Undoing Novell's GINA
From: Nick Staff (nstaff@ANGELSIN.COM)
Date: 10/14/02
Date: Sun, 13 Oct 2002 21:28:43 -0700
From: Nick Staff <nstaff@ANGELSIN.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
After installing Novell's client for Windows 2000/NT 4.0 v4.82 the UNDO
feature (Ctrl+Z) becomes enabled in the password field of the login
prompt. This means that if a user types in their password and then
deletes it because they decide not to log on, it can be undeleted by
pressing Ctrl+Z.
This is only the case when using the Novell supplied GINA and is fixed
by reverting back to Microsoft's.
Below are the steps to reproduce:
Steps to reproduce:
- Install Novell's client on Windows 2000 and reboot
- If prompted, at the logon screen press Ctrl+Alt+Del
- Type something in the password field and then delete it (use
backspace, the delete key, highlight and delete, any way you'd like)
- Hold down the Ctrl key and press Z once
- Password comes back
Yeah nobody may ever exploit this, I agree, but it's a dumb
vulnerability to have because it's not serving any purpose except to
make security weaker.
Thanks,
Nick