4178862 1999-08-01 02:17 /122 rader/ Postmaster Mottagare: Bugtraq (import) <7144> Ärende: [RHSA-1999:025-01] Potential misuse of squid cachemgr.cgi ------------------------------------------------------------ Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@securityfocus.com Mail-Followup-To: bugtraq@securityfocus.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Message-ID: <19990730154240.A21665@bobby.devel.redhat.com> Date: Fri, 30 Jul 1999 15:42:40 -0400 Reply-To: Bill Nottingham <notting@REDHAT.COM> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: Bill Nottingham <notting@REDHAT.COM> X-To: bugtraq@securityfocus.com To: BUGTRAQ@SECURITYFOCUS.COM --------------------------------------------------------------------- Red Hat, Inc. Security Advisory Synopsis: Potential misuse of squid cachemgr.cgi Advisory ID: RHSA-1999:025-01 Issue date: 1999-07-29 Updated on: Keywords: squid cachemgr.cgi connect Cross references: --------------------------------------------------------------------- 1. Topic: cachemgr.cgi, the manager interface to Squid, is installed by default in /home/httpd/cgi-bin. If a web server (such as apache) is running, this can allow remote users to sent connect() requests from the local machine to arbitrary hosts and ports. 2. Bug IDs fixed: 3. Relevant releases/architectures: Red Hat Linux 6.0, all architectures Red Hat Linux 5.2, all architectures 4. Obsoleted by: 5. Conflicts with: 6. RPMs required: Red Hat Linux 6.0: Intel: ftp://updates.redhat.com/6.0/i386/squid-2.2.STABLE4-5.i386.rpm Alpha: ftp://updates.redhat.com/6.0/alpha/squid-2.2.STABLE4-5.alpha.rpm Sparc: ftp://updates.redhat.com/6.0/sparc/squid-2.2.STABLE4-5.sparc.rpm Source packages: ftp://updates.redhat.com/6.0/SRPMS/squid-2.2.STABLE4-5.src.rpm Red Hat Linux 5.2: Intel: ftp://updates.redhat.com/5.2/i386/squid-2.2.STABLE4-0.5.2.i386.rpm Alpha: ftp://updates.redhat.com/5.2/alpha/squid-2.2.STABLE4-0.5.2.alpha.rpm Sparc: ftp://updates.redhat.com/5.2/sparc/squid-2.2.STABLE4-0.5.2.sparc.rpm Source packages: ftp://updates.redhat.com/5.2/SRPMS/squid-2.2.STABLE4-0.5.2.src.rpm 7. Problem description: A remote user could enter a hostname/IP address and port number, and the cachemgr CGI would attempt to connect to that host and port, printing the error if it fails. 8. Solution: For each RPM for your particular architecture, run: rpm -Uvh <filename> where filename is the name of the RPM. Alternatively, you can simply disable the cachemgr.cgi, by editing your http daemons access control files or deleting/moving the cachemgr.cgi binary. 9. Verification: MD5 sum Package Name -------------------------------------------------------------------------- 80d527634fc8d8d2029532a628b3d924 squid-2.2.STABLE4-5.i386.rpm 65d18747148d7e3dae4249fe65c18c6b squid-2.2.STABLE4-5.alpha.rpm 734f84b949752fe39b5e58555210ff51 squid-2.2.STABLE4-5.sparc.rpm 02a93b0b1985f8d5c77eb8f3e8981eeb squid-2.2.STABLE4-5.src.rpm 175b42cc4b603242fbb95e345c14963c squid-2.2.STABLE4-0.5.2.i386.rpm f8dfc1198e32c645ed57769a44f3aa6d squid-2.2.STABLE4-0.5.2.alpha.rpm 2e11f629d2f15af8442d6b724ea4d020 squid-2.2.STABLE4-0.5.2.sparc.rpm 0ea1522539d2aebf298881571253e13d squid-2.2.STABLE4-0.5.2.src.rpm These packages are PGP signed by Red Hat Inc. for security. Our key is available at: http://www.redhat.com/corp/contact.html You can verify each package with the following command: rpm --checksig <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nopgp <filename> 10. References: ----- End forwarded message ----- (4178862) ------------------------------------------