cfingerd vulnerability

Rodrigo Barbosa (rodrigob@MORCEGO.LINKWAY.COM.BR)
Fri, 23 May 1997 22:45:04 -0300

Hello,
i don't know if it has been noticed before, but cfingerd installs,
by default, a search service. You can use it as:

finger search.username@host

Thats ok, but you can use keymasks. And if you do:

finger search.*@host

you can get a list of all the users in the system.

I've tried it if cfinger 1.2.2 (probably it is not the latest version).

--
Rodrigo Barbosa       (Personal e-mail: rodrigob@darkover.org )
Network Administrator (Work e-mail    : rodrigob@morcego.linkway.com.br )
PGP Key,HomePage address etc: finger rodrigob@morcego.linkway.com.br
PGP Fingerprint: [ D9 15 02 9E 72 32 5A 0A  AC F0 DA 11 6A 4C A3 12 ]
   --> Except where explicitly stated I speak on my own behalf. <--