Package: x2goclient
Version: 4.0.3.2
Tags: build-win32
Severity: grave

Hi all,

I am not sure if this bug is X2Go Client or X2Go Server related,  
because I have no extended access to the site where the below issue  
just occurred.

   Client:
     X2Go Client for Windows (4.0.3.2-20150301)
     on Windows 8.1 64bit

   Server:
     X2Go Server 4.0.1.19
     running on Ubuntu 10.04

Session Type: GNOMEv2 desktop session

The windows machine is hooked into a network, i.e. the Windows's users  
%HOMEDRIVE% is on a server-side share, there are also several other  
network drives available. (as drive letters).

The user (a customer of mine) tried to directly share the "Documents"  
folder with the running X2Go session and then this SSHFS mount  
appeared on the X2Go Server's side:

   ~user/media/disk/_cygdrive_

This "_cygdrive_" folder contained letters (one drive letter per  
available network drive).

 From there on you could browse all drive letters and sub-directories  
available on the client-side MS Windows machine. Thus, exposing all  
sorts of drive letters and their subfolders to the X2Go session.


!!! This must be considered as a severe data security breach. !!!


minor side issue: Furthermore, client-side shared folders hosted on  
network drives appeared in the X2Go session, but were not accessible  
by the user running the X2Go session (marked by a read cross and a  
padlock).

Greets,
Mike



-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb