CVE

Id
490
CVE No.
CVE-1999-0492
Status
Candidate
Description
ffingerd 1.19 allows remote attackers to identify valid users on the target system based on differences in its responses.
Phase
Proposed (19990726)
Votes
ACCEPT(3) Armstrong, Collins, Northcutt
MODIFY(4) Baker, Blake, Frech, Shostack
NOOP(4) Christey, Cole, Landfield, Wall
REVIEWING(1) Ozancin
Comments
Shostack> Isn't that what finger is supposed to do?
Landfield> Maybe we need a new category of "unsafe system utilities and protocols"
Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid usernames on the target system based on its responses to finger queries.
Christey> CHANGEREF BUGTRAQ [canonicalize]
  BUGTRAQ:19990423 Ffingerd privacy issues
  http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2

  Here's the nature of the problem.
  (1) FFingerd allows users to decide not to be fingered, printing a message "That user does not want to be fingered"
  (2) If the fingered user does not exist, then FFingerd's intended default is to print that the user does not want to be fingered; however, the error message has a period at the end.
  Thus, ffingerd can allow someone to determine who valid users on the server are, *in spite of* the intended functionality of ffingerd itself. Thus this exposure should be viewed in light of the intended functionality of the application, as opposed to the common usage of the finger protocol in general.

  Also, the vendor posted a followup and said that a patch was available. See:
  http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2
Baker> Vulnerability Reference (HTML): http://www.securityfocus.com/archive/1/13422
  Reference Type: Misc Defensive Info
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ffinger-user-info(5393)