Hi Stefan,
I didn't say that is not an issue. I'll fix it as soon as possible (I think today). I am only saying that in most cases it is very hard or impossible to use it to hack the client.
regards, Alex
On 21.05.2013 11:49, Stefan Baur wrote:
On 21.05.2013 10:40, Oleksandr Shneyder wrote:
You are right, it is possible that X2Go Client can be crashed with the wrong output from the server. This issue could (and should) be easily fixed by replacing operator "[n]" with method "value(n)". However, I don't think that this issue is as dramatic as you described it. Why should someone open an SSH/X2GO connection to a "rogue" server?
Scenario: DNS server is under the control of an attacker. Requests for "myserver.foobar.com" are answered with the IP of the rogue server.
Obviously, in case of SSH, there should be a fingerprint mismatch warning if the key of myserver.foobar.com is already known, which in case of the X2Go client cannot be overridden by clicking it away. But if it is a first-time connection, there will be a pop-up asking whether the key fingerprint is correct. If the user doesn't pay attention there (and to be honest - which average user does?), it would be possible to connect to a rogue server without wanting to.
-Stefan
-- Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de web: www.obviously-nice.de
--> X2go - everywhere@home
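
The fix discussed in this thread (replacing operator "[n]" with "value(n)"), shown as an added example that is not X2Go Client code: plain C++ with a value() helper that follows the contract of Qt's QList::value(n), which returns a default-constructed element for an out-of-range index. The "id|display|status" line format, SessionInfo, split() and parseSessionLine() are hypothetical and the sample replies are constructed.

```cpp
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

// Split one line of server output on a delimiter.
// The format is constructed for this example, not X2Go's real one.
std::vector<std::string> split(const std::string& line, char sep) {
    std::vector<std::string> out;
    std::string field;
    std::istringstream in(line);
    while (std::getline(in, field, sep)) out.push_back(field);
    return out;
}

// Same contract as Qt's QList::value(n): an out-of-range index yields a
// default-constructed element instead of reading past the end of the list.
std::string value(const std::vector<std::string>& v, std::size_t n) {
    return n < v.size() ? v[n] : std::string();
}

struct SessionInfo {  // hypothetical record for illustration
    std::string id, display, status;
};

// Parse "id|display|status" from an untrusted server. A short or empty reply
// is rejected with false; `out` is only written when all fields are present.
bool parseSessionLine(const std::string& line, SessionInfo& out) {
    const std::vector<std::string> f = split(line, '|');
    const SessionInfo s{value(f, 0), value(f, 1), value(f, 2)};
    if (s.id.empty() || s.display.empty() || s.status.empty())
        return false;  // malformed: caller reports an error instead of crashing
    out = s;
    return true;
}

int main() {
    // Constructed sample replies: one well-formed, two truncated.
    const char* replies[] = {"alice-50-1369130000|50|R", "alice-50-1369130000", ""};
    int ok = 0;
    SessionInfo s;
    for (const char* r : replies)
        if (parseSessionLine(r, s)) ++ok;
    return ok == 1 ? 0 : 1;  // exactly one reply should parse
}
```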