A vulnerability in Ffingerd version 1.19, the popular remote user-information server, which allows a remote user to determine whether or not a given username exists on the system.
Normally, if a user has declined to be open to finger requests, a finger attempt will elicit this response:
'That user does not want to be fingered'
However, if a remote user attempts to finger a nonexistent username, the attempt will return the default message:
'That user does not want to be fingered.'
The extra '.' at the end of the second message reveals that the message was generated as a result of an attempt to finger a nonexistent user, as opposed to one who simply does not wish to be fingered. As a result, an attacker familiar with the discrepancy between the two failure message strings will be able to test the validity of usernames. Having this information can assist an attacker in carrying other compromises of system security.
ffingerd contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a user creates a .nofinger file in his home directory to prevent finger attempts. This instructs ffingerd to return the message, "The user does not wish to be fingered," without a trailing period. This message is different from the message generated when a user does not exist at all, which does include the trailing period.
Upgrade to version 1.20 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: remove the world execute permissions from your home directory using chmod. See the chmod man page for details.