From unknown Sat May 16 09:05:54 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#287: x2goserver allows to connect to ALL X server sessions by default
Reply-To: David Fuhrmann <fuhrmann_mail@web.de>, 287@bugs.x2go.org
Resent-From: David Fuhrmann <fuhrmann_mail@web.de>
Original-Sender: David Fuhrmann <david.fuhrmann@gmail.com>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Wed, 07 Aug 2013 05:48:02 +0000
Resent-Message-ID: <handler.287.B.13758537825033@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: report 287
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: 
Received: via spool by submit@bugs.x2go.org id=B.13758537825033
          (code B); Wed, 07 Aug 2013 05:48:02 +0000
Received: (at submit) by bugs.x2go.org; 7 Aug 2013 05:36:22 +0000
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54])
	by ymir (Postfix) with ESMTPS id 0F6AD5DB1E
	for <submit@bugs.x2go.org>; Wed,  7 Aug 2013 07:36:22 +0200 (CEST)
Received: by mail-ee0-f54.google.com with SMTP id e53so189693eek.13
        for <submit@bugs.x2go.org>; Tue, 06 Aug 2013 22:36:21 -0700 (PDT)
X-Received: by 10.14.218.5 with SMTP id j5mr1284725eep.134.1375853781759;
        Tue, 06 Aug 2013 22:36:21 -0700 (PDT)
Received: from [192.168.0.20] (erft-4d07d423.pool.mediaWays.net. [77.7.212.35])
        by mx.google.com with ESMTPSA id t6sm6656149eel.12.2013.08.06.22.36.20
        for <submit@bugs.x2go.org>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Tue, 06 Aug 2013 22:36:20 -0700 (PDT)
Sender: David Fuhrmann <david.fuhrmann@gmail.com>
From: David Fuhrmann <fuhrmann_mail@web.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <F7C30D2B-5461-457E-8088-7A0933A86EEF@web.de>
Date: Wed, 7 Aug 2013 07:36:18 +0200
To: submit@bugs.x2go.org
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)

Package: x2goserver
Version: 4.0.1.6
Severity: critical

Hi,

I just noticed that x2goserver allows connecting to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged-in local users, or NX sessions which were not terminated correctly. This is especially bad in the latter case, as the screen is normally not locked there.

This is a HUGE security leak, as now all users are able to access data of the other users, and hinder them from working by manipulating current sessions.

Normal remote desktop software should BLOCK such access by default, and only allow it when the user explicitly requested it or configured it so.
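The default-deny rule the report asks for, written out as an added illustration that is not x2goserver's own code: the session inventory, the per-session share list, and every function name below are assumptions made for the example. The legacy function reproduces the behaviour described above (every session offered to every user); the hardened one offers a session only to its owner or to users the owner explicitly granted, and emits one audit line per decision so denied attach attempts are visible to monitoring.

```python
"""Default-deny policy for attaching to X sessions on a shared host.

Hypothetical example, not x2goserver code: the XSession model, the
shared_with grant set and the function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class XSession:
    display: str                              # X display, e.g. ":50"
    owner: str                                # local user who started the session
    kind: str                                 # "local" console login or "nx" (possibly orphaned) NX session
    shared_with: Set[str] = field(default_factory=set)  # users the owner explicitly granted access


# Constructed sample inventory of running X sessions on one host.
SESSIONS: List[XSession] = [
    XSession(":0", "alice", "local"),
    XSession(":50", "bob", "nx"),                          # NX session that was never terminated
    XSession(":51", "carol", "nx", shared_with={"dave"}),  # carol deliberately shared with dave
]


def legacy_visible_sessions(requester: str, sessions: List[XSession]) -> List[str]:
    """Behaviour the report describes: every session is offered, whoever asks."""
    return [s.display for s in sessions]


def attach_allowed(requester: str, session: XSession) -> bool:
    """Default deny: only the owner, or a user the owner explicitly granted, may attach."""
    if requester == session.owner:
        return True
    return requester in session.shared_with


def visible_sessions(requester: str, sessions: List[XSession]) -> List[str]:
    """Hardened 'connect to local desktop' list: only sessions the requester may attach to."""
    return [s.display for s in sessions if attach_allowed(requester, s)]


def audit_line(requester: str, session: XSession) -> str:
    """One log line per decision so that denied attempts can be alerted on."""
    verdict = "ALLOW" if attach_allowed(requester, session) else "DENY"
    return (f"x2go-attach requester={requester} display={session.display} "
            f"owner={session.owner} kind={session.kind} verdict={verdict}")


if __name__ == "__main__":
    for user in ("alice", "dave", "eve"):
        print(user, "legacy:", legacy_visible_sessions(user, SESSIONS),
              "hardened:", visible_sessions(user, SESSIONS))
        for s in SESSIONS:
            print("  ", audit_line(user, s))
```

With the sample inventory, an unrelated user sees three sessions under the legacy rule and none under the hardened one; the orphaned NX session on :50 stays reachable only by bob, which is the case the report singles out as worst because its screen is not locked.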
