From owner-freebsd-bugs  Wed Oct 18 12:23:30 1995
Return-Path: owner-bugs
Received: (from root@localhost)
          by freefall.freebsd.org (8.6.12/8.6.6) id MAA18031
          for bugs-outgoing; Wed, 18 Oct 1995 12:23:30 -0700
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93])
          by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id MAA18021
          for <freebsd-bugs@freebsd.org>; Wed, 18 Oct 1995 12:23:23 -0700
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <17842(5)>; Wed, 18 Oct 1995 11:42:33 PDT
Received: from localhost by crevenia.parc.xerox.com with SMTP id <177487>; Wed, 18 Oct 1995 11:40:06 -0700
X-Mailer: exmh version 1.6.1 5/23/95
To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
cc: dv@xkis.nnov.su (Dmitry Valdov), freebsd-bugs@freebsd.org
Subject: Re: secure finger is not enought secure 
In-reply-to: Your message of "Sat, 14 Oct 95 10:56:45 PDT."
             <199510141756.SAA11380@uriah.heep.sax.de> 
Mime-Version: 1.0
Content-Type: multipart/mixed ;
	boundary="===_0_Wed_Oct_18_11:37:54_PDT_1995"
Date: Wed, 18 Oct 1995 11:39:56 PDT
From: Bill Fenner <fenner@parc.xerox.com>
Message-Id: <95Oct18.114006pdt.177487@crevenia.parc.xerox.com>
Sender: owner-bugs@freebsd.org
Precedence: bulk

This is a multipart MIME message.

--===_0_Wed_Oct_18_11:37:54_PDT_1995
Content-Type: text/plain; charset=us-ascii

In message <199510141756.SAA11380@uriah.heep.sax.de> J"org wrote:
>> merahq: {2} telnet localhost finger
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>
>This is an entirely different matter.  It's not the finger service as
>invoked via inetd(8).  If you've already got access to the local
>machine, it doesn't make sense if you couldn't run finger locally.

It is indeed the finger service as invoked via inetd, and although it was 
perhaps a bad example, it does indeed work remotely.

In fact, you can pass any options to finger, including getting the normal 
finger output:

crevenia% telnet baobab finger
Trying 13.2.116.113 ...
Connected to baobab.
Escape character is '^]'.
--
Login    Name                 TTY  Idle  Login Time   Office     Office Phone
fenner   Bill Fenner          *v1   13d  Oct  4 13:12
fenner   Bill Fenner           p0   13d  Oct  4 13:14
fenner   Bill Fenner           p1        Oct 10 13:23
root     Charlie Root         *v0   13d  Oct  4 13:11
Connection closed by foreign host.

The attached diff should fix it; this might perhaps want to be in 2.1 (or at 
least documented as insecure!).  It only counts things without leading dashes 
as usernames.

  Bill


--===_0_Wed_Oct_18_11:37:54_PDT_1995
Content-Type: text/plain; charset=us-ascii
Content-Description: fingerd.c.diff

--- fingerd.c.orig	Wed Oct 18 11:32:54 1995
+++ fingerd.c	Wed Oct 18 11:45:16 1995
@@ -67,7 +67,7 @@
 	register char *lp;
 	struct hostent *hp;
 	struct sockaddr_in sin;
-	int p[2], logging, secure, sval;
+	int p[2], logging, secure, sval, gotuser;
 #define	ENTRIES	50
 	char **ap, *av[ENTRIES + 1], **comp, line[1024], *prog;
 
@@ -107,13 +107,10 @@
 		exit(1);
 
 	comp = &av[1];
+	gotuser = 0;
 	for (lp = line, ap = &av[2];;) {
 		*ap = strtok(lp, " \t\r\n");
 		if (!*ap) {
-			if (secure && ap == &av[2]) {
-				puts("must provide username\r\n");
-				exit(1);
-			}
 			break;
 		}
 		if (secure && strchr(*ap, '@')) {
@@ -126,9 +123,17 @@
 			av[1] = "-l";
 			comp = &av[0];
 		}
-		else if (++ap == av + ENTRIES)
-			break;
+		else {
+			if ((*ap)[0] != '-')
+				gotuser++;
+			if (++ap == av + ENTRIES)
+				break;
+		}
 		lp = NULL;
+	}
+	if (secure && !gotuser) {
+		puts("must provide username\r\n");
+		exit(1);
 	}
 
 	if (lp = strrchr(prog, '/'))

--===_0_Wed_Oct_18_11:37:54_PDT_1995--