[1553] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] FYI: Possible information disclosure in cfingerd.

daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Mon May 26 16:57:58 1997

From: "Alexander O. Yuriev" <alex@yuriev.com>
To: linux-security@redhat.com
Date: Mon, 26 May 97 14:06:46 -0400
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com


Hi,
	This is FYI. Lets not start discussion on a topic of "my fingerd is
better than yours".


Alex

------- Forwarded Message

Return-Path: owner-bugtraq@NETSPACE.ORG
Message-ID: <199705240145.WAA11413@morcego.linkway.com.br>
Date: 	Fri, 23 May 1997 22:45:04 -0300
Reply-To: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR>
Approved: alex@yuriev.com
Subject:      cfingerd vulnerability
To: BUGTRAQ@NETSPACE.ORG

Hello,
        i don't know if it has been noticed before, but cfingerd installs,
by default, a search service. You can use it as:

finger search.username@host

Thats ok, but you can use keymasks. And if you do:

finger search.*@host

you can get a list of all the users in the system.

I've tried it if cfinger 1.2.2 (probably it is not the latest version).

- --
Rodrigo Barbosa       (Personal e-mail: rodrigob@darkover.org )
Network Administrator (Work e-mail    : rodrigob@morcego.linkway.com.br )
PGP Key,HomePage address etc: finger rodrigob@morcego.linkway.com.br
PGP Fingerprint: [ D9 15 02 9E 72 32 5A 0A  AC F0 DA 11 6A 4C A3 12 ]
   --> Except where explicitly stated I speak on my own behalf. <--

------- End of Forwarded Message


home help back first fref pref prev next nref lref last post