COMMAND
cachemgr.cgi
SYSTEMS AFFECTED
RedHat 6.0
PROBLEM
Daniel found the following. After installing Redhat 6.0, he looked
around a bit and noticed something interesting: in
/home/httpd/cgi-bin there is a CGI program called cachemgr.cgi,
and it can be accessed by remote users by default. If you look
at it, you will notice that it lets any user connect to any
hostname/port he/she chooses via the interface it provides, and
then see the connection results: if the connection was not
successful it prints out the full connect() error; otherwise it
just stays frozen, waiting for HTTP data, or httpd might give
you an "Internal Server Error". Both of those mean that a
connection has been established. This is what it looks like
from lynx:
Cache Manager Interface
This is a WWW interface to the instrumentation interface for the Squid
object cache.
_________________________________________________________________
Cache Host: localhost_____________________
Cache Port: 3128__________________________
Manager name: ______________________________
Password: ______________________________
Continue...
This is, obviously, not good, because this CGI program can be used
as a powerful portscanning or denial of service tool.
From the SQUID FAQ (found at "http://squid.nlanr.net/Squid/FAQ/"):
The cache manager (cachemgr.cgi) is a CGI utility for
displaying statistics about the squid process as it runs.
The cache manager is a convenient way to manage the cache and
view statistics without logging into the server.
Looking around all this "cachemgr.cgi" stuff on a RH5.2 system
(with Squid 2.2 STABLE installed), one can easily find another
"squid-related" hole. The hole is in the "cachemgr_passwd"
directive in Squid's configuration file ("squid.conf"). This
directive is used to specify the cache manager's password. The
problem is that the password is specified in PLAIN TEXT and
"squid.conf" has mode 644 by default (by Boutzev).
SOLUTION
cachemgr.cgi is the manager interface to the Squid web proxy/cache
server. As with all manager interface tools, access to it SHOULD
be restricted by default, not open to the public. If you are not
using the box as a Squid www proxy/cache server then uninstall
the package by executing
/etc/rc.d/init.d/squid stop ; rpm -e squid
If you are indeed using the Squid proxy server software, then take
the following actions to at least minimally secure access to the
manager interface:
mkdir /home/httpd/protected-cgi-bin
mv /home/httpd/cgi-bin/cachemgr.cgi /home/httpd/protected-cgi-bin/
and add the following directives to /etc/httpd/conf/access.conf
and srm.conf
--- start access.conf segment ---
# Protected cgi-bin directory for programs that
# should not have public access
<Directory /home/httpd/protected-cgi-bin>
order deny,allow
deny from all
allow from localhost
#allow from .your_domain.com
AllowOverride None
Options ExecCGI
</Directory>
--- end access.conf segment ---
--- start srm.conf segment ---
ScriptAlias /protected-cgi-bin/ /home/httpd/protected-cgi-bin/
--- end srm.conf segment ---
Then execute "/etc/rc.d/init.d/httpd restart" to reconfigure your
Apache HTTP server to allow localhost access to
http://localhost/protected-cgi-bin/cachemgr.cgi
Change the allow rules accordingly if you have other stations
that need access to the protected-cgi-bin directory. You are also
recommended to move any other cgi-bin programs not intended for
public access from /home/httpd/cgi-bin to
/home/httpd/protected-cgi-bin, if you have any. Squid does not
install cachemgr.cgi in an HTTP-accessible directory by default.
RedHat patches:
ftp://updates.redhat.com/6.0/i386/squid-2.2.STABLE4-5.i386.rpm
ftp://updates.redhat.com/6.0/alpha/squid-2.2.STABLE4-5.alpha.rpm
ftp://updates.redhat.com/6.0/sparc/squid-2.2.STABLE4-5.sparc.rpm
ftp://updates.redhat.com/6.0/SRPMS/squid-2.2.STABLE4-5.src.rpm
ftp://updates.redhat.com/5.2/i386/squid-2.2.STABLE4-0.5.2.i386.rpm
ftp://updates.redhat.com/5.2/alpha/squid-2.2.STABLE4-0.5.2.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/squid-2.2.STABLE4-0.5.2.sparc.rpm
ftp://updates.redhat.com/5.2/SRPMS/squid-2.2.STABLE4-0.5.2.src.rpm