On Thu May 16 21:37:38 1996 Ed Arnold wrote:

>>andy@fred.net said:
>
>> Just messing around I picked up a couple "logic flaws" with sun 4.1.4
>> fingerd. This may happen on 4.1.X, but I haven't tested, and I am not
>> motivated enough to check :>
>>
>> I know I have seen it written up someplace about the flaw when
>> finger 0@XXX.com is done. (It shows a finger output on every user, which
>> as we know, can be a very useful tool to those with bad intentions)
>>
>> Thus, we just added a user 0 (zero). Problem fixed.
>>
>> Anyway, I have found that fingering .@XXX.com also yields the same result.
>
>just fyi, in case you hadn't tried it ... tcpd does a nice job of
>stopping this nonsense.

We use tcpd (tcp-wrappers) to block outside finger connections on a
machine, but I tested it by going to a machine that didn't have wrappers
installed and was able to use the above concatenation
(user@hidden@free.machine) to look at the users online. So I still have to
modify the source for the fingers on any machine that won't run wrappers
(like IRIX).

------------------------------------------------------------------------------
Patrick Ferguson - Systems Administrator                     patrick@dmv.com
DelMarVa OnLine! - Salisbury, MD
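
Added example, not part of the original post and not any vendor's fingerd code: a request filter of the kind the reply's last sentence calls for, meant to sit in front of a finger daemon's lookup code. The function name, the length limit and the allow-list policy (exactly one name, starting with a letter or underscore) are assumptions of this example; it refuses the `0`, `.` and `user@host@host` requests discussed in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER 32   /* assumed username length limit for this example */

/* Return 1 if the request line names exactly one plausible local user,
 * 0 if it should be refused before it reaches the real lookup code. */
int finger_query_allowed(const char *line)
{
    char buf[128];
    size_t n = strcspn(line, "\r\n");       /* request ends at CR/LF */
    char *tok, *user = NULL;

    if (n >= sizeof buf)
        return 0;                           /* oversized request */
    memcpy(buf, line, n);
    buf[n] = '\0';

    for (tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        if (strcmp(tok, "/W") == 0)
            continue;                       /* verbose switch only */
        if (user != NULL)
            return 0;                       /* more than one name */
        user = tok;
    }
    if (user == NULL)
        return 0;                           /* empty query lists everyone */
    if (strchr(user, '@') != NULL)
        return 0;                           /* user@host[@host]: forwarding */
    if (!isalpha((unsigned char)user[0]) && user[0] != '_')
        return 0;                           /* refuses "0" and "." */
    if (strlen(user) > MAX_USER)
        return 0;
    for (; *user != '\0'; user++)
        if (!isalnum((unsigned char)*user) && strchr("_-.", *user) == NULL)
            return 0;                       /* unexpected character */
    return 1;
}

int main(void)
{
    /* Constructed sample requests, including the three from the thread. */
    const char *q[] = { "patrick", "/W patrick", "0", ".",
                        "user@hidden@free.machine", "" };
    for (size_t i = 0; i < sizeof q / sizeof q[0]; i++)
        printf("%-26s %s\n", q[i], finger_query_allowed(q[i]) ? "allow" : "refuse");
    return 0;
}
```

Because the check is an allow-list on the name itself, it does not depend on a placeholder account such as the "user 0" workaround mentioned in the quoted message.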