Bugtraq mailing list archives
Re: Sun CDE 1.0.1: login bug
From: Doug.Hughes () ENG AUBURN EDU (Doug Hughes)
Date: Tue, 29 Jul 1997 08:14:20 -0500
Hello, I apologize if my discovery is old news, yet I thought it important to share and find out if this is being worked on by Sun. The problem is that CDE (Common Desktop Environment) seems to accept logins with usernames which have spaces prepended to them. I am not sure if this is the case with other window managers since I did not test this with other than CDE.
What you describe doesn't seem to be much different than pre-CDE. People can log in with spaces with xdm on Solaris2 as well, but it's more of a nuisance here than anything else (because they can't run mailtool, and filemgr breaks, and other things break.) So far there have been no associated security risks. The user still has the same uid. His account is somewhat broken though, which is inconvenient. We've had to add an entry to our local FAQ about it.

--
Doug Hughes
Engineering Network Services
System/Net Admin
Auburn University
doug () eng auburn edu