Signature Detail

SCAN: Cachemgr.cgi Access

This signature detects access to the squid cachemgr.cgi script. Attackers can use this script as a denial-of-service (DoS) attack tool.

Extended Description

The 'cachemgr.cgi' module is a management interface for the Squid proxy service. It was installed by default in '/cgi-bin' by Red Hat Linux 5.2 and 6.0 installed with Squid. This script prompts for a host and port, which it then tries to connect to. If a webserver such as Apache is running, this can be used to connect to arbitrary hosts and ports, allowing for potential use as an intermediary in denial-of-service attacks, proxied port scans, etc. Interpreting the output of the script can allow the attacker to determine whether or not a connection was established.

Affected Products

• Debian Linux 3.0.0
• Debian Linux 3.0.0 Alpha
• Debian Linux 3.0.0 Arm
• Debian Linux 3.0.0 Hppa
• Debian Linux 3.0.0 Ia-32
• Debian Linux 3.0.0 Ia-64
• Debian Linux 3.0.0 M68k
• Debian Linux 3.0.0 Mips
• Debian Linux 3.0.0 Mipsel
• Debian Linux 3.0.0 Ppc
• Debian Linux 3.0.0 S/390
• Debian Linux 3.0.0 Sparc
• National Science Foundation Squid Web Proxy 2.2.0
• Red Hat Advanced Workstation for the Itanium Processor 2.1.0 IA64
• Red Hat Desktop 3.0.0
• Red Hat Desktop 4.0.0
• Red Hat Enterprise Linux AS 3
• Red Hat Enterprise Linux AS 4
• Red Hat Enterprise Linux ES 3
• Red Hat Enterprise Linux ES 4
• Red Hat Enterprise Linux WS 3
• Red Hat Enterprise Linux WS 4
• Red Hat Fedora Core1
• Red Hat Fedora Core2
• Red Hat Fedora Core3
• Red Hat Linux 7.3.0 I386
• Red Hat Linux 9.0.0 I386
• SGI ProPack 3.0.0 SP5

References

• BugTraq: 2059
• CVE: CVE-1999-0710