[28188] in bugtraq
Re: Password Hole Found In Webshots
daemon@ATHENA.MIT.EDU (Ian Nguyen)
Thu Dec 12 22:15:55 2002
Message-ID: <003701c2a230$f4a0bd20$0a00a8c0@pegasus>
From: "Ian Nguyen" <inguyen@netspace.net.au>
To: <Travis.Wilkinson@wosc.edu>, <bugtraq@securityfocus.com>
Date: Fri, 13 Dec 2002 09:50:58 +1100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Confirmed. As it is, I don't think Webshots offers much in the way of
securing a user's desktop even though it has the password protection
feature. But it is just that, a screensaver, which just display pretty
images.
I think what Brian is trying to say here is if you want to lock your
desktop, use Windows' Ctrl+Alt+Del function instead.
Ian
----- Original Message -----
From: "Brian Carpenter" <brian.carpenter@wosc.edu>
To: <bugtraq@securityfocus.com>
Sent: Friday, December 13, 2002 5:33 AM
Subject: Password Hole Found In Webshots
> I have descovered a hole in the webshots screensave program. On either
> a Win2K or xp machine that has it installed you can bypass the password
> on the screen saver by pressing Ctrl+Alt+Del wich brings up the Windows
> box that contains logout lockcomputer shutdown ect: Then you will hit
> cancel and boom you are at the desktop with all the permisions the
> previous user had. If you have windows password locking the screen saver
> you are able to Ctrl+Alt+Del and then go to taskmanger and end the
> screen saver thus bringing you back to the desktop.
>
> This works with both webshots password set up and the windows password
> setup on the computer. As long as webshots is used the hole is there.
>
>
>
>
>
