IKiosk Security Lapse

Mike Mitchell mdm at nbpl.lib.tx.us
Fri Oct 30 14:22:31 EST 1998


Windows 95 Policy editor will fix this. You can specify which programs can
be run. All others are disallowed. I tried it just now within this exploit.
The security still works.

Mike Mitchell
Tech Services Librarian/System Administrator
Dittlinger Memorial Library
New Braunfels, TX 
mdm at nbpl.lib.tx.us

At 10:39 AM 10/30/98 -0800, you wrote:
>Try renaming C:\WINDOWS\TASKMAN.EXE to something like TASKMAN.AXE.
>
>Does WinSelect Policy have an option to list programs that shouldn't
>be permitted to run?  That might also be a way to prevent it from 
>running.
>
>Chuck
>:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>Chuck Bearden                                   cbearden at rice.edu
>Electronic Resources Librarian    
>Fondren Library--MS44                        713 / 527-8101 x3634
>Rice University                              713 / 737-5859 (fax)
>P.O. Box 1892
>Houston, TX 77251-1892
>:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>
>On Fri, 30 Oct 1998, jpapier wrote:
>
>> Greetings From Fairest NJ:
>> 
>> I've been using Winselect Policy / Kiosk 3.3.1 on our public Internet
>> PCs to good effect for some time now.  However, our ever-curious
>> teenagers have (unwittingly) brought the following security lapse to
>> my attention:  if you reboot the PC, when Windows 95 (or 98) starts up
>> again you can click repeatedly with the mouse where the "Start" button
>> eventually shows up.  This easily brings up the Task Manager.  From
>> there you can choose "Run Applications."  A default box comes up.  If
>> you ignore this box and choose "Browse," a new box comes up. You cannot
>> enter a pathname into this browse box, which is as it should be, since
>> access to the hard drive has been turned off. But if instead of choosing
>> the "Browse" option, you stick with the first, default box which
>> appears, you CAN enter a pathname, e.g. "c:\command.com."  And into DOS
>> we go.
>> 
>> I suppose you could also bring in "command.com" on a floppy and upload
>> too, if you allow access to the A: drive.
>> 
>> Thought you should know.  I've brought this to the attention of Hypertec
>> (http://www.hypertec.com).
>> 
>> Cheers,
>> JP
>> 
>> --
>> Jeff Papier
>> Network / Internet Librarian
>> South Brunswick Public Library
>> Monmouth Junction, NJ
>> 
>> 
>
>
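
One way to check the allow-list approach described in this thread, as an added example that is not part of the original messages: the script audits a REGEDIT4 export for the values written by the Policy Editor setting "Only run allowed Windows applications" (RestrictRun under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer). The sample export, its NETSCAPE.EXE entry and the RISKY list are constructed assumptions.

```python
import re

# Constructed sample: a REGEDIT4 export of one user's policy keys (not from the thread).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="NETSCAPE.EXE"
"2"="COMMAND.COM"
'''

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Programs named in the thread that give a patron a shell or launcher (assumed list).
RISKY = {"command.com", "taskman.exe"}

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]*)"=(.+)', line)
        if m and current is not None:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                current[name] = raw[1:-1].replace("\\\\", "\\")
    return keys

def audit_restrict_run(text):
    """Return a list of findings; an empty list means the allow-list looks sound."""
    keys = parse_reg(text)
    explorer = keys.get(POLICY_KEY.lower(), {})
    if explorer.get("restrictrun") != 1:
        return ["RestrictRun is not enabled: any program can be started"]
    allowed = keys.get((POLICY_KEY + r"\RestrictRun").lower(), {})
    if not allowed:
        return ["RestrictRun is enabled but the allow-list is empty"]
    return ["allow-list includes " + e for e in allowed.values() if str(e).lower() in RISKY]
```

Run `audit_restrict_run` over an export of each kiosk account's policy keys; an empty result means the allow-list is enabled and contains none of the flagged programs.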