Date: Fri, 6 Oct 2000 18:34:56 -0700
From: Alfred Perlstein <bright@wintelcom.net>
To: Matt Rudderham <matt@researcher.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Finger Daemon Security
Message-ID: <20001006183456.K272@fw.wintelcom.net>
In-Reply-To: <NDBBLEKOOLGIBFPGLFEKAEKICEAA.matt@researcher.com>; from matt@researcher.com on Fri, Oct 06, 2000 at 10:19:36PM -0300
References: <NDBBLEKOOLGIBFPGLFEKAEKICEAA.matt@researcher.com>

* Matt Rudderham <matt@researcher.com> [001006 18:21] wrote:
> Hi All,
> I've read a lot of things about hackers using buffer overflows and the like
> to exploit the finger daemon, although whenever I see any details of it, it
> always appears to be older versions. I was wondering what the general consensus
> is around here on whether or not finger recent FreeBSD versions(3.x+) are
> inherently evil:)

It is inherently evil, there's really no use, if a domain allows
finger info then it most likely allows http://whatever.com/~username,
http can provide more info and therefore finger is practically useless
except as a means to leak privileged information such as other hosts
the user has logged in from, leaving a nifty breadcrumb trail for
hackers to compromise/attack other hosts the user uses.

Don't weigh cuteness over security, security is always more important.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001006183456.K272>