Confirmed. As it is, I don't think Webshots offers much in the way of securing a user's desktop even though it has the password protection feature. But it is just that, a screensaver, which just displays pretty images. I think what Brian is trying to say here is if you want to lock your desktop, use Windows' Ctrl+Alt+Del function instead.

Ian

----- Original Message -----
From: "Brian Carpenter" <brian.carpenter@wosc.edu>
To: <bugtraq@securityfocus.com>
Sent: Friday, December 13, 2002 5:33 AM
Subject: Password Hole Found In Webshots

> I have discovered a hole in the Webshots screensaver program. On either
> a Win2K or XP machine that has it installed you can bypass the password
> on the screen saver by pressing Ctrl+Alt+Del, which brings up the Windows
> box that contains logout, lock computer, shutdown, etc. Then you will hit
> cancel and boom, you are at the desktop with all the permissions the
> previous user had. If you have Windows password locking the screen saver
> you are able to Ctrl+Alt+Del and then go to Task Manager and end the
> screen saver, thus bringing you back to the desktop.
>
> This works with both Webshots password set up and the Windows password
> setup on the computer. As long as Webshots is used the hole is there.