[12605] in bugtraq
Re: MacOS 9 and the MacOS Netware Client
daemon@ATHENA.MIT.EDU (deepquest@NETSCAPE.NET)
Tue Nov 16 12:42:39 1999
Message-Id: <19991115103821.8799.qmail@securityfocus.com>
Date: Mon, 15 Nov 1999 10:38:21 -0000
Reply-To: deepquest@NETSCAPE.NET
From: deepquest@NETSCAPE.NET
X-To: bugtraq@securityfocus.com
In-Reply-To: <s82ecc1c.041@internet.madriver.k12.oh.us>
MacOS 9 adds the ability to have multiple users on a single Macintosh. When it boots it will (if enabled) ask you to log in.
However, while logged in if you login to NDS, and select "Logout" from the Special menu, you will NOT be logged out of NDS. The tree in the menu bar will stay green, and you are still logged in. Any user can then log back in as themselves and use your login to NDS.
The workaround is simple enough, just make sure you log out of NDS and THEN out of MacOS. An alternative would be to simply restart the Mac instead of logging out.
I tested this on an iMac running MacOS 9 and the ProSoft client (version 5.12). I have not tested it on the Novell client (version 5.11), but since the clients are so similar I would assume the "bug" exists there too. (I don't consider this to be a full-blown bug since we're dealing with a new feature of the OS that didn't exist at the time the client was released. However, given the breathtaking speed that ProSoft moves at...)
--As far as I know this doesn't seems like being an MacOs issue, as described in original post, since NetWare Client 5.12 is not listed as builting feature ( see the inclued softwares or features listed in MacOs 9 http://www.apple.com/macos/pdf/MacOS9_DS-a.pdf) or even bunddled with MacOS 9.
Using any other network ressource via a software (mail client, telnet, ftp etc...) will log you out; during the loggout process an apple event is sent to the applications, and Prosoft netware client doesn't respond to the apple event asking to disconnect the ressouce.It's not MacOS fault but incompability in software to understant the event it's quiet different.New OS creates sometime incompabilities but who has to adapt to the situation: the OS or the application?
There's something I don't get on security focus vulnerabilities database despite all the great job that is done on this site.Why softwares having issues on MacOs are reported under "Apple" and not to the vendor itself? :-(
--->1999-11-14: MacOS9 NDS Client Inherited Login Vulnerability
-->1998-04-14: Microsoft Internet Explorer EMBED Vulnerability
-->1999-07-28: MacOS Internet Config Weak Password Encryption Vulnerability
-->1999-06-15: MS Outlook Express for MacOS "Change Current User" Vulnerability
Ubi solitudinem faciunt, pacem appellant