From owner-freebsd-security  Mon Jan  1 11:31:10 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id LAA04040
          for security-outgoing; Mon, 1 Jan 1996 11:31:10 -0800 (PST)
Received: from flinch.io.org (flinch.io.org [198.133.36.153])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA04021
          Mon, 1 Jan 1996 11:31:04 -0800 (PST)
Received: (from taob@localhost) by flinch.io.org (8.6.12/8.6.12) id OAA05094; Mon, 1 Jan 1996 14:28:18 -0500
Date: Mon, 1 Jan 1996 14:28:18 -0500 (EST)
From: Brian Tao <taob@io.org>
X-Sender: taob@flinch
To: Dmitry Valdov <dv@xkis.nnov.su>
cc: freebsd-bugs@freebsd.org,
        FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject: Re: secure finger is not enought secure
In-Reply-To: <199510141928.WAA22224@xkis.nnov.su>
Message-ID: <Pine.BSF.3.91.960101142506.646J-100000@flinch>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Sat, 14 Oct 1995, Dmitry Valdov wrote:
> 
> ok. Try to telnet <any_freebsd_host> finger_port_number
> after connect, type '-l' (without quotes). And u'll see finger information 
> of all users currently logged in.

    Just to bring this one up again... this behavior is still here
with 2.1.0-RELEASE:

zap% telnet zip finger
Trying 198.133.36.80...
Connected to zip.io.org.
Escape character is '^]'.
-l
Login: bo                               Name: John Ericson
Directory: /u/bo/bo                     Shell: /bin/tcsh
On since Mon Jan  1 14:08 (EST) on ttypk (messages off) from wink
No Mail.
No Plan.
[etc].

    Both zip and zap are 2.1.0-RELEASE systems:

FreeBSD zip.io.org 2.1.0-RELEASE FreeBSD 2.1.0-RELEASE #0: Sat Dec 30 14:19:27 EST 1995     taob@flinch.io.org:/src/2.1.0-RELEASE/sys/compile/ZIP  i386

--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"