Am 21.05.2013 10:40, schrieb Oleksandr Shneyder:
You are right, it is possible, that X2Go Client can be crashed with the wrong output from the server. This issue could (and should) be easily fixed by replacing operator "[n]" with method "value(n)". However, I don't think, that this issue is so dramatic as you described it. Why some one should open a SSH/X2GO connection to "rough" server?
Scenario: DNS server is under the control of an attacker. Requests for "myserver.foobar.com" are answered with the IP of the rogue server.
Obviously, in case of SSH, there should be a fingerprint mismatch warning if the key of myserver.foobar.com is already known, which in case of the X2Go client cannot be overridden by clicking it away. But if it is a first-time connection, there will be a pop-up asking whether the key fingerprint is correct. If the user doesn't pay attention there (and to be honest - which average user does?), it would be possible to connect to a rogue server without wanting to.
-Stefan