[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PROPOSAL: Cluster 24 - FINGER (6 candidates)



The following candidates all deal with bugs in the finger service.  If
running finger is not a vulnerability, what if finger has a bug?  If
the bug causes a denial of service or other problem outside the scope
of finger itself, then that's a CVE vulnerability based on other
portions of the definition.

But what if the bug just releases more user information than it should
have?  In this case, I argue that these are vulnerabilities, since the
finger application in question does *not* work as intended.

- Steve



Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ".  If you
want to add comments or details, add them to lines after the VOTE: line.


=================================
Candidate: CAN-1999-0105
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

finger allows recursive searches by using a long string of @ symbols.

VOTE:

=================================
Candidate: CAN-1999-0106
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

Finger redirection allows finger bombs.

VOTE:

=================================
Candidate: CAN-1999-0197
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

finger 0@host on some systems may print information on some user accounts.

VOTE:

=================================
Candidate: CAN-1999-0198
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

finger .@host on some systems may print information on some user accounts.

VOTE:

=================================
Candidate: CAN-1999-0259
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

cfingerd lists all users on a system via search.**@target.

VOTE:

=================================
Candidate: CAN-1999-0492
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr23,1999

The ffingerd 1.19 allows remote attackers to identify users on the
target system based on its responses.

VOTE:

 
Page Last Updated: May 22, 2007