Re: BoS: cfingerd vulnerability


Robert Stone (rstone@accesscom.com)
Mon, 26 May 1997 11:37:01 -0700 (PDT)


On Fri, 23 May 1997, Rodrigo Barbosa wrote:

> Date: Fri, 23 May 1997 22:45:04 -0300
> From: Rodrigo Barbosa <rodrigob@MORCEGO.LINKWAY.COM.BR>
> To: best-of-security@suburbia.net
> Subject: BoS: cfingerd vulnerability
> Resent-Date: Sun, 25 May 1997 17:05:05 +1000 (EST)
> Resent-From: best-of-security@suburbia.net
>
>
> Hello,
> i don't know if it has been noticed before, but cfingerd installs,
> by default, a search service. You can use it as:
>
> finger search.username@host
>
> Thats ok, but you can use keymasks. And if you do:
>
> finger search.*@host
>
> you can get a list of all the users in the system.
>
> I've tried it if cfinger 1.2.2 (probably it is not the latest version).
>

version 1.3.2 does not allow "search.*@host", but a little thought
about regexps and "search..*@host" should do exactly the same thing on any
normal system and is allowed.

but the question remains... how do we turn it off?
                                                                -Robert



This archive was generated by hypermail 2.0b3 on Sun Aug 08 1999 - 10:47:54 CEST