Re: Security hole in cfingerd 1.4.2


Subject: Re: Security hole in cfingerd 1.4.2
From: Martin Schulze (joey)
Date: Thu May 04 2000 - 23:35:19 CEST


Peter Todd wrote:
> You can find out stuff about the file structure of a cfingerd running
> system by passing * and ? as fake_user arguments. For instance if you
> use the ping fake user script in the examples you can check if /tmp
> exists by running finger "ping./tm?@somesite" If /tmp exists ping will
> say "Performing a ping to /tmp" if not it will say "Performing a ping
> to /tm?"
>
> You don't seem to escape * and ? in the safe_exec() code. I would have
> made a patch myself but I didn't know what repercussions that would
> have...

diff -u or diff -NuR would be fine.

A patch is appreciated.

Regards,

        Joey

-- 
GNU GPL: "The source will be with you... always."



This archive was generated by hypermail 2b25 : Thu May 04 2000 - 23:35:21 CEST