Confirmed. As it is, I don't think Webshots offers much in the way of
securing a user's desktop even though it has the password protection
feature. But it is just that, a screensaver, which just displays pretty
images.
I think what Brian is trying to say here is if you want to lock your
desktop, use Windows' Ctrl+Alt+Del function instead.
Ian
----- Original Message -----
From: "Brian Carpenter" <brian.carpenter (at) wosc (dot) edu>
To: <bugtraq (at) securityfocus (dot) com>
Sent: Friday, December 13, 2002 5:33 AM
Subject: Password Hole Found In Webshots
> I have discovered a hole in the Webshots screensaver program. On either
> a Win2K or XP machine that has it installed you can bypass the password
> on the screen saver by pressing Ctrl+Alt+Del, which brings up the Windows
> box that contains logout, lock computer, shutdown, etc. Then you will hit
> cancel and boom, you are at the desktop with all the permissions the
> previous user had. If you have Windows password locking the screen saver
> you are able to Ctrl+Alt+Del and then go to Task Manager and end the
> screen saver, thus bringing you back to the desktop.
>
> This works with both the Webshots password setup and the Windows password
> setup on the computer. As long as Webshots is used the hole is there.