[12871] in bugtraq


Re: gdm thing

daemon@ATHENA.MIT.EDU (Martin K. Petersen)
Tue Dec 7 12:14:17 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <yq1aennx2td.fsf@jaguar.socsci.auc.dk>
Date:         Mon, 6 Dec 1999 20:54:38 +0100
Reply-To: "Martin K. Petersen" <mkp@SUNSITE.AUC.DK>
From: "Martin K. Petersen" <mkp@SUNSITE.AUC.DK>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Kermit the Frog's message of "Sun, 5 Dec 1999 23:44:18 -0300"

>>>>> "Kermit" == Kermit the Frog <kermit@TOWER.COM.AR> writes:

Kermit> Hello! while trying this new soft to replace the ``old'' xdm,
Kermit> I found out that if a wrong passwd is supplied, gdm will
Kermit> answer with an ``incorrect password'' message. So I tried to
Kermit> log in as an inexistent user ... the result was "user
Kermit> unknown". The vulnerability seems trivial to me.

Kermit> The version tested was gdm-2.0beta4.

You can disable this by setting VerboseAuth=0 in the [Security]
section in gdm.conf.

See the GDM manual for details.

--
Martin Kasper Petersen			BOFH, IC1&2, Aalborg University, DK
mailto:mkp@SunSITE.auc.dk		http://SunSITE.auc.dk/~mkp/
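
A configuration check for the setting named in the reply above, as an added example that is not part of the original message or of GDM itself. The sample gdm.conf contents are constructed, and accepting false/no/off as equivalents of 0 is an assumption; a key placed outside [Security] is reported as unset, because the reply names that section specifically.

```python
import configparser

# Values treated as "disabled". The message shows VerboseAuth=0; accepting
# false/no/off as well is an assumption of this example.
DISABLED = {"0", "false", "no", "off"}


def verbose_auth_status(conf_text):
    """Return 'disabled', 'enabled' or 'unset' for [Security] VerboseAuth."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(conf_text)
    for section in parser.sections():
        # Only the [Security] section counts; match its name case-insensitively.
        if section.lower() != "security":
            continue
        for key, value in parser.items(section):
            if key.lower() == "verboseauth":
                if value.strip().lower() in DISABLED:
                    return "disabled"
                return "enabled"
    return "unset"


# Constructed sample configurations (not taken from a real host).
HARDENED = "[Security]\nVerboseAuth=0\n"
VERBOSE = "[Security]\nVerboseAuth=1\n"
WRONG_SECTION = "[Daemon]\nVerboseAuth=0\n\n[Security]\n# nothing set here\n"


def audit(samples):
    """Map each sample name to its status so a report can flag weak hosts."""
    return {name: verbose_auth_status(text) for name, text in samples.items()}


if __name__ == "__main__":
    results = audit({
        "hardened": HARDENED,
        "verbose": VERBOSE,
        "wrong-section": WRONG_SECTION,
    })
    for name, status in results.items():
        # Anything other than 'disabled' may still reveal whether a user exists.
        flag = "ok" if status == "disabled" else "REVIEW"
        print(f"{name}: VerboseAuth {status} [{flag}]")
```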
