[4570] in bugtraq
Re: cfingerd vulnerability
daemon@ATHENA.MIT.EDU (Felix von Leitner)
Mon May 26 03:10:31 1997
Date: Mon, 26 May 1997 02:51:57 +0200
Reply-To: Felix von Leitner <leitner@MATH.FU-BERLIN.DE>
From: Felix von Leitner <leitner@MATH.FU-BERLIN.DE>
X-To: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199705240145.WAA11413@morcego.linkway.com.br>; from Rodrigo
Barbosa on Fri, May 23, 1997 at 10:45:04PM -0300
Thus spake Rodrigo Barbosa (rodrigob@MORCEGO.LINKWAY.COM.BR):
> Hello,
> i don't know if it has been noticed before, but cfingerd installs,
> by default, a search service. You can use it as:
>
> finger search.username@host
>
> Thats ok, but you can use keymasks. And if you do:
>
> finger search.*@host
>
> you can get a list of all the users in the system.
>
> I've tried it if cfinger 1.2.2 (probably it is not the latest version).
May I point to my ffingerd which was written to get rid of this kind of
problem with finger daemons?
ftp://ftp.fu-berlin.de/pub/unix/security/ffingerd/
Even comes with ./configure for easy installation.
Felix
--
Fire, water and government know nothing of mercy.
--Albanian Proverb
