Re: cfingerd vulnerability

Felix von Leitner (leitner@MATH.FU-BERLIN.DE)
Mon, 26 May 1997 02:51:57 +0200

Thus spake Rodrigo Barbosa (rodrigob@MORCEGO.LINKWAY.COM.BR):

> Hello,
> i don't know if it has been noticed before, but cfingerd installs,
> by default, a search service. You can use it as:
>
> finger search.username@host
>
> Thats ok, but you can use keymasks. And if you do:
>
> finger search.*@host
>
> you can get a list of all the users in the system.
>
> I've tried it if cfinger 1.2.2 (probably it is not the latest version).

May I point to my ffingerd which was written to get rid of this kind of
problem with finger daemons?

ftp://ftp.fu-berlin.de/pub/unix/security/ffingerd/

Even comes with ./configure for easy installation.

Felix

--
Fire, water and government know nothing of mercy.
        --Albanian Proverb