PROPOSAL: Cluster 24 - FINGER (6 candidates)
The following candidates all deal with bugs in the finger service. If running finger is not a vulnerability, what if finger has a bug? If the bug causes a denial of service or other problem outside the scope of finger itself, then that's a CVE vulnerability based on other portions of the definition. But what if the bug just releases more user information than it should have? In this case, I argue that these are vulnerabilities, since the finger application in question does *not* work as intended.

- Steve

Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

=================================
Candidate: CAN-1999-0105
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

finger allows recursive searches by using a long string of @ symbols.

VOTE:

=================================
Candidate: CAN-1999-0106
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

Finger redirection allows finger bombs.

VOTE:

=================================
Candidate: CAN-1999-0197
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

finger 0@host on some systems may print information on some user accounts.

VOTE:

=================================
Candidate: CAN-1999-0198
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

finger .@host on some systems may print information on some user accounts.

VOTE:

=================================
Candidate: CAN-1999-0259
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

cfingerd lists all users on a system via search.**@target.

VOTE:

=================================
Candidate: CAN-1999-0492
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr23,1999

The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.

VOTE: