On Tue, Nov 20, 2001 at 11:23:26PM +0000, vuln-dev wrote:
> this weaknesses known to public sector (not disk sector hehehe) so problem
> may be fixed in reliable manner. We invent several fuzz testing tool for
> remote daemon and we thus are able to stress test application for security.
> GOBBLES LABS uses proprietary artificial intelligence tool to aid in
> enumeration of remote host banner and then able to identify flaw through new

Highly amusing. Really.

> program: Berkeley finger.cgi
> website: http://www.csua.berkeley.edu/cgi-bin/finger?source

First off, this is not the Berkeley fingerd. Period. What this ADVISORY
(tadaa) is about is some lame cgi script, and the script looks a lot like
the lame old finger.cgi that was shipped with the CERN httpd in the early
90s.

Boys, this bug is ancient. It's so old it even stopped smelling bad.

This doesn't mean though that whoever currently maintains the script has
a lot of security clue either. And no, it's not enough to just exclude
newlines either. Think $(...). Think - and @ which can be used in
finger -l and finger @. Sigh.

Olaf "I want a fuzz tool too" Kirch
-- 
Olaf Kirch         |  --- o ---  Nous sommes du soleil we love when we play
okirat_private     |   /  |  \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
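The point of the reply above is that stripping newlines from the user name is not a fix for a CGI wrapper around finger: the name can still carry shell substitution like $(...), a leading "-" that finger parses as an option (finger -l), or an "@" that turns the query into a remote one (finger @host). The following is an added example written for this archive page, not the finger.cgi script the post discusses and not code by its author; it shows the input handling a maintainer would want instead. It assumes a local finger binary on PATH; the user-name allowlist and length bound are the example's own choices, not limits taken from finger.

```python
"""Hardened input handling for a finger CGI wrapper (added example)."""
import re
import subprocess

# Allowlist for a plain local account name. It deliberately rejects:
#   '@'         finger would query a remote host (finger user@host)
#   leading '-' finger would parse the name as an option (finger -l)
#   whitespace and newlines, which the original script only partly strips
#   every shell metacharacter (; | & ` $ ( ) ...) that matters if the
#   name is ever interpolated into a shell command line
# The 32-character bound is an assumption of this example, not a finger limit.
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")


def is_safe_user(name: str) -> bool:
    """Return True only if *name* is a plain local user name."""
    return bool(_USER_RE.fullmatch(name))


def finger_argv(name: str) -> list:
    """Build the argv for finger, or raise ValueError on unsafe input.

    Passing an argv list (never shell=True) means $( ) ; | and friends are
    never seen by a shell at all; the allowlist above additionally keeps
    finger itself from seeing options or a remote host.
    """
    if not is_safe_user(name):
        raise ValueError("refusing to finger %r" % name)
    return ["finger", name]


def run_finger(name: str, timeout: float = 5.0) -> str:
    """Run finger for a validated user and return its standard output."""
    result = subprocess.run(finger_argv(name), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


# Constructed sample inputs modelled on the concerns raised in the post
# (True = should be accepted, False = should be refused).
SAMPLES = {
    "okir": True,
    "-l": False,                # option injection: finger -l
    "root@example.net": False,  # remote query: finger @host
    "okir\nroot": False,        # newline, the one thing the old script strips
    "$(id)": False,             # command substitution if a shell is involved
    "okir;id": False,           # command separator if a shell is involved
    "": False,                  # empty name would list everyone logged in
}


def check_samples() -> dict:
    """Map each sample to whether is_safe_user agrees with the expectation."""
    return {name: is_safe_user(name) == expected
            for name, expected in SAMPLES.items()}
```

The design choice worth noting is that the two layers are independent: the allowlist alone would still be fragile if the name reached a shell, and the argv list alone would still let a caller pass "-l" or "user@host" straight into finger. Both together cover the cases the reply lists.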
This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 08:26:27 PST