
[Security] Any user can edit RemoteApps

Open sashaqwert opened this issue 3 years ago • 2 comments

I have several accounts without administrator rights. Some of these accounts do not have RDP access and have a very simple password.

I decided to try to log into the Web interface under such an account and was able to edit the RemoteApp list (as if I were an administrator).


Please add a check for user rights so that users without administrator rights can only download RDP files and use the WEB channel.

sashaqwert, Jun 02 '21 07:06

Correct. The authentication does not check the user's group membership.

This most certainly needs to go on the todo list!

Ideally, I'd like it to check whether the user is a member of either:

- Administrators
- Remote Desktop Users

kimmknight, Jun 08 '21 06:06

> Correct. The authentication does not check the user's group membership.
>
> This most certainly needs to go on the todo list!
>
> Ideally, I'd like it to check whether the user is a member of either:
>
> - Administrators
> - Remote Desktop Users

Please allow specifying a separate group.

boyfromgermany, Dec 19 '21 10:12
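
The check requested in this thread, sketched as an added example (not the project's code and not written by any participant): authentication alone grants nothing, the group membership decides which actions are allowed, and the group names are configurable. The `Action` names, the `Policy` class and the sample accounts are assumptions made for illustration.

```python
from enum import Enum

class Action(Enum):
    DOWNLOAD_RDP = "download RDP file"
    USE_WEBFEED = "use web feed"
    EDIT_REMOTEAPPS = "edit RemoteApp list"

USER_ACTIONS = frozenset({Action.DOWNLOAD_RDP, Action.USE_WEBFEED})
ADMIN_ACTIONS = USER_ACTIONS | {Action.EDIT_REMOTEAPPS}

class Policy:
    """Maps group membership to permitted actions; group names are configurable."""

    def __init__(self, admin_groups=("Administrators",),
                 user_groups=("Remote Desktop Users",)):
        # Compare group names case-insensitively.
        self.admin_groups = {g.casefold() for g in admin_groups}
        self.user_groups = {g.casefold() for g in user_groups}

    def allowed_actions(self, authenticated, groups):
        # `groups` must be resolved server-side for the authenticated account,
        # never taken from anything the client sends.
        if not authenticated:
            return frozenset()
        member_of = {g.casefold() for g in groups}
        if member_of & self.admin_groups:
            return ADMIN_ACTIONS
        if member_of & self.user_groups:
            return USER_ACTIONS
        # Valid password but no qualifying group: deny by default.
        return frozenset()

    def authorize(self, authenticated, groups, action):
        return action in self.allowed_actions(authenticated, groups)

# Constructed sample accounts (hypothetical names and memberships).
ACCOUNTS = {
    "admin1": ["Administrators", "Users"],
    "rdpuser": ["Users", "remote desktop users"],
    "kiosk": ["Users"],  # can log in, but has no RDP access
}

if __name__ == "__main__":
    policy = Policy()
    for name, groups in ACCOUNTS.items():
        allowed = sorted(a.value for a in policy.allowed_actions(True, groups))
        print(f"{name}: {allowed or 'denied'}")
```

The same `authorize` call belongs on every state-changing request handler, not only on the page that renders the editor.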