[2542] in bugtraq
Re: SunOS 4.1.4 fingerd
daemon@ATHENA.MIT.EDU (Ed Arnold)
Thu May 16 17:34:28 1996
Date: Thu, 16 May 1996 15:00:56 -0600
Reply-To: Ed Arnold <era@ucar.edu>
From: Ed Arnold <era@ucar.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.SUN.3.91.960516152244.20742A-100000@bigdog.fred.net> from
"Andy Dills" at May 16, 96 03:29:50 pm
andy@fred.net said:
> Just messing around I picked up a couple "logic flaws" with sun 4.1.4
> fingerd. This may happen on 4.1.X, but I haven't tested, and I am not
> motivated enough to check :>
>
> I know I have seen it written up someplace about the flaw when
> finger 0@XXX.com is done. (It shows a finger output on every user, which
> as we know, can be a very useful tool to those with bad intentions)
>
> Thus, we just added a user 0 (zero). Problem fixed.
>
> Anyway, I have found that fingering .@XXX.com also yields the same result.
just fyi, in case you hadn't tried it ... tcpd does a nice job of
stopping this nonsense.