CVE-ID | ||
---|---|---|
CVE-1999-0492 |
Description | ||
ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses. | ||
Assigning CNA | ||
MITRE Corporation | ||
Date Record Created | ||
19990607 | Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | |
Phase (Legacy) | ||
Proposed (19990726) | ||
Votes (Legacy) | ||
ACCEPT(3) Armstrong, Collins, Northcutt

MODIFY(4) Baker, Blake, Frech, Shostack

NOOP(4) Christey, Cole, Landfield, Wall

REVIEWING(1) Ozancin
Comments (Legacy) | ||
Shostack> isn't that what finger is supposed to do?

Landfield> Maybe we need a new category of "unsafe system utilities and protocols"

Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid usernames on the target system based on its responses to finger queries.

Christey> CHANGEREF BUGTRAQ [canonicalize]
BUGTRAQ:19990423 Ffingerd privacy issues
http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2

Here's the nature of the problem.

(1) FFingerd allows users to decide not to be fingered, printing a message "That user does not want to be fingered"

(2) If the fingered user does not exist, then FFingerd's intended default is to print that the user does not want to be fingered; however, the error message has a period at the end.

Thus, ffingerd can allow someone to determine who valid users on the server are, *in spite of* the intended functionality of ffingerd itself. Thus this exposure should be viewed in light of the intended functionality of the application, as opposed to the common usage of the finger protocol in general.

Also, the vendor posted a followup and said that a patch was available. See:
http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2

Baker> Vulnerability Reference (HTML): http://www.securityfocus.com/archive/1/13422
Reference Type: Misc Defensive Info

CHANGE> [Frech changed vote from REVIEWING to MODIFY]

Frech> XF:ffinger-user-info(5393)
Proposed (Legacy) | ||
19990726 | ||
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities. | ||