RedHat 6.0


    Daniel found following.   After installing Redhat  6.0, he  looked
    around   a   bit   and    noticed   something   interesting:    In
    /home/httpd/cgi-bin there  is a  CGI program  called cachemgr.cgi,
    and it  can be  accessed by  remote users  by default.   So if you
    look at it, you will notice that what it does is it lets any  user
    connect to any hostname/port  he/she chooses via the  interface it
    provides.. and then see the connection results - if the connection
    was  not  successful  it  prints  out  the  full  connect() error;
    otherwise it just  stays frozen, waiting  for HTTP data,  or httpd
    might give  you an  "Internal Server  Error" -  Both of those mean
    that a  connection has  been established.   This is  what it looks
    like from lynx:

                                Cache Manager Interface

       This is a WWW interface to the instrumentation interface for the Squid
       object cache.

       Cache Host: localhost_____________________
       Cache Port: 3128__________________________
       Manager name: ______________________________
       Password: ______________________________


    This is, obviously, not good, because this CGI program can be used
    as a powerful portscanning or a denial of service tool.

    From the SQUID FAQ (found at: "http//"):

        The  cache  manager  (cachemgr.cgi)  is  a  CGI  utility   for
        displaying statistics  about the   squid process  as it  runs.
        The cache manager is a convenient way to manage the cache  and
        view statistics without logging into the server.

    Looking around  all this  "cachemgr.cgi" stuff  on a  RH5.2 system
    (with Squid 2.2   STABLE installed), one  can easily find  another
    "squid-related"  hole.   The  hole  is  in  the  "cachemgr_passwd"
    directive  in  Squid's  configuration  file  ("squid.conf").  This
    directive is used  to specify the  cache manager's password.   The
    problem  is  that  the  password  is  specified  in PLAIN TEXT and
    "squid.conf" is by default with mode 644 (by Boutzev).


    cachemgr.cgi is  the manager  interface to  Squid web  proxy/cache
    server.  As all manager  interface tools access to it  SHOULD have
    restricted access by default, not open for public access.  If  you
    are  not  using  the  box  as  a Squid www proxy/cache server then
    uninstall the package by executing

        /etc/rc.d/init.d/squid stop ; rpm -e squid

    If you are indeed using the Squid proxy server software, then make
    the  following  actions  to  at  least minimally secure access the
    manager interface:

        mkdir /home/httpd/protected-cgi-bin
        mv /home/httpd/cgi-bin/cachemgr.cgi /home/httpd/protected-cgi-bin/

    and add  the following  directives to  /etc/httpd/conf/access.conf
    and srm.conf

    --- start access.conf segment ---

    # Protected cgi-bin directory for programs that
    # should not have public access

    <Directory /home/httpd/protected-cgi-bin>
    order deny,allow
    deny from all
    allow from localhost
    #allow from
    AllowOverride None
    Options ExecCGI

    --- end access.conf segment ---

    --- start srm.conf segment ---
    ScriptAlias /protected-cgi-bin/ /home/httpd/protected-cgi-bin/
    --- end srm.conf segment ---

    Then execute "/etc/rc.d/init.d/httpd restart" to reconfigure  your
    Apache HTTP server to allow localhost access to


    Change  the  allow  rules  accordingly  if you have other stations
    that need access to the protected-cgi-bin directory.  You are also
    recommended to  move any  other cgi-bin  programs not  inteded for
    public       access       from       /home/httpd/cgi-bin        to
    /home/httpd/protected-cgi-bin, if  you have  any.   Squid does not
    install cachemgr.cgi  in a  HTTP accessible  directory by default.

    RedHat patches: