Re: cfingerd 1.3.2


Andreas Bogk (andreas@ANDREAS.ORG)
Sat, 3 Jul 1999 17:19:41 -0400


"Larry W. Cashdollar" <lwcashd@BIW.COM> writes:

> An easy and quick patch for cfingerd 1.3.2, if you really need to run finger.

If you _really_ want to run finger without having to worry, you should
use dfingerd by David Lichteblau. It is modelled after ffingerd by
Felix von Leitner.

The ffingerd blurb says:

 It disallows symbolic links as ~/.plan and ~/.project files, does not
 display unnecessary but potentially useful information for an attacker,
 like the shell or the home directory and disallows indirect and @host
 queries. A compile time option is fascist logging (even positive queries
 are syslogged).

You can get ffingerd at

 ftp://ftp.fu-berlin.de/pub/unix/security/ffingerd/ffingerd-1.21.tar.gz

dfingerd has an identical feature set, but is written in Dylan. Since
amongst the many features of Dylan are bounds checking for arrays and
dynamically growing strings, this should eliminate all buffer
overflows and associated exploits. You can find out about Dylan at:

 http://www.gwydiondylan.org/

and you can get dfingerd at

 ftp://berlin.ccc.de/pub/gd/contributions/dfingerd-0.2.tar.gz

Andreas

--
"We show that all proposed quantum bit commitment schemes are insecure because
the sender, Alice, can almost always cheat successfully by using an
Einstein-Podolsky-Rosen type of attack and delaying her measurement until she
opens her commitment." ( http://xxx.lanl.gov/abs/quant-ph/9603004 )
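
Two of the checks named in the ffingerd blurb above (no symbolic links as ~/.plan or ~/.project, no @host queries), written out in C as an added example; it is not code from ffingerd, dfingerd or this post. The function names, the 32-byte name buffer, the login-name alphabet, the refusal of empty queries and the use of O_NOFOLLOW are assumptions of the example.

```c
/* Added example: not taken from ffingerd or dfingerd; names and limits are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy a finger request line into user[] if it names exactly one local
 * account. Returns 0 on success, -1 if the query must be refused. */
int parse_query(const char *line, char *user, size_t cap)
{
    size_t n = strcspn(line, "\r\n");        /* request ends at CRLF */
    if (n == 0 || n >= cap)                  /* empty query, or too long for user[] */
        return -1;
    for (size_t i = 0; i < n; i++) {
        char c = line[i];
        /* '@' (an @host query) fails here, as does any other byte
         * outside the assumed login-name alphabet. */
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return -1;
    }
    memcpy(user, line, n);                   /* n < cap, so the NUL fits */
    user[n] = '\0';
    return 0;
}

/* Open a ~/.plan or ~/.project file read-only, refusing symbolic links.
 * Returns a descriptor or -1. O_NOFOLLOW covers only the last path component. */
int open_plan(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                           /* a symlink fails with ELOOP */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                           /* FIFO, device or directory */
        return -1;
    }
    return fd;
}

int main(void)
{
    char user[32];                           /* constructed sample requests */
    printf("%d %d\n", parse_query("alice\r\n", user, sizeof user),
           parse_query("alice@other.example\r\n", user, sizeof user));
    return 0;
}
```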



This archive was generated by hypermail 2.0b3 on Sun Aug 08 1999 - 09:38:43 CEST