LM_NET: Library Media Networking
- Subject: Re: browsing to the root? Breaching network security
- From: "James W. Neal" <jwnlpsd@PRIMENET.COM>
- Date: Sat, 21 Feb 1998 13:19:07 -0600
We have discovered that once anyone opens Internet Explorer (3.02 for
Windows)
they can type in the path and name of any file on the local computer in the
address box, press "Enter" and run the file.
Anyone else find that interesting?
Jim
The object of teaching a child is to enable the child to get along without
the teacher.
Jim Neal
Library Media Specialist/District Grant Writer
http://parkhill.k12.mo.us/hs/media/media_center.htm
nealj@parkhill.k12.mo.us
Park Hill High School
7701 NW Barry Rd
Kansas City, MO 64153
http://www.primenet.com/~jwnlpsd
Webmaster: LM_NET On the Web
http://ericir.syr.edu/lm_net/
-----Original Message-----
From: Susan Oates <oates@CYBERCOMM.NET>
To: LM_NET@LISTSERV.SYR.EDU <LM_NET@LISTSERV.SYR.EDU>
Date: Thursday, February 19, 1998 7:59 PM
Subject: Re: browsing to the root? Breaching network security
>I've spoken about this issue with my son, who is very
>computer-knowledgeable and programmed our Internet login system. It turns
>out that our Novell network isn't using any security because, until
>Netscape, our software setup (CD-ROMs and the library catalog) didn't
>really require it. The use of Netscape v. 3.01, which was designed for
>home use not networks, has introduced the situations we face now. My son
>reminded me that each of our workstations has its own username and pretty
>much requires all privileges to perform the functions required by the
>CD-ROMs. These workstations are logged in to the server every morning.
>This explains why that student was able to access the server, all files
>therein, and manipulate them.
>
>This week, a student reformatted the hard drive on one of our PC
>workstations. My son has since figured out that this student was able to
>do this using Netscape and its helper application option.
>
>>From Robert A. Nielsen <NielsenR@ten-nash.ten.k12.tn.us>:
>>I tried the students steps again today at two other locations. Each time
>>>I found the same result. It does give access to the DOS prompt, but the
>>>only access allowed on the server was that which the student would
>>have had anyway (I don't disable DOS access). They could see their home
>>directory on the server, the public directory, the mail directory, and a
>>couple of assorted shared directories. But, they couldn't access teacher
>>directories, administrative information, or system files.
>>
>>So, it almost sounds like the original password that you are giving
>>the machine (at startup) is associated with a username which has more
>>privileges than a student should. We have generic usernames for the
>>student which gets them on the server, but restricts access.
>
>
>>From Murad Raheem <MRaheem@ecfs.org>:
>>Your e-mail was forwarded to my by one of our Librarians. I have a
>>question regarding the access violation. If you exit netscape and get
>>to a normal dos prompt can students browse the network? -->>> Yes.
>>I tried the method outlined and was unable to access locked folders. Any
>>>info you have would be very helpful. -->>> See the first two paragraphs.
>
>Susan Oates <oates@cybercomm.net>
>
> Educational Media Specialist, Marlboro High School, New Jersey, USA
> The Marlboro High School Home Page <http://www.cybercomm.net/~marlboro/>
>
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>To quit LM_NET (or set NOMAIL or DIGEST), Send an email message to
>listserv@listserv.syr.edu In the message write EITHER
>1) SIGNOFF LM_NET 2) SET LM_NET NOMAIL or 3) SET LM_NET DIGEST
> NOTE: Please allow time for confirmation from Listserv.
>For more help see LM_NET On The Web: http://ericir.syr.edu/lm_net/
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
To quit LM_NET (or set NOMAIL or DIGEST), Send an email message to
listserv@listserv.syr.edu In the message write EITHER
1) SIGNOFF LM_NET 2) SET LM_NET NOMAIL or 3) SET LM_NET DIGEST
NOTE: Please allow time for confirmation from Listserv.
For more help see LM_NET On The Web: http://ericir.syr.edu/lm_net/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
LM_NET
Archive Home