CVE-ID

CVE-1999-0492

Description
ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Record Created
19990607
Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (19990726)
Votes (Legacy)
ACCEPT(3) Armstrong, Collins, Northcutt
MODIFY(4) Baker, Blake, Frech, Shostack
NOOP(4) Christey, Cole, Landfield, Wall
REVIEWING(1) Ozancin
Comments (Legacy)
 Shostack> isn't that what finger is supposed to do?
 Landfield> Maybe we need a new category of "unsafe system utilities and protocols"
 Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid
   usernames on the target system based on its responses to finger queries.
 Christey> CHANGEREF BUGTRAQ [canonicalize]
   BUGTRAQ:19990423 Ffingerd privacy issues
   http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2
   
   Here's the nature of the problem.
   (1) FFingerd allows users to decide not to be fingered,
   printing a message "That user does not want to be fingered"
   (2) If the fingered user does not exist, then FFingerd's
   intended default is to print that the user does not
   want to be fingered; however, the error message has a
   period at the end.
   Thus, ffingerd can allow someone to determine who valid users
   on the server are, *in spite of* the intended functionality of
   ffingerd itself.  Thus this exposure should be viewed in light
   of the intended functionality of the application, as opposed
   to the common usage of the finger protocol in general.
   
   Also, the vendor posted a followup and said that a patch was
   available.  See:
   http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2
 Baker> Vulnerability Reference (HTML)	Reference Type
   http://www.securityfocus.com/archive/1/13422	Misc Defensive Info
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ffinger-user-info(5393)

Proposed (Legacy)
19990726
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.