Subject: Re: cvs commit: src/usr.bin/finger finger.c
From: The Unicorn (unicorn@blackhats.org)
Date: Tue Oct 03 2000 - 02:30:03 CDT
- Next message: Paul Richards: "Re: cvs commit: src/usr.bin/finger finger.c"
- Previous message: Wes Peters: "Re: sysinstall DOESN'T ASK, dangerous defaults!"
- In reply to: Joseph Scott: "Re: cvs commit: src/usr.bin/finger finger.c"
- Next in thread: Brian Somers: "Re: cvs commit: src/usr.bin/finger finger.c"
- Reply: The Unicorn: "Re: cvs commit: src/usr.bin/finger finger.c"
On Mon, 02 Oct 2000, Joseph Scott supposedly wrote:
>
> Brian Somers wrote:
> >
> > brian 2000/10/02 15:27:34 PDT
> >
> > Modified files:
> > usr.bin/finger finger.c
> > Log:
> > Don't allow finger /somefile, only allow filename expansions from
> > inside /etc/finger.conf
>
> This is one of those things that makes me go ack! So I started
> trying on a couple of my machines here. I tried it first against my
> own notebook running 4.1. It worked just as expected when run up
> against /etc/passwd@localhost. It did not work against a 3.4 machine
> from notebook though. I haven't looked too much closer at that part,
> but it seems to point to this "feature" being added somewhere between
> Jan 27 and Sep 14 (about the last world builds for these two
> machines).
I found the following:
[root@me]:.../home/unicorn(2435)# finger /etc/passwd@localhost
[localhost]
finger: /etc/passwd: no such user
[root@me]:.../home/unicorn(2436)# uname -a
FreeBSD me.xxx.org 4.0-STABLE FreeBSD 4.0-STABLE #0: Fri Jun 2 02:42:57 CEST 2000 root@me.xxx.org:/usr/src/sys/compile/ME i386
> Another thing I've noticed, it looks like it only works against world
> readable files. So some couldn't do a finger
> /etc/master.passwd@goodguysrus.com and expect something back. There
> are of course plenty of world readable files on a system that I
> wouldn't really want everyone and their fish to look at :-(
>
> I'm not a fan of finger in general, turning off inetd entirely is
> part of a normal install for me.
>
> --
> Joseph Scott
> joseph.scott@owp.csus.edu
> The Office Of Water Programs - CSU Sacramento
--- End of Quoted Text ---
Ciao,
Unicorn.
--
======= _ __,;;;/ TimeWaster ================================================
,;( )_, )~\| A Truly Wise Man Never Plays PGP: 64 07 5D 4C 3F 81 22 73
;; // `--; Leapfrog With A Unicorn... 52 9D 87 08 51 AA 35 F0
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======
Echelon Teasers: NSA CIA FBI Mossad BVD MI5 Cocaine Cuba Revolution Espionage