| VID | 15001 |
| Severity | 30 |
| Port | 79 |
| Protocol | TCP |
| Class | FINGER |
| Detailed Description | A bug in the remote cfinger daemon allows anyone to obtain the list of users on this system by issuing the command `finger search.**@victim`. This information is of great interest to crackers: once they know the list of user names, they only have to brute-force the passwords through another service (telnet, ftp, ...) to get in. Reference: http://archives.neohapsis.com/archives/bugtraq/1997_2/0328.html |
| Recommendation | Use another finger daemon, or disable the finger service (comment out the "finger" line in /etc/inetd.conf and restart the inetd daemon). Solaris 10, Solaris 11: `# svcadm disable svc:/network/finger:default`. Enterprise Linux 6.4, CentOS 6.4, Fedora 19: open /etc/xinetd.d/finger, set disable=yes, and then restart xinetd. |
| Related URL | CVE-1999-0259 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | 1811 (ISS) |
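
One way to verify the Recommendation was applied, as an added example that is not part of the original entry: the script checks an inetd.conf-style file for an active "finger" line and an xinetd service file for `disable = yes`. The sample files, their contents and the `/usr/sbin/cfingerd` path are constructed for the demonstration; the Solaris `svcadm` case is not covered.

```shell
#!/bin/sh
# Added example: check whether finger is still enabled via inetd or xinetd.

# Succeeds if FILE contains an active (uncommented) "finger" service line.
inetd_finger_enabled() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*finger[[:space:]]' "$1"
}

# Succeeds if the xinetd service FILE exists and lacks "disable = yes".
# Assumption: xinetd runs a service unless that attribute is set to yes.
xinetd_finger_enabled() {
    [ -r "$1" ] || return 1
    ! grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Report findings for both files; returns 1 if either still enables finger.
audit_finger() {
    status=0
    if inetd_finger_enabled "$1"; then
        echo "FAIL: active finger line in $1"; status=1
    fi
    if xinetd_finger_enabled "$2"; then
        echo "FAIL: finger not disabled in $2"; status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK: finger not enabled in $1 or $2"; fi
    return "$status"
}

# Constructed sample files (not from a real host); removed when the script exits.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd' \
    'finger stream tcp nowait root /usr/sbin/cfingerd cfingerd' > "$demo/inetd.before"
printf '%s\n' 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd' \
    '#finger stream tcp nowait root /usr/sbin/cfingerd cfingerd' > "$demo/inetd.after"
printf '%s\n' 'service finger' '{' '    disable = no' \
    '    server = /usr/sbin/cfingerd' '}' > "$demo/xinetd.before"
printf '%s\n' 'service finger' '{' '    disable = yes' \
    '    server = /usr/sbin/cfingerd' '}' > "$demo/xinetd.after"

audit_finger "$demo/inetd.before" "$demo/xinetd.before" || true
audit_finger "$demo/inetd.after" "$demo/xinetd.after"
```

On a real host, call `audit_finger /etc/inetd.conf /etc/xinetd.d/finger`; a missing file is treated as "not enabled through that mechanism".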