Re: Undoing Novell's GINA (and my last post)
From: Nick Staff (nstaff@ANGELSIN.COM)
Date: 10/19/02
Date: Sat, 19 Oct 2002 00:20:40 -0700
From: Nick Staff <nstaff@ANGELSIN.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I don't know what I thought I did, but I was wrong about this being
fixed by Microsoft's GINA; it's present in Windows 2000 and the latest
build of .net Enterprise Server.
Thanks,
Nick Staff
-----Original Message-----
From: Nick Staff
Sent: Sunday, October 13, 2002 9:29 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Undoing Novell's GINA
After installing Novell's client for Windows 2000/NT 4.0 v4.82 the UNDO
feature (Ctrl+Z) becomes enabled in the password field of the login
prompt. This means that if a user types in their password and then
deletes it because they decide not to log on it can be undeleted by
pressing Ctrl+Z.
This is only the case when using the Novell supplied GINA and is fixed
by reverting back to Microsoft's.
Below are the steps to reproduce:
Steps to reproduce:
- Install Novell's client on Windows 2000 and reboot
- If prompted, at the logon screen press Ctrl+Alt+Del
- Type something in the password field and then delete it (use
backspace, the delete key, highlight and delete, any way you'd like)
- Hold down the Ctrl key and press Z once
- Password comes back
Yeah, nobody may ever exploit this, I agree, but it's a dumb
vulnerability to have because it's not serving any purpose except to
make security weaker.
Thanks,
Nick