Squid cachemgr.cgi Unauthorized Connection Vulnerability More info: http://www.securityfocus.com/bid/2059/discussion/ There is already an exploit for this one. Reproducible: Always Steps to Reproduce: 1. 2. 3.
Andrew please verify and patch if needed.
In fact there is no patch... The solution is not to enable cachemgr.cgi access to anyone. RedHat used to ship with cachemgr.cgi accessible in Apache cgi-bin. I don't have squid installed, but I don't think we install cachemgr.cgi world-accessible by default... Andrew, please confirm/debunk.
cyfred was last on irc over two weeks ago and has no devaway. I guess this snippet from default configuration file squid.conf is enough: # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager
Im buried up to my armpits in assignments (checked mail today for first time in a week or so) until at least this monday, feel free to change this anyone that wants to.
I'm not sure wether the default configuration options from comment #3 is enough. Someone with Squid knowledge please verify.
Default configuration in Gentoo is to allow only cachemgr access from localhost. Furthermore most actions require a password... The old bug was about putting cachemgr.cgi directly in an accessible cgi-bin, and it's definitely not the case here. Closing as WORKSFORME... Please prove me wrong by detailing how this applies to Gentoo default Squid.