Alexander O. Yuriev
1997-May-26 11:06 UTC
FYI: Possible information disclosure in cfingerd.
Hi, This is FYI. Lets not start discussion on a topic of "my fingerd is better than yours". Alex ------- Forwarded Message Return-Path: owner-bugtraq@NETSPACE.ORG Message-ID: <199705240145.WAA11413@morcego.linkway.com.br> Date: Fri, 23 May 1997 22:45:04 -0300 Reply-To: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR> Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG> From: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR> Approved: alex@yuriev.com Subject: cfingerd vulnerability To: BUGTRAQ@NETSPACE.ORG Hello, i don''t know if it has been noticed before, but cfingerd installs, by default, a search service. You can use it as: finger search.username@host Thats ok, but you can use keymasks. And if you do: finger search.*@host you can get a list of all the users in the system. I''ve tried it if cfinger 1.2.2 (probably it is not the latest version). - -- Rodrigo Barbosa (Personal e-mail: rodrigob@darkover.org ) Network Administrator (Work e-mail : rodrigob@morcego.linkway.com.br ) PGP Key,HomePage address etc: finger rodrigob@morcego.linkway.com.br PGP Fingerprint: [ D9 15 02 9E 72 32 5A 0A AC F0 DA 11 6A 4C A3 12 ] --> Except where explicitly stated I speak on my own behalf. <-- ------- End of Forwarded Message
Ken Hollis
1997-May-26 23:15 UTC
Re: [linux-security] FYI: Possible information disclosure in cfingerd.
What this guy is failing to tell EVERYONE on these lists is this is not a security issue because you can turn this off. Since I am no longer working on cfingerd (and have yet to find a maintainer), I have no intention to fix the bug yet. I''ve got more important things to do. However, if you find search.**@host to be a problem, I recommend this to avoid confusion or complaints: TURN OFF SEARCHING. END OF STORY. Don''t bitch about it - just turn it off! Cfingerd only provided this to be semi-compliant with GNU Fingerd. I was tempted to remove it from cfingerd altogether, but if I did that, I''d get other people breathing down my neck to turn it back on. *sigh*. You can''t please everyone. So, if you don''t want it, TURN IT OFF and stop complaining! I''m tired of copying Bugtraq in on these ANCIENT problems! -- Ken Hollis --- ---------------------------------------------------------------------- | Ken T. Hollis || Autobahn Sys Admin || Freeware/GPL Hacker | | khollis@northwest.com || Webmaster/Hacker || Linux Net Junkie | ---------------------------------------------------------------------- ^_^ -_- ;o @_@ +_+ 6_6 ^_^! ;_; *^.^* q(^_^)p $_$ v_v o_O 9.97 p_q
Maybe Matching Threads
- SMB printing server problem... HELP ME !!!
- Uncontrolled disclosure of advisories XSA-26 to XSA-32
- Response to France Telecom disclosure
- two potentially troubling posts to full-disclosure
- [Bug 3196] New: [Information Disclosure] OpenSSH_7.4p1 Raspbian-10+deb9u7 discloses OS version