[X2Go-Dev] Bug#287: x2goserver allows to connect to ALL X server sessions by default
David Fuhrmann
fuhrmann_mail at web.de
Wed Aug 7 07:36:18 CEST 2013
Package: x2goserver
Version: 4.0.1.6
Severity: critical
Hi,
I just noticed that x2goserver allows connecting to ALL running X sessions on the target machine, using "connect to local desktop". These might be logged-in local users, or NX sessions which were not terminated correctly. This is especially bad in the latter case, as the screen is normally not locked there.
This is a HUGE security leak, as now all users are able to access data of the other users, and hinder them from working by manipulating current sessions.
Normal remote desktop software should BLOCK such access by default, and only allow it when the user explicitly requested it or configured it so.