Re: Password Hole Found In Webshots

["Ian Nguyen" <inguyen () netspace net au>]

Confirmed. As it is, I don't think Webshots offers much in the way of
securing a user's desktop even though it has the password protection
feature.  But it is just that, a screensaver, which just display pretty
images.

I think what Brian is trying to say here is if you want to lock your
desktop, use Windows' Ctrl+Alt+Del function instead.

Ian

----- Original Message -----
From: "Brian Carpenter" <brian.carpenter () wosc edu>
To: <bugtraq () securityfocus com>
Sent: Friday, December 13, 2002 5:33 AM
Subject: Password Hole Found In Webshots


> I have descovered a hole in the webshots screensave program. On either
> a Win2K or xp machine that has it installed you can bypass the password
> on the screen saver by pressing Ctrl+Alt+Del wich brings up the Windows
> box that contains logout lockcomputer shutdown ect: Then you will hit
> cancel and boom you are at the desktop with all the permisions the
> previous user had. If you have windows password locking the screen saver
> you are able to  Ctrl+Alt+Del and then go to taskmanger and end the
> screen saver thus bringing you back to the desktop.
>
> This works with both webshots password set up and the windows password
> setup on the computer. As long as webshots is used the hole is there.