Description of problem:
The file /etc/httpd/conf.d/squid.conf contains by default:

    <Location /Squid/cgi-bin/cachemgr.cgi>
        order allow,deny
        allow from localhost.localdomain
        # Add additional allowed hosts as needed
        # allow from .example.com
    </Location>

This should open up this entry for all people who add a reverse DNS name of localhost.localdomain for their own IP and should thus be a security risk.

regards,

Florian La Roche

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Apache does a double reverse DNS lookup:

"Example: Allow from apache.org

Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above example will match foo.apache.org but it will not match fooapache.org.

This configuration will cause the server to perform a double reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed."

Therefore this isn't a security issue unless the attacker also has access to local DNS so that (anything).localhost.localdomain points to them.
Adding access to IPv4 _and_ IPv6 might be another reason to change this. Some other rpms do that already, some also then hardcode 127.0.0.1 only.

regards,

Florian La Roche
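The two points made above (the double reverse lookup Mark quotes from the Apache docs, and the address-literal alternative Florian mentions) can be checked side by side. The following is an added example written for this page, not code from the bug, from the squid package or from Apache: it re-implements the matching rules as the quoted documentation describes them against a constructed in-memory resolver (FAKE_PTR and FAKE_FORWARD, using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), so it runs offline. The assumption it encodes is that the attacker can set any PTR record for their own address space but, except in the last case, does not control the forward zone for localhost.localdomain.

```python
import ipaddress
from typing import Optional


def _ip(text: str):
    return ipaddress.ip_address(text)


# Constructed stand-in for DNS so the example runs offline.  The attacker
# owns 203.0.113.0/24 and can publish any PTR record for it; only in the
# 203.0.113.8 case do they also control the forward zone, which models
# "attacker also has access to local DNS".
FAKE_PTR = {
    _ip("127.0.0.1"):    "localhost.localdomain",
    _ip("::1"):          "localhost.localdomain",
    _ip("203.0.113.7"):  "localhost.localdomain",      # spoofed PTR only
    _ip("198.51.100.5"): "foolocalhost.localdomain",   # consistent DNS, not a whole component
    _ip("203.0.113.8"):  "foo.localhost.localdomain",  # attacker owns forward zone too
}
FAKE_FORWARD = {
    "localhost.localdomain":     {_ip("127.0.0.1"), _ip("::1")},
    "foolocalhost.localdomain":  {_ip("198.51.100.5")},
    "foo.localhost.localdomain": {_ip("203.0.113.8")},
}


def hostname_matches(rule: str, hostname: str) -> bool:
    """'Allow from <name>' matching: the hostname equals the rule or ends in
    '.' + rule, so only whole DNS components count (foo.apache.org matches
    apache.org, fooapache.org does not)."""
    rule = rule.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    return hostname == rule or hostname.endswith("." + rule)


def double_reverse_lookup(client_ip, ptr=FAKE_PTR, forward=FAKE_FORWARD) -> Optional[str]:
    """Reverse-resolve the client IP, then forward-resolve the returned name and
    accept it only if the original IP is among the forward answers."""
    ip = _ip(client_ip)
    name = ptr.get(ip)
    if name is None:
        return None
    if ip not in forward.get(name, set()):
        return None  # PTR says one thing, the forward zone disagrees
    return name


def allowed_by_host_rule(client_ip, rule="localhost.localdomain",
                         ptr=FAKE_PTR, forward=FAKE_FORWARD) -> bool:
    """Decision for 'Allow from localhost.localdomain' as the quoted docs describe it."""
    name = double_reverse_lookup(client_ip, ptr, forward)
    return name is not None and hostname_matches(rule, name)


def allowed_by_ip_rule(client_ip, rule_addrs=("127.0.0.1", "::1")) -> bool:
    """Decision for 'Allow from 127.0.0.1 ::1': address literals, no DNS involved."""
    ip = _ip(client_ip)
    return any(ip == _ip(a) for a in rule_addrs)


# Constructed client addresses covering the cases discussed in the thread.
CLIENTS = ["127.0.0.1", "::1", "203.0.113.7", "198.51.100.5", "203.0.113.8"]


def decision_table(clients=CLIENTS):
    """(host-rule decision, ip-rule decision) for each client."""
    return {c: (allowed_by_host_rule(c), allowed_by_ip_rule(c)) for c in clients}


if __name__ == "__main__":
    for client, (by_host, by_ip) in decision_table().items():
        print(f"{client:>14}  host-rule={'allow' if by_host else 'deny':5}  "
              f"ip-rule={'allow' if by_ip else 'deny'}")
```

Running it shows the spoofed-PTR client 203.0.113.7 denied because the forward lookup of localhost.localdomain does not return its address, and 198.51.100.5 denied because foolocalhost.localdomain is not a whole-component match. The one client the hostname rule lets through, 203.0.113.8, is exactly the case Mark's caveat covers (attacker controls both directions of the local DNS); the address-literal rule denies it without consulting DNS at all, which is the trade-off behind hardcoding 127.0.0.1 and ::1.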
No need to keep this bz open for too long. ;-) Just decide if the current config should stay or if you want to change it and then close this bz.

regards,

Florian La Roche
Closing as NOTABUG since this is not really an issue as pointed out by Mark.