Decurity concern: cachemgr & GET method ?

From: Juergen Kuersch <>
Date: Mon, 11 Jan 1999 09:15:01 +0100


Hi out there,

I hope this was not on this list before, however, I could not find a hint
in the archives.

Cachemgr obviously uses http's GET method to send the manager's name and
the password to the cache. This implies that

1.) the password is (encrypted) part of the URL sent to squid, and as such
    is stored in the browser's history file. A typical request sent to squid
    looks like


2.) the password is part of the URL sent to the server running the cachemgr.cgi
    program (a typical request for the Cache Manager menu looks like
    meaning it becomes part of the browser's history *and* part of the
    web server's access.log WITHOUT ANY ENCRYPTION.

Especially if you invoke the cache manager CGI on web browsers under insecure
operating systems, i.e. OSs without user-based access control, at least any
user with access to the client might look at your history and, consequently,
could access the cache manager information, as well as shutdown the proxy.

Wouldn't it improve security if the cache manager functionality was completely
based on http's POST method (not to mention SSL, of course), in order to keep
it from being added to history and access.log files ?

Are there possibly any patches addressing this somewhere ?

        Juergen Kuersch

- --
- ----------------------------------------------------------------------
  Juergen Kuersch,
  Electrical Engineering and Computer Systems, RWTH Aachen, Germany
     PGP public key (0x830E1B55) available at public key servers

Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

Received on Mon Jan 11 1999 - 01:12:59 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:57 MST