From david.fuhrmann@gmail.com Wed Aug 7 07:36:22 2013
From: David Fuhrmann
To: submit@bugs.x2go.org
Subject: x2goserver allows to connect to ALL X server sessions by default
Date: Wed, 7 Aug 2013 07:36:18 +0200
X-Mailer: Apple Mail (2.1508)

Package: x2goserver
Version: 4.0.1.6
Severity: critical

Hi,

I just noticed that x2goserver allows connecting to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged-in local users, or NX sessions which were not terminated correctly. This is especially bad in the latter case, as the screen is normally not locked there.

This is a HUGE security leak, as now all users are able to access the data of other users, and to hinder them from working by manipulating their current sessions.

Normal remote desktop software should BLOCK such access by default, and only allow it when the user has explicitly requested it or configured it so.