>
> I just realised something. Even if I put access control on my own
> cachemgr.cgi so that only I can use it, people outside of us can
> use their own cachemgr.cgi and access information about my Squid-server
> by giving my servers FQDN and port.
>
> Please tell me I have gone completely crazy and this is impossible.
> Or what I can do about it.
>
Yes. By accessing the cachemgr.cgi that you have given permission to
access the cache info object, a user can bypass the ACL protection you
have placed on people accessing the cache object from anywhere else.
You can avoid this by protecting cachemgr.cgi using your web server
security, or change the cgi to something else (security by obscurity).
Ideally the cachemgr.cgi should have a builtin check that compares
HTTP_HOST with the ACL on Squid.
tom@iacom.com.au
Received on Sat Oct 26 1996 - 05:53:23 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:22 MST