X2Go Bug report logs - #287
Linux Mint desktops configured too insecurely for multi-user mode

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: David Fuhrmann <fuhrmann_mail@web.de>

Date: Wed, 7 Aug 2013 05:48:02 UTC

Severity: critical

Tags: confirmed, moreinfo, wontfix

Found in version 4.0.1.6

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

Received: (at submit) by bugs.x2go.org; 7 Aug 2013 05:36:22 +0000
From david.fuhrmann@gmail.com  Wed Aug  7 07:36:22 2013
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM,T_DKIM_INVALID
	autolearn=ham version=3.3.2
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54])
	by ymir (Postfix) with ESMTPS id 0F6AD5DB1E
	for <submit@bugs.x2go.org>; Wed,  7 Aug 2013 07:36:22 +0200 (CEST)
Received: by mail-ee0-f54.google.com with SMTP id e53so189693eek.13
        for <submit@bugs.x2go.org>; Tue, 06 Aug 2013 22:36:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=sender:from:content-type:content-transfer-encoding:subject
         :message-id:date:to:mime-version;
        bh=zeUpRT6yKgCiFt/96I8NkQjenVsIN/iTXhafYo3Gh8Q=;
        b=bwlgaL681CYaCondUtqS3sGJlqA/TUu/1DlP9NCpaMRUrQU7uvQj5FexgkjPGjkgDE
         syXhi9870xzqLN/k7M2qdThcnttoY8WnAObgD1caRH6u7IRrjeL9OrtMfVBE0AvoJ69E
         EnQVHqDUUuCEUE6w0eKHqDa6HTcufqkdhVisKz35sllgfsQEtL0EIwxtTWIiBFQHYzpM
         g+8Lcm+Jo0aBxN4vJ7JzcN7dVh7ie6VeaL9HW2DHxpMH2MZ/edb5MRLW9vQ7M2fK66Qn
         Ul8lY+fa68/LDkq3dQhsa54SerJ3qHCQ4QsRVTJ80ejJYgsVf/hQrmLxj6iPXyCME624
         adRQ==
X-Received: by 10.14.218.5 with SMTP id j5mr1284725eep.134.1375853781759;
        Tue, 06 Aug 2013 22:36:21 -0700 (PDT)
Received: from [192.168.0.20] (erft-4d07d423.pool.mediaWays.net. [77.7.212.35])
        by mx.google.com with ESMTPSA id t6sm6656149eel.12.2013.08.06.22.36.20
        for <submit@bugs.x2go.org>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Tue, 06 Aug 2013 22:36:20 -0700 (PDT)
Sender: David Fuhrmann <david.fuhrmann@gmail.com>
From: David Fuhrmann <fuhrmann_mail@web.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: x2goserver allows to connect to ALL X server sessions by default
Message-Id: <F7C30D2B-5461-457E-8088-7A0933A86EEF@web.de>
Date: Wed, 7 Aug 2013 07:36:18 +0200
To: submit@bugs.x2go.org
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)

Package: x2goserver
Version: 4.0.1.6
Severity: critical

Hi,

I just noticed that x2goserver allows to connect to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged in local users, or NX sessions which were not terminated correctly. This is especially worse in the latter case, as the screen is not locked here, normally.

This is a HUGE security leak, as now all users are able to access data of the other users, and hinder them from working by manipulating current sessions.

Normal remote desktop software should BLOCK such access by default, and only allow it when the user explicitly requested it or configured it so.

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Nov 23 10:09:49 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.