- Advisory ID
- Affected versions
- 8.0 i586 , 7.2 i586 , 7.1 i586 , CS1.0 i586
A problem was discovered with the default configuration of the kdm display manager in Mandrake Linux. By default, it allows XDMCP connections from any host, which can be used to obtain a login screen on your system remotely. This can be used to get a list of users on that host, as displayed by kdm. It can also be used to circumvent access control mechanisms such as tcpwrappers and root login restrictions for console and remote logins.

Solution:

To disable remote connections, edit the /etc/X11/xdm/Xaccess file and change the following two lines:

    *                       #any host can get a login window
    *       CHOOSER BROADCAST       #any indirect host can get a chooser

to:

Please note that Mandrake Linux 8.1 and 8.2 are not vulnerable to this, as newer versions of kdm have a configuration option in the /usr/share/config/kdm/kdmrc file which explicitly has XDMCP support disabled. Also please note that this only applies if you are running kdm.
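As an added audit example (not part of this advisory), the POSIX shell functions below report whether an Xaccess file still carries active wildcard (`*`) entries of the kind quoted above; the default path /etc/X11/xdm/Xaccess is the one the advisory names, and the sample file content is constructed.

```shell
#!/bin/sh
# Added example, not the advisory's own text: audit an xdm/kdm Xaccess
# file for active entries that grant XDMCP access to any host.

# Print the active entries of an Xaccess file: strip comments
# (everything from '#' onward), leading whitespace and blank lines.
xaccess_active_entries() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# Return 0 (true) if any active entry is a bare "*" host pattern, i.e.
# "*" (any host gets a login window) or "* CHOOSER BROADCAST" (any
# indirect host gets a chooser). Patterns like "*.example.com" do not match.
xaccess_allows_any_host() {
    xaccess_active_entries "$1" | grep -q '^\*\([[:space:]]\|$\)'
}

# Human-readable verdict; exit status 1 means the file is still open.
audit_xaccess() {
    file="${1:-/etc/X11/xdm/Xaccess}"
    if [ ! -r "$file" ]; then
        echo "$file: missing or not readable"
        return 2
    fi
    if xaccess_allows_any_host "$file"; then
        echo "$file: XDMCP open to any host (active '*' entries found)"
        return 1
    fi
    echo "$file: no wildcard host entries active"
    return 0
}

# Demonstration on a constructed sample that mirrors the default lines.
demo_dir=$(mktemp -d)
printf '*\t\t\t#any host can get a login window\n' > "$demo_dir/Xaccess"
printf '*\tCHOOSER BROADCAST\t#any indirect host can get a chooser\n' \
    >> "$demo_dir/Xaccess"
audit_xaccess "$demo_dir/Xaccess" || true
rm -rf "$demo_dir"
```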