From unknown Thu Mar 28 17:14:09 2024
Subject: Bug#819: X2Go Client exposes all (network and local) drives on client-side folder sharing
Reply-To: Mike Gabriel, 819@bugs.x2go.org
Resent-From: Mike Gabriel
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers
Resent-Date: Mon, 16 Mar 2015 13:15:02 +0000
X-X2Go-PR-Message: report 819
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: build-win32
Date: Mon, 16 Mar 2015 13:13:28 +0000
Message-ID: <20150316131328.Horde.OmAEBtvMbmg3dIKaMec6tw1@mail.das-netzwerkteam.de>
From: Mike Gabriel
To: submit@bugs.x2go.org

Package: x2goclient
Version: 4.0.3.2
Tags: build-win32
Severity: grave

Hi all,

I am not sure if this bug is X2Go Client or X2Go Server related, because I have no extended access to the site where the below issue just occurred.

Client: X2Go Client for Windows (4.0.3.2-20150301) on Windows 8.1 64bit
Server: X2Go Server 4.0.1.19 running on Ubuntu 10.04
Session Type: GNOMEv2 desktop session

The Windows machine is hooked into a network, i.e. the Windows user's %HOMEDRIVE% is on a server-side share; there are also several other network drives available (as drive letters).

The user (a customer of mine) tried to directly share the "Documents" folder with the running X2Go session, and then this SSHFS mount appeared on the X2Go Server's side:

  ~user/media/disk/_cygdrive_

This "_cygdrive_" folder contained letters (one drive letter per available network drive).

From there on you could browse all drive letters and sub-directories available on the client-side MS Windows machine, thus exposing all sorts of drive letters and their subfolders to the X2Go session.

!!! This must be considered as a severe data security breach. !!!

Minor side issue: furthermore, client-side shared folders hosted on network drives appeared in the X2Go session, but were not accessible by the user running the X2Go session (marked by a red cross and a padlock).

Greets,
Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
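As an added example that is not part of this bug report and not X2Go's own code: a small POSIX shell check an administrator could run on the X2Go Server side to spot client-side shares that mount a whole drive tree rather than a single folder, keyed on the "~user/media/disk/_cygdrive_" mount point described in the report. The sample mount-table lines, user name, host and option strings are constructed for the example; the additional "_cygdrive_<letter>" pattern assumes the mount directory name is the client-side path with "/" replaced by "_", which the report only shows for "/cygdrive/".

```shell
#!/bin/sh
# Added example (not from the bug report, not X2Go's own code): a server-side
# check for client-side folder shares that expose a whole drive tree instead
# of one folder. It reads mount-table lines in the /proc/mounts format
# ("<source> <mountpoint> <fstype> <options> 0 0") and prints the mount
# points of fuse.sshfs mounts under .../media/disk whose directory name is
# "_cygdrive_" (the whole Cygwin drive tree, as seen in the report) or
# "_cygdrive_<letter>" (one whole drive; this second form ASSUMES the mount
# directory is named by replacing "/" in the client path with "_").
#
# Exit status is grep-like: 0 if at least one such share was found, 1 if none.

find_drive_root_shares() {
    drive_root_hits=0
    while read -r src mnt fstype opts rest; do
        [ "$fstype" = "fuse.sshfs" ] || continue
        # Only X2Go client-side shares, which live under <home>/media/disk.
        case "$mnt" in
            */media/disk/*) ;;
            *) continue ;;
        esac
        # Basename of the mount point: flag a whole drive tree or whole drive.
        case "${mnt##*/}" in
            _cygdrive_|_cygdrive_[a-zA-Z])
                printf '%s\n' "$mnt"
                drive_root_hits=1 ;;
        esac
    done
    [ "$drive_root_hits" -eq 1 ]
}

# Constructed sample mount table: one harmless share of a Documents folder
# plus the over-broad "_cygdrive_" share described in the report. User name,
# host and option strings are invented for the example.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
user@127.0.0.1:/cygdrive/c/Users/user/Documents /home/user/media/disk/_cygdrive_c_Users_user_Documents fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
user@127.0.0.1:/cygdrive /home/user/media/disk/_cygdrive_ fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0'

# Stand-alone run over the constructed table; on a real server use:
#   find_drive_root_shares < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | find_drive_root_shares \
    || echo "no drive-root client shares found"
```

On a live server the function would be fed /proc/mounts instead of the constructed table; a hit means a session user can browse every drive letter the client machine can see, which is the condition the report describes.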