2/alpha/squid-2.2.STABLE4-0.5.2.alpha.rpm
Sparc:
ftp://updates.redhat.com/5.2/sparc/squid-2.2.STABLE4-0.5.2.sparc.rpm
Source packages:
ftp://updates.redhat.com/5.2/SRPMS/squid-2.2.STABLE4-0.5.2.src.rpm
7. Problem description:
A remote user could enter a hostname/IP address and port number,
and the cachemgr CGI would attempt to connect to that host and
port, printing the error if it fails.
8. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh <filename>
where filename is the name of the RPM.
Alternatively, you can simply disable cachemgr.cgi by editing your
HTTP daemon's access control files, or by deleting or moving the
cachemgr.cgi binary.
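As an added example (not part of the advisory), the following Python check lets an administrator scan Apache access logs for remote clients using cachemgr.cgi as a connect() relay, either before the update or to confirm the access controls above are working; the /cgi-bin/cachemgr.cgi URL and the host/port form field names are assumptions, and the log lines are constructed.

```python
"""Flag remote use of Squid's cachemgr.cgi in Apache access logs (added example,
not part of the Red Hat advisory).  Assumes the CGI is served as
/cgi-bin/cachemgr.cgi with 'host'/'port' form fields, as Squid 2.x cachemgr.cgi
uses; the log lines below are constructed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache common log format: client ident user [time] "METHOD url proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

SAMPLE_LOG = """\
127.0.0.1 - - [29/Jul/1999:10:00:01 -0400] "GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128&operation=info HTTP/1.0" 200 2048
10.1.2.3 - - [29/Jul/1999:10:00:05 -0400] "GET /cgi-bin/cachemgr.cgi?host=192.168.0.9&port=22 HTTP/1.0" 200 512
10.1.2.3 - - [29/Jul/1999:10:00:06 -0400] "GET /cgi-bin/cachemgr.cgi?host=192.168.0.9&port=23 HTTP/1.0" 200 512
10.1.2.3 - - [29/Jul/1999:10:00:07 -0400] "GET /cgi-bin/cachemgr.cgi?host=192.168.0.9&port=25 HTTP/1.0" 200 512
10.1.2.4 - - [29/Jul/1999:10:00:09 -0400] "GET /index.html HTTP/1.0" 200 1234
"""


def is_local(addr):
    """Loopback clients are the only expected users of the manager CGI."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_remote_cachemgr_use(log_text):
    """Map each non-loopback client that hit cachemgr.cgi to the sorted (host, port)
    pairs it asked the CGI to connect to; one client fanning out over many ports is
    the connect() relay the advisory describes."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        if is_local(client) or not parts.path.endswith("/cachemgr.cgi"):
            continue
        qs = parse_qs(parts.query)  # missing fields are reported as "?"
        targets[client].add((qs.get("host", ["?"])[0], qs.get("port", ["?"])[0]))
    return {c: sorted(t) for c, t in targets.items()}


if __name__ == "__main__":
    for client, hits in find_remote_cachemgr_use(SAMPLE_LOG).items():
        print(f"{client}: {len(hits)} cachemgr.cgi connect request(s): {hits}")
```

Once the access controls are in place, any non-loopback client appearing in the output indicates the restriction is not effective.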