On server login user can hack

Bug #124269 reported by filippo333
Affects: Ubuntu
Status: Invalid
Importance: High
Assigned to: Brian Murray

Bug Description

I have a password protected account. When you switch users and go to: Options > Remote Login Via XDMCP... and then press cancel, the user can get into the currently logged in account without using a password.

ProblemType: Bug
Architecture: i386
Date: Thu Jul 5 19:58:54 2007
DistroRelease: Ubuntu 7.04
ExecutablePath: /usr/bin/gnome-panel
Package: gnome-panel 1:2.18.1-0ubuntu3
PackageArchitecture: i386
ProcCmdline: gnome-panel --sm-client-id default1
ProcCwd: /home/ubuntu
ProcEnviron:
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: gnome-panel
Uname: Linux ubuntu 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007 i686 GNU/Linux

Revision history for this message
Brian Murray (brian-murray) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Are you experiencing this with gdm or kdm? Which particular version of that package did you notice this with? You can check via 'dpkg -l gdm'. Thanks in advance.

Revision history for this message
Stéphane Graber (stgraber) wrote :

From what I've understood you've done the following:
You are logged in as xy, then choose the "Switch user" option of the session logout box, which points you to a new gdm greeter.
At this point you entered a login, pressed enter and chose the "Remote login Via XDMCP" option.
The X server reloaded and you saw the XDMCP box with a Cancel button; clicking on it closed the XDMCP box and, instead of reloading gdm and having a clean greeter, you were redirected back to tty7, which was xy's session from where you started.

So if the above is correct, it's not a real security issue as it would have been if you had been able to log in to someone else's session which wasn't already opened; the problem is more on why gnome-screensaver didn't start on that session and lock the screen as it should (I wasn't able to reproduce this bug, as after clicking on Cancel I was brought back to my gnome-screensaver asking for my password).

Is the above correct?
If yes, can you create a blank account and try again, to see if that's a gnome-screensaver configuration issue?

Revision history for this message
filippo333 (filippo333) wrote :

This problem only occurs if you run Linux Ubuntu straight from the CD.

Revision history for this message
Brian Murray (brian-murray) wrote :

In your initial comment you mention that you have a password protected account but this is not the case, the user account on the Live CD does not have a password. So since there is no password this is not a bug.
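The closing point of the thread is that the Live CD account has no password at all, so "returning to the session without a password" is expected. A quick way to confirm that before filing a report like this is to look at the password field of the account in shadow format: an empty second field means no password, while "*" or "!" means the account is locked. The script below is an added example written for this page, not part of the bug report or of Ubuntu; the shadow lines it reads are constructed sample data, and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not from the bug report: find accounts whose shadow
# password field is empty (no password required), as the Live CD
# 'ubuntu' account was in the report above.
# SAMPLE_SHADOW is constructed for illustration; the hashes are dummies.

SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
ubuntu::17000:0:99999:7:::
guest:!:17000:0:99999:7:::'

# passwordless_accounts FILE
# Prints the usernames whose second field (the password hash) is empty.
# Locked accounts ('*' or '!' in that field) are not passwordless.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# classify_password_field HASHFIELD
# Prints "empty", "locked" or "hashed" for one shadow password field.
classify_password_field() {
    case "$1" in
        "")            echo empty ;;
        '*'|'!'|'!'*)  echo locked ;;
        *)             echo hashed ;;
    esac
}

# Demo against the constructed sample. On a real system, run as root:
#   passwordless_accounts /etc/shadow
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
passwordless_accounts "$tmp"
rm -f "$tmp"
```

Against the sample data the script prints only `ubuntu`; `guest` is locked with "!", not passwordless, which is the distinction Brian Murray's last comment turns on.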

This report contains Public Security information.