ADMIN$ share remotely. However, the target user does need to have this
privilege level in order for the attacker to exploit the vulnerability.
For example: if the target user only has regular user privileges, an
attacker can access the file shares that user has access to. Also,
exploiting the vulnerability and the level of access obtained are two
different things.
This is just a proof-of-concept exploit; it can be improved and optimized.
Next are all the previously mentioned files that are part of the proof-of-concept
#####################################################################################
===============
1) Introduction
===============
Sick of junk email? Bored of all email programs looking the same? Take a look at Eureka Email and see how different things could be...
Eureka Email has a built-in junk email filter which can remove about 95% of your spam and it continually learns as it comes across new junk emails. You can customise the program so each of your friends has their own icon and sound for when they send you an email. You can also set up special accounts for your children so that they never get to see sexually explicit or offensive junk emails.
(from Eureka Mail website)
#####################################################################################
Regarding SSO - not at all. Not even remotely. It's not about
"wrappers frameworks put around cookies".
Spend some time on *.yahoo* and *.google* and their partner sites, and
look at how they use both auth and personalization cookies (two
different things).
For the former there is no way to solve usefully with Digest without
implementing some persistent unified tracking mechanism of the likes
Digest Auth does not provide today, or implementing some massive OoB
auth-sharing mechanism like SAML, or combining with something like
standardized with few guarantees. Everything else is what you make of
it: frameworks and protocols that use this primitive as they see fit.
> Spend some time on *.yahoo* and *.google* and their partner sites, and
> look at how they use both auth and personalization cookies (two
> different things).
Whatever google and yahoo and social-networking-site-fad-of-the-month
are doing doesn't really matter to most web developers and
applications. Let them keep their cookies. Most applications will be
better off with a standardized authentication protocol.