[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

Redhat Alert! [RHSA-1999:025-01] Potential misuse of squid cachemgr.cgi

Subject: Redhat Alert! [RHSA-1999:025-01] Potential misuse of squid cachemgr.cgi
From: Bill Nottingham <notting@xxxxxxxxxx>
Date: Fri, 30 Jul 1999 15:42:40 -0400

FYI -- Raju

- ---------------------------------------------------------------------
		   Red Hat, Inc. Security Advisory

Synopsis:		Potential misuse of squid cachemgr.cgi
Advisory ID:		RHSA-1999:025-01
Issue date:		1999-07-29
Updated on:		
Keywords:		squid cachemgr.cgi connect
Cross references:	
- ---------------------------------------------------------------------

1. Topic:

cachemgr.cgi, the manager interface to Squid, is installed by
default in /home/httpd/cgi-bin. If a web server (such as apache)
is running, this can allow remote users to sent connect() requests
from the local machine to arbitrary hosts and ports.

2. Bug IDs fixed:

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures
Red Hat Linux 5.2, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Red Hat Linux 6.0:

Intel:
  ftp://updates.redhat.com/6.0/i386/squid-2.2.STABLE4-5.i386.rpm

Alpha:
  ftp://updates.redhat.com/6.0/alpha/squid-2.2.STABLE4-5.alpha.rpm

Sparc:
  ftp://updates.redhat.com/6.0/sparc/squid-2.2.STABLE4-5.sparc.rpm

Source packages:
  ftp://updates.redhat.com/6.0/SRPMS/squid-2.2.STABLE4-5.src.rpm

Red Hat Linux 5.2:

Intel:
  ftp://updates.redhat.com/5.2/i386/squid-2.2.STABLE4-0.5.2.i386.rpm

Alpha:
  ftp://updates.redhat.com/5.2/alpha/squid-2.2.STABLE4-0.5.2.alpha.rpm

Sparc:
  ftp://updates.redhat.com/5.2/sparc/squid-2.2.STABLE4-0.5.2.sparc.rpm

Source packages:
  ftp://updates.redhat.com/5.2/SRPMS/squid-2.2.STABLE4-0.5.2.src.rpm

7. Problem description:

A remote user could enter a hostname/IP address and port
number, and the cachemgr CGI would attempt to connect to that
host and port, printing the error if it fails.

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

Alternatively, you can simply disable the cachemgr.cgi,
by editing your http daemons access control files or
deleting/moving the cachemgr.cgi binary.

9. Verification:

MD5 sum                           Package Name
- --------------------------------------------------------------------------
80d527634fc8d8d2029532a628b3d924  squid-2.2.STABLE4-5.i386.rpm
65d18747148d7e3dae4249fe65c18c6b  squid-2.2.STABLE4-5.alpha.rpm
734f84b949752fe39b5e58555210ff51  squid-2.2.STABLE4-5.sparc.rpm
02a93b0b1985f8d5c77eb8f3e8981eeb  squid-2.2.STABLE4-5.src.rpm

175b42cc4b603242fbb95e345c14963c  squid-2.2.STABLE4-0.5.2.i386.rpm
f8dfc1198e32c645ed57769a44f3aa6d  squid-2.2.STABLE4-0.5.2.alpha.rpm
2e11f629d2f15af8442d6b724ea4d020  squid-2.2.STABLE4-0.5.2.sparc.rpm
0ea1522539d2aebf298881571253e13d  squid-2.2.STABLE4-0.5.2.src.rpm

These packages are PGP signed by Red Hat Inc. for security.  Our key
is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp <filename>

10. References:


- ----- End forwarded message -----

- --------------------------------------------------------------------
For more information on Linux in India visit http://www.linux-india.org/
The Linux India mailing list does not accept postings in HTML format.

------------------------------

Prev by Subject: Re: Redhat 6.0 from chip cd.
Next by Subject: RedHat Linux Y2K compliancy
Previous by thread: ILUG-Calcutta Meeting on Sunday
Next by thread: Proxy access restriction....hlp pl.
Index(es):
- Subject
- Thread