fingerd allows third party fingers
Craig Leres
leres at ace.ee.lbl.gov
Thu Dec 15 08:37:40 AEST 1988
Description:
As distributed, fingerd allows third party fingers. This makes
it impossible for sites who wish to syslog remote finger
requests to log the original site.
Repeat-By:
Install site logging in fingerd and then do something like:
% finger @arpa@ucbvax
The target finger on arpa will look like it was done from
ucbvax instead of the machine the finger was run on.
Fix:
Don't allow third party fingers. (Obviously, this only keeps
your own systems from helping someone do a third party finger,
but it's a start.)
*** fingerd.c Wed Dec 14 14:07:32 1988
--- fingerd.c.new Wed Dec 14 14:29:23 1988
***************
*** 22,28 ****
#endif /* not lint */
#ifndef lint
! static char sccsid[] = "@(#)fingerd.c 5.4 (Berkeley) 11/23/88";
#endif /* not lint */
#include <stdio.h>
--- 22,28 ----
#endif /* not lint */
#ifndef lint
! static char sccsid[] = "@(#)fingerd.c 5.4++ (Berkeley) 11/23/88";
#endif /* not lint */
#include <stdio.h>
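Review bot: The sccsid change to "5.4++" hand-edits an SCCS-generated id string, so this local build can no longer be told apart from a later Berkeley revision by the id alone. A site-specific suffix after the Berkeley id (for example the site name) would mark the local modification without altering the upstream revision number.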
***************
*** 48,53 ****
--- 48,57 ----
if (!fgets(line, sizeof(line), stdin))
exit(1);
+
+ /* Don't allow third party fingers */
+ if (lp = (char *)index(line, '@'))
+ *lp = '\0';
av[0] = "finger";
for (lp = line, ap = &av[1];;) {
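Review bot: The added "if (lp = (char *)index(line, '@')) *lp = '\0';" silently truncates the request at the first '@' instead of refusing it, so "user@host" is answered as a local lookup of "user" and a bare "@host" is reduced to an empty request, with nothing telling the client that forwarding was declined. Since the stated goal is being able to log the original site, consider writing a short refusal to the client and exiting, and syslog the attempt with the peer address at this point. The assignment used as a condition should also get an extra pair of parentheses or an explicit comparison against NULL so it does not read as a mistyped ==.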
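The logging problem in the Description, as an added example that is not part of the original post or of fingerd.c: a request line is classified as local or as a forwarding request, and a log record is built that keeps the peer address beside the request. The function names, the record format and the sample requests are assumptions made for illustration.

```c
/* Added example: names below are hypothetical, not from fingerd.c. */
#include <stdio.h>
#include <string.h>

enum finger_verdict { FINGER_LOCAL, FINGER_FORWARD_REFUSED };

/* Strip the CR/LF terminator in place, then refuse any request that
 * contains '@' (a forwarding request) rather than truncating it. */
enum finger_verdict check_finger_request(char *line)
{
    line[strcspn(line, "\r\n")] = '\0';
    return strchr(line, '@') ? FINGER_FORWARD_REFUSED : FINGER_LOCAL;
}

/* Build one log record that keeps the peer address next to the request.
 * Non-printable bytes and '"' become '?' so a request cannot forge or
 * split log fields. Returns snprintf's result. */
int format_finger_log(char *out, size_t outlen, const char *peer,
                      const char *req, enum finger_verdict v)
{
    char safe[128];
    size_t i;

    for (i = 0; req[i] != '\0' && i < sizeof(safe) - 1; i++)
        safe[i] = (req[i] >= 0x20 && req[i] < 0x7f && req[i] != '"')
                      ? req[i] : '?';
    safe[i] = '\0';
    return snprintf(out, outlen, "fingerd: peer=%s action=%s request=\"%s\"",
                    peer,
                    v == FINGER_FORWARD_REFUSED ? "refused-forward" : "local",
                    safe);
}

int main(void)
{
    /* Constructed sample input; 192.0.2.10 is a documentation address.
     * A real daemon would take the peer from getpeername() on its socket
     * and pass the record to syslog() instead of printing it. */
    char reqs[][32] = { "leres\r\n", "@arpa\r\n", "user@arpa\r\n" };
    char rec[256];
    size_t i;

    for (i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        enum finger_verdict v = check_finger_request(reqs[i]);
        format_finger_log(rec, sizeof(rec), "192.0.2.10", reqs[i], v);
        puts(rec);
    }
    return 0;
}
```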