Subject: Security hole in cfingerd 1.4.2
From: Peter Todd (pete@home.com)
Date: Thu May 04 2000 - 23:31:06 CEST
You can find out stuff about the file structure of a cfingerd running
system by passing * and ? as fake_user arguments. For instance if you
use the ping fake user script in the examples you can check if /tmp
exists by running finger "ping./tm?@somesite" If /tmp exists ping will
say "Performing a ping to /tmp" if not it will say "Performing a ping
to /tm?"
You don't seem to escape * and ? in the safe_exec() code. I would have
made a patch myself but I didn't know what repercussions that would
have...
Another problem is the ping and trace fake user scripts don't seem to
work when you supply a empty argument to them. For instance finger
ping.@somesite makes ping and trace output some binary junk.
-- retep@penguinpowered.com http://retep.tripod.com
This archive was generated by hypermail 2b25 : Thu May 04 2000 - 23:32:46 CEST