Bug 245564

Summary: localhost.localdomain open for access
Product: Red Hat Enterprise Linux 5
Reporter: Denise Dumas <ddumas>
Component: squid
Assignee: Martin Nagy <mnagy>
Status: CLOSED NOTABUG
Severity: low
Priority: high
Version: 5.0
CC: hripps
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-04-22 15:19:27 UTC

Description Florian La Roche 2007-06-25 13:39:25 UTC
Description of problem:

The file /etc/httpd/conf.d/squid.conf contains by default:

<Location /Squid/cgi-bin/cachemgr.cgi>
 order allow,deny
 allow from localhost.localdomain
 # Add additional allowed hosts as needed
 # allow from .example.com
</Location>


This should open up this entry for all people who add a reverse DNS
name of localhost.localdomain for their own IP and should thus be
a security risk.

regards,

Florian La Roche

Comment 1 Mark J. Cox 2007-06-25 13:46:53 UTC
Apache does a double reverse DNS lookup:

"    Example: Allow from apache.org
    Hosts whose names match, or end in, this string are allowed access. Only
complete components are matched, so the above example will match foo.apache.org
but it will not match fooapache.org. This configuration will cause the server to
perform a double reverse DNS lookup on the client IP address, regardless of the
setting of the HostnameLookups directive. It will do a reverse DNS lookup on the
IP address to find the associated hostname, and then do a forward lookup on the
hostname to assure that it matches the original IP address. Only if the forward
and reverse DNS are consistent and the hostname matches will access be allowed."

Therefore this isn't a security issue unless the attacker also has access to local
DNS so that (anything).localhost.localdomain points to them.
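
The check described in the quoted documentation, modelled as an added example (not part of the original comment and not Apache's own code). DNS is represented by two constructed lookup tables so it runs offline; the function names and the sample address 198.51.100.7 are assumptions made for illustration.

```python
# Added example: a model of the "Allow from <hostname>" check quoted above.
# DNS is represented by constructed dicts so the example runs offline.

def name_matches(hostname, pattern):
    """Match whole DNS components only: 'apache.org' matches
    'foo.apache.org' but not 'fooapache.org'."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().strip(".")
    return host == pat or host.endswith("." + pat)

def double_reverse_lookup(client_ip, ptr_records, forward_records):
    """Return the verified hostname for client_ip, or None.

    ptr_records:     IP -> hostname (set by whoever owns the reverse zone)
    forward_records: hostname -> set of IPs (as seen by the server's resolver)
    """
    hostname = ptr_records.get(client_ip)
    if hostname is None:
        return None
    key = hostname.lower().rstrip(".")
    if client_ip not in forward_records.get(key, set()):
        return None  # forward and reverse DNS disagree: name is not trusted
    return hostname

def allow_from(client_ip, pattern, ptr_records, forward_records):
    """Access is granted only if the name is verified AND matches the pattern."""
    hostname = double_reverse_lookup(client_ip, ptr_records, forward_records)
    return hostname is not None and name_matches(hostname, pattern)

# Constructed sample data (198.51.100.7 is a documentation-range address).
PTR = {
    "127.0.0.1": "localhost.localdomain",
    "198.51.100.7": "localhost.localdomain",  # remote IP claiming the name via PTR
}
FORWARD = {"localhost.localdomain": {"127.0.0.1"}}

# The exception from the comment: the server's local DNS also resolves
# (anything).localhost.localdomain to the remote address.
PTR_TAMPERED = {**PTR, "198.51.100.7": "x.localhost.localdomain"}
FORWARD_TAMPERED = {**FORWARD, "x.localhost.localdomain": {"198.51.100.7"}}

if __name__ == "__main__":
    cases = (("normal DNS", PTR, FORWARD),
             ("local DNS tampered", PTR_TAMPERED, FORWARD_TAMPERED))
    for label, ptr, fwd in cases:
        for ip in ("127.0.0.1", "198.51.100.7"):
            print(label, ip, allow_from(ip, "localhost.localdomain", ptr, fwd))
```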

Comment 2 Florian La Roche 2007-07-04 11:19:32 UTC
Adding access to IPv4 _and_ IPv6 might be another reason to change this.
Some other rpms do that already, some also then hardcode 127.0.0.1 only.

regards,

Florian La Roche


Comment 3 Florian La Roche 2008-01-30 09:46:24 UTC
No need to keep this bz open for too long. ;-) Just decide if the
current config should stay or if you want to change it and then close
this bz.

regards,

Florian La Roche


Comment 5 Martin Nagy 2008-04-22 15:19:27 UTC
Closing as NOTABUG since this is not really an issue as pointed out by Mark.