For those of you following the thread on RedHat default install of
cachemgr.cgi.
What the updated RPM apparently does (besides upgrading to a current
version of Squid) is to move cachemgr.cgi back to
/usr/lib/squid/cachemgr.cgi; it is then the responsibility of the server
manager to set up proper HTTP access to this CGI program if they want to
use it.
--
Henrik Nordstrom
Spare time Squid hacker
attached mail follows:
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: Potential misuse of squid cachemgr.cgi
Advisory ID: RHSA-1999:025-01
Issue date: 1999-07-29
Updated on:
Keywords: squid cachemgr.cgi connect
Cross references:
---------------------------------------------------------------------
1. Topic:
cachemgr.cgi, the manager interface to Squid, is installed by
default in /home/httpd/cgi-bin. If a web server (such as apache)
is running, this can allow remote users to send connect() requests
from the local machine to arbitrary hosts and ports.
2. Bug IDs fixed:
3. Relevant releases/architectures:
Red Hat Linux 6.0, all architectures
Red Hat Linux 5.2, all architectures
4. Obsoleted by:
5. Conflicts with:
6. RPMs required:
Red Hat Linux 6.0:
Intel:
ftp://updates.redhat.com/6.0/i386/squid-2.2.STABLE4-5.i386.rpm
Alpha:
ftp://updates.redhat.com/6.0/alpha/squid-2.2.STABLE4-5.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.0/sparc/squid-2.2.STABLE4-5.sparc.rpm
Source packages:
ftp://updates.redhat.com/6.0/SRPMS/squid-2.2.STABLE4-5.src.rpm
Red Hat Linux 5.2:
Intel:
ftp://updates.redhat.com/5.2/i386/squid-2.2.STABLE4-0.5.2.i386.rpm
Alpha:
ftp://updates.redhat.com/5.2/alpha/squid-2.2.STABLE4-0.5.2.alpha.rpm
Sparc:
ftp://updates.redhat.com/5.2/sparc/squid-2.2.STABLE4-0.5.2.sparc.rpm
Source packages:
ftp://updates.redhat.com/5.2/SRPMS/squid-2.2.STABLE4-0.5.2.src.rpm
7. Problem description:
A remote user could enter a hostname/IP address and port
number, and the cachemgr CGI would attempt to connect to that
host and port, printing the error if it fails.
8. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh <filename>
where filename is the name of the RPM.
Alternatively, you can simply disable the cachemgr.cgi,
by editing your http daemons access control files or
deleting/moving the cachemgr.cgi binary.
9. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
80d527634fc8d8d2029532a628b3d924 squid-2.2.STABLE4-5.i386.rpm
65d18747148d7e3dae4249fe65c18c6b squid-2.2.STABLE4-5.alpha.rpm
734f84b949752fe39b5e58555210ff51 squid-2.2.STABLE4-5.sparc.rpm
02a93b0b1985f8d5c77eb8f3e8981eeb squid-2.2.STABLE4-5.src.rpm
175b42cc4b603242fbb95e345c14963c squid-2.2.STABLE4-0.5.2.i386.rpm
f8dfc1198e32c645ed57769a44f3aa6d squid-2.2.STABLE4-0.5.2.alpha.rpm
2e11f629d2f15af8442d6b724ea4d020 squid-2.2.STABLE4-0.5.2.sparc.rpm
0ea1522539d2aebf298881571253e13d squid-2.2.STABLE4-0.5.2.src.rpm
These packages are PGP signed by Red Hat Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nopgp <filename>
10. References:
----- End forwarded message -----
Received on Sun Aug 01 1999 - 08:25:39 MDT
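The problem the advisory describes, as an added example that is not code from Squid, Red Hat, or the thread above: a CGI that reads a host and port from the request, calls connect() from the web server, and echoes the outcome lets any remote user who can reach the script use the server as a port-scan oracle against hosts it can see. The vulnerable handler below mimics that pattern; the hardened one only probes targets on an explicit allowlist. Function names, the host/port query format, the default target of localhost:3128 and the loopback listener are assumptions for the demonstration.

```python
import socket
from urllib.parse import parse_qs

# Added example, not Squid's cachemgr.cgi. It reproduces the behaviour the
# Red Hat advisory describes (connect() to a client-chosen host:port, error
# echoed back) so the oracle can be seen, and shows the allowlist check that
# stops it. Names and the query format are assumed.


def probe(host, port, timeout=2.0):
    """Attempt a TCP connect; return (True, 'connected') or (False, error text)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, "connect: %s" % (exc.strerror or exc)


def parse_target(query, default_host="localhost", default_port=3128):
    """Extract host and port from a query string such as 'host=10.0.0.5&port=22'.
    Defaults (assumed) match a Squid manager on the local machine."""
    params = parse_qs(query, keep_blank_values=True)
    host = params.get("host", [default_host])[0] or default_host
    try:
        port = int(params.get("port", [str(default_port)])[0])
    except ValueError:
        port = default_port
    return host, port


def vulnerable_handler(query):
    """The pattern the advisory warns about: whatever host:port the client names
    is probed from the web server, and the result (including errno text) is
    returned, so open and closed ports are distinguishable to a remote user."""
    host, port = parse_target(query)
    ok, msg = probe(host, port)
    return (200 if ok else 500), "%s:%d %s" % (host, port, msg)


def hardened_handler(query, allowed=(("127.0.0.1", 3128), ("localhost", 3128))):
    """Same interface, but only allowlisted targets are ever probed. This is the
    application-side complement to the advisory's actual fix (restricting who
    can reach the CGI at the HTTP server); it does not replace that control."""
    host, port = parse_target(query)
    if (host, port) not in allowed:
        return 403, "target not permitted"
    ok, msg = probe(host, port)
    return (200 if ok else 500), "%s:%d %s" % (host, port, msg)


def open_listener():
    """Bind a listening socket on an ephemeral loopback port so the open-port
    case can be demonstrated without touching the network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_listener()
    try:
        # The oracle reports the listener as open; the hardened handler refuses.
        print(vulnerable_handler("host=127.0.0.1&port=%d" % port))
        print(hardened_handler("host=127.0.0.1&port=%d" % port))
    finally:
        srv.close()
    # Once the listener is gone the same probe returns the connect error text.
    print(vulnerable_handler("host=127.0.0.1&port=%d" % port))
```

The allowlist alone is not the fix the advisory recommends: the updated RPM takes the script out of the web root entirely, and the alternative is to deny access at the httpd access-control level, so that the connect() can only be triggered by whoever is meant to administer the cache.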