[X2Go-Dev] Bug#819: X2Go Client exposes all (network and local) drives on client-side folder sharing
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Mon Mar 16 14:13:28 CET 2015
Package: x2goclient
Version: 4.0.3.2
Tags: build-win32
Severity: grave
Hi all,
I am not sure if this bug is X2Go Client or X2Go Server related,
because I have no extended access to the site where the below issue
just occurred.
Client:
X2Go Client for Windows (4.0.3.2-20150301)
on Windows 8.1 64bit
Server:
X2Go Server 4.0.1.19
running on Ubuntu 10.04
Session Type: GNOMEv2 desktop session
The Windows machine is hooked into a network, i.e. the Windows user's
%HOMEDRIVE% is on a server-side share; there are also several other
network drives available (as drive letters).
The user (a customer of mine) tried to directly share the "Documents"
folder with the running X2Go session and then this SSHFS mount
appeared on the X2Go Server's side:
~user/media/disk/_cygdrive_
This "_cygdrive_" folder contained letters (one drive letter per
available network drive).
From there you could browse all drive letters and sub-directories
available on the client-side MS Windows machine, thus exposing all
sorts of drive letters and their subfolders to the X2Go session.
!!! This must be considered as a severe data security breach. !!!
Minor side issue: furthermore, client-side shared folders hosted on
network drives appeared in the X2Go session, but were not accessible
by the user running the X2Go session (marked by a red cross and a
padlock).
Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
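Added illustration, not part of Mike's report and not X2Go project code: a small server-side check an administrator could run on an X2Go Server to spot the symptom described above, i.e. a client-side share that turns out to be the whole drive tree rather than one folder. It relies on the ~user/media/disk/<share> layout and the "_cygdrive_" name quoted in the report; the /proc/mounts excerpt, the "fuse.sshfs" filesystem type, the sshfs source format and the directory tree it scans are all constructed for the example. The one-letter-subfolder heuristic is an assumption, not something X2Go documents.

```python
import os
import tempfile
from pathlib import Path

# Constructed /proc/mounts excerpt. The mount points follow the
# ~user/media/disk/<share> layout named in the report; the source format
# and the "fuse.sshfs" fstype are assumptions about how sshfs shows up.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
user@127.0.0.1:/_cygdrive_ /home/user/media/disk/_cygdrive_ fuse.sshfs rw,nosuid,nodev,user_id=1000 0 0
user@127.0.0.1:/Documents /home/user/media/disk/Documents fuse.sshfs rw,nosuid,nodev,user_id=1000 0 0
"""


def sshfs_mounts(proc_mounts_text):
    """Return (source, mountpoint) for every sshfs mount in a /proc/mounts listing."""
    mounts = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        source, mountpoint, fstype = fields[:3]
        if fstype == "fuse.sshfs":
            mounts.append((source, mountpoint))
    return mounts


def cygdrive_mountpoints(proc_mounts_text):
    """Mount points whose last path component is _cygdrive_, the name under
    which the report saw the whole client drive tree appear."""
    return [mp for _, mp in sshfs_mounts(proc_mounts_text)
            if os.path.basename(mp) == "_cygdrive_"]


def looks_like_drive_root(share_dir):
    """Heuristic (assumed, not documented by X2Go): a share is an exposed
    drive root if it is named _cygdrive_ or if every entry in it is a
    one-letter directory (one per drive letter). A genuine share that
    happens to hold only single-letter folders is a false positive, so
    treat a hit as something to inspect rather than as proof."""
    share_dir = Path(share_dir)
    if share_dir.name == "_cygdrive_":
        return True
    entries = list(share_dir.iterdir())
    return bool(entries) and all(
        p.is_dir() and len(p.name) == 1 and p.name.isalpha() for p in entries
    )


def find_exposed_drive_roots(media_disk_dir):
    """Names of shares under media/disk that look like whole-drive exposures."""
    root = Path(media_disk_dir)
    return sorted(p.name for p in root.iterdir()
                  if p.is_dir() and looks_like_drive_root(p))


def build_sample_tree(base):
    """Constructed directory layout mirroring what the report describes:
    a _cygdrive_ share with one subfolder per drive letter, next to an
    ordinary Documents share."""
    disk = Path(base) / "media" / "disk"
    for letter in ("c", "d", "h"):
        (disk / "_cygdrive_" / letter / "Users").mkdir(parents=True)
    (disk / "Documents").mkdir(parents=True)
    (disk / "Documents" / "report.txt").write_text("harmless file")
    return disk


def scan_sample_tree():
    """Build the constructed tree in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_exposed_drive_roots(build_sample_tree(tmp))


if __name__ == "__main__":
    for mp in cygdrive_mountpoints(SAMPLE_PROC_MOUNTS):
        print("whole-drive mount point:", mp)
    for name in scan_sample_tree():
        print("share looks like a drive root:", name)
```

On a live server you would feed cygdrive_mountpoints() the real contents of /proc/mounts and point find_exposed_drive_roots() at the user's actual ~/media/disk directory; the constructed inputs above only exist so the check runs offline.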