[4573] in bugtraq
Re: cfingerd vulnerability
daemon@ATHENA.MIT.EDU (Michael Stone)
Mon May 26 03:32:13 1997
Date: Sun, 25 May 1997 16:16:39 -0400
Reply-To: Michael Stone <mstone@ITRI.LOYOLA.EDU>
From: Michael Stone <mstone@ITRI.LOYOLA.EDU>
X-To: "Edward S. Marshall" <emarshal@COMMON.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.970524225701.26959F-100000@phoenix.common.net>;
from Edward S. Marshall on Sat, May 24, 1997 at 11:41:24PM -0500
Quoting Edward S. Marshall (emarshal@COMMON.NET):
> Also, I've heard various reports of cfingerd having security problems in
> the past. Has anyone considered sitting down with it and doing a complete
> security audit? It's a nice tool to have, but if it's insecure, it
> presents a problem. I'm mainly concerned with buffer overruns and other
> similar problems, since it does require that you run it as root.
There's a patch on sunsite to make cfingerd not run as root; I haven't
tried it myself, so I don't know if it's any good. You might give it a
shot, though...
http://sunsite.unc.edu/pub/Linux/system/network/finger/
Mike Stone
