[1553] in linux-security and linux-alert archive
[linux-security] FYI: Possible information disclosure in cfingerd.
daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Mon May 26 16:57:58 1997
From: "Alexander O. Yuriev" <alex@yuriev.com>
To: linux-security@redhat.com
Date: Mon, 26 May 97 14:06:46 -0400
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
Hi,
This is FYI. Lets not start discussion on a topic of "my fingerd is
better than yours".
Alex
------- Forwarded Message
Return-Path: owner-bugtraq@NETSPACE.ORG
Message-ID: <199705240145.WAA11413@morcego.linkway.com.br>
Date: Fri, 23 May 1997 22:45:04 -0300
Reply-To: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR>
Approved: alex@yuriev.com
Subject: cfingerd vulnerability
To: BUGTRAQ@NETSPACE.ORG
Hello,
i don't know if it has been noticed before, but cfingerd installs,
by default, a search service. You can use it as:
finger search.username@host
Thats ok, but you can use keymasks. And if you do:
finger search.*@host
you can get a list of all the users in the system.
I've tried it if cfinger 1.2.2 (probably it is not the latest version).
- --
Rodrigo Barbosa (Personal e-mail: rodrigob@darkover.org )
Network Administrator (Work e-mail : rodrigob@morcego.linkway.com.br )
PGP Key,HomePage address etc: finger rodrigob@morcego.linkway.com.br
PGP Fingerprint: [ D9 15 02 9E 72 32 5A 0A AC F0 DA 11 6A 4C A3 12 ]
--> Except where explicitly stated I speak on my own behalf. <--
------- End of Forwarded Message