• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

XScreenSaver Local Password Disclosure Vulnerability

XScreenSaver is prone to a local password-disclosure vulnerability. This issue is due to a flaw in the application that may result in the screen-unlock password being passed onto other applications that are already running on the computer.

This may disclose the password used to unlock the applications. The login password is typically used to unlock XScreenSaver, so this issue may reveal login passwords to attackers.

This issue is currently known to affect users who are running RDesktop on the locked computer, due to the interaction between the applications. This may result in the disclosure of the login password across the network. Other unknown applications in conjunction with XScreenSaver may result in a similar issue.

Version 4.14 and 4.16 are vulnerable to this issue; other versions may also be affected.