Bug 245564 - localhost.localdomain open for access
Summary: localhost.localdomain open for access
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: squid (Show other bugs)
(Show other bugs)
Version: 5.0
Hardware: All Linux
Target Milestone: ---
: ---
Assignee: Martin Nagy
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2007-06-25 13:39 UTC by Denise Dumas
Modified: 2016-07-26 23:46 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-04-22 15:19:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Florian La Roche 2007-06-25 13:39:25 UTC
Description of problem:

The file /etc/httpd/conf.d/squid.conf file contains per default:

<Location /Squid/cgi-bin/cachemgr.cgi>
 order allow,deny
 allow from localhost.localdomain
 # Add additional allowed hosts as needed
 # allow from .example.com

This should open up this entry for all people who add a reverse DNS
name of localhost.localdomain for their own IP and should thus be
a security risk.


Florian La Roche

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Mark J. Cox 2007-06-25 13:46:53 UTC
apache does a double reverse DNS lookup:

"    Example: Allow from apache.org
    Hosts whose names match, or end in, this string are allowed access. Only
complete components are matched, so the above example will match foo.apache.org
but it will not match fooapache.org. This configuration will cause the server to
perform a double reverse DNS lookup on the client IP address, regardless of the
setting of the HostnameLookups directive. It will do a reverse DNS lookup on the
IP address to find the associated hostname, and then do a forward lookup on the
hostname to assure that it matches the original IP address. Only if the forward
and reverse DNS are consistent and the hostname matches will access be allowed."

Therefore this isn't a security issue unless attacker also has access to local
DNS so that (anything).localhost.localdomain points to them.

Comment 2 Florian La Roche 2007-07-04 11:19:32 UTC
Adding access to IPv4 _and_ IPv6 might be another reason to change this.
Some other rpms do that already, some also then hardcode only.


Florian La Roche

Comment 3 Florian La Roche 2008-01-30 09:46:24 UTC
No need to keep this bz open for too long. ;-) Just decide if the
current config should stay or if you want to change it and then close
this bz.


Florian La Roche

Comment 5 Martin Nagy 2008-04-22 15:19:27 UTC
Closing as NOTABUG since this is not really an issue as pointed out by Mark.

Note You need to log in before you can comment on or make changes to this bug.