Alexander O. Yuriev
1997-May-26 11:06 UTC
FYI: Possible information disclosure in cfingerd.
Hi,
This is FYI. Lets not start discussion on a topic of "my fingerd is
better than yours".
Alex
------- Forwarded Message
Return-Path: owner-bugtraq@NETSPACE.ORG
Message-ID: <199705240145.WAA11413@morcego.linkway.com.br>
Date: Fri, 23 May 1997 22:45:04 -0300
Reply-To: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR>
Approved: alex@yuriev.com
Subject: cfingerd vulnerability
To: BUGTRAQ@NETSPACE.ORG
Hello,
i don''t know if it has been noticed before, but cfingerd
installs,
by default, a search service. You can use it as:
finger search.username@host
Thats ok, but you can use keymasks. And if you do:
finger search.*@host
you can get a list of all the users in the system.
I''ve tried it if cfinger 1.2.2 (probably it is not the latest version).
- --
Rodrigo Barbosa (Personal e-mail: rodrigob@darkover.org )
Network Administrator (Work e-mail : rodrigob@morcego.linkway.com.br )
PGP Key,HomePage address etc: finger rodrigob@morcego.linkway.com.br
PGP Fingerprint: [ D9 15 02 9E 72 32 5A 0A AC F0 DA 11 6A 4C A3 12 ]
--> Except where explicitly stated I speak on my own behalf. <--
------- End of Forwarded Message
Ken Hollis
1997-May-26 23:15 UTC
Re: [linux-security] FYI: Possible information disclosure in cfingerd.
What this guy is failing to tell EVERYONE on these lists is this is not a
security issue because you can turn this off.
Since I am no longer working on cfingerd (and have yet to find a
maintainer), I have no intention to fix the bug yet. I''ve got more
important things to do. However, if you find search.**@host to be a
problem, I recommend this to avoid confusion or complaints:
TURN OFF SEARCHING. END OF STORY.
Don''t bitch about it - just turn it off! Cfingerd only provided this
to
be semi-compliant with GNU Fingerd. I was tempted to remove it from
cfingerd altogether, but if I did that, I''d get other people breathing
down my neck to turn it back on.
*sigh*. You can''t please everyone. So, if you don''t want it,
TURN IT OFF
and stop complaining! I''m tired of copying Bugtraq in on these ANCIENT
problems!
-- Ken Hollis
---
----------------------------------------------------------------------
| Ken T. Hollis || Autobahn Sys Admin || Freeware/GPL Hacker |
| khollis@northwest.com || Webmaster/Hacker || Linux Net Junkie |
----------------------------------------------------------------------
^_^ -_- ;o @_@ +_+ 6_6 ^_^! ;_; *^.^* q(^_^)p $_$ v_v o_O 9.97 p_q
Seemingly Similar Threads
- SMB printing server problem... HELP ME !!!
- Uncontrolled disclosure of advisories XSA-26 to XSA-32
- Response to France Telecom disclosure
- two potentially troubling posts to full-disclosure
- [Bug 3196] New: [Information Disclosure] OpenSSH_7.4p1 Raspbian-10+deb9u7 discloses OS version