Bugtraq mailing list archives

Re: cfingerd vulnerability


From: leitner () MATH FU-BERLIN DE (Felix von Leitner)
Date: Mon, 26 May 1997 02:51:57 +0200


Thus spake Rodrigo Barbosa (rodrigob () MORCEGO LINKWAY COM BR):

Hello,
        I don't know if it has been noticed before, but cfingerd installs,
by default, a search service. You can use it as:

finger search.username@host

That's OK, but you can use keymasks. And if you do:

finger search.*@host

you can get a list of all the users in the system.

I've tried it in cfinger 1.2.2 (probably it is not the latest version).

May I point to my ffingerd which was written to get rid of this kind of
problem with finger daemons?

  ftp://ftp.fu-berlin.de/pub/unix/security/ffingerd/

Even comes with ./configure for easy installation.

Felix

--
Fire, water and government know nothing of mercy.
        --Albanian Proverb
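
One way to spot the wildcard search requests described in this thread from the server side, as an added example (not code from the post, cfingerd or ffingerd). The `(source, raw request)` event format, the sample events and the function names are assumptions; the handling of the request line follows RFC 1288.

```python
from collections import Counter

SEARCH_PREFIX = "search."  # search service name as shown in the post
WILDCARD = "*"             # keymask character as shown in the post


def classify(raw: bytes) -> str:
    """Classify one finger request line as the daemon receives it."""
    line = raw.decode("latin-1").rstrip("\r\n").strip()
    # RFC 1288 allows an optional "/W" (verbose) token before the user name.
    if line[:2].upper() == "/W" and (len(line) == 2 or line[2] == " "):
        line = line[2:].strip()
    if not line:
        return "list"  # empty query: list of logged-in users
    # Anything after "@" is a forwarding request to another host.
    user, _, hosts = line.partition("@")
    # Assumption: match the prefix case-insensitively so variants are not missed.
    if user.lower().startswith(SEARCH_PREFIX):
        mask = user[len(SEARCH_PREFIX):]
        return "enumeration" if WILDCARD in mask else "search"
    return "forward" if hosts else "user"


def enumeration_sources(events):
    """Count wildcard search requests per source address."""
    hits = Counter(src for src, raw in events if classify(raw) == "enumeration")
    return dict(hits)


# Constructed sample events (documentation address ranges), not real traffic.
SAMPLE = [
    ("192.0.2.10", b"alice\r\n"),
    ("192.0.2.77", b"search.*\r\n"),
    ("192.0.2.77", b"/W search.a*\r\n"),
    ("198.51.100.5", b"search.bob\r\n"),
    ("198.51.100.5", b"\r\n"),
]

if __name__ == "__main__":
    for src, count in enumeration_sources(SAMPLE).items():
        print(f"{src}: {count} wildcard search request(s)")
```
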


