Date: Fri, 6 Oct 2000 18:34:56 -0700
From: Alfred Perlstein
To: Matt Rudderham
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Finger Daemon Security
Message-ID: <20001006183456.K272@fw.wintelcom.net>

* Matt Rudderham [001006 18:21] wrote:
> Hi All,
> I've read a lot of things about hackers using buffer overflows and the like
> to exploit the finger daemon, although whenever I see any details of it, it
> always appears to be older versions. I was wondering what the general consensus
> is around here on whether or not finger in recent FreeBSD versions (3.x+) is
> inherently evil :)

It is inherently evil, there's really no use, if a domain allows
finger info then it most likely allows http://whatever.com/~username,
http can provide more info and therefore finger is practically useless
except as a means to leak privileged information such as other hosts
the user has logged in from, leaving a nifty breadcrumb trail for
hackers to compromise/attack other hosts the user uses.

Don't weigh cuteness over security, security is always more important.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
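An added example, not part of the original message: a small audit that reports whether a finger service is still enabled on a host. It assumes fingerd is started from inetd and configured in an inetd.conf-style file (neither is stated in the thread); the function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: find active finger entries in an inetd.conf-style file.
# Assumed field layout: service socket-type protocol wait user program args

# Print every uncommented line whose service field is "finger".
# Exit status: 0 if at least one active entry exists, 1 if none.
finger_active_entries() {
    awk '
        /^[[:space:]]*#/ { next }              # commented-out service
        /^[[:space:]]*$/ { next }              # blank line
        $1 == "finger"   { print; found = 1 }  # active finger entry
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Report the result for one file.
# Exit status: 1 if finger is enabled (finding), 0 if it is disabled.
audit_inetd() {
    conf=$1
    if entries=$(finger_active_entries "$conf"); then
        printf 'finger is ENABLED in %s:\n%s\n' "$conf" "$entries"
        return 1
    fi
    printf 'finger is disabled in %s\n' "$conf"
    return 0
}

# Constructed sample configuration: one active and one commented-out
# finger entry, plus an unrelated commented-out service.
make_sample() {
cat <<'EOF'
#ftp    stream  tcp   nowait       root    /usr/libexec/ftpd     ftpd -l
finger  stream  tcp   nowait/3/10  nobody  /usr/libexec/fingerd  fingerd -s
#finger stream  tcp6  nowait/3/10  nobody  /usr/libexec/fingerd  fingerd -s
EOF
}

# Audit a real file when a path is given, e.g.: sh audit.sh /etc/inetd.conf
if [ $# -gt 0 ]; then audit_inetd "$1"; fi
```

Commenting out the reported line and signalling inetd to re-read its configuration disables the service.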