[X2Go-Dev] x2go and (none)security
Oleksandr Shneyder
oleksandr.shneyder at obviously-nice.de
Tue May 21 12:24:49 CEST 2013
Hi Stefan,
I didn't say that it is not an issue. I'll fix it as soon as possible (I
think today). I am only saying that in most cases it is very hard or
impossible to use it to hack the client.
regards,
Alex
Am 21.05.2013 11:49, schrieb Stefan Baur:
> Am 21.05.2013 10:40, schrieb Oleksandr Shneyder:
>> You are right, it is possible that X2Go Client can be crashed with the
>> wrong output from the server. This issue could (and should) be easily
>> fixed by replacing operator "[n]" with method "value(n)". However, I
>> don't think that this issue is as dramatic as you described it. Why
>> should someone open an SSH/X2GO connection to a "rogue" server?
>
> Scenario:
> DNS server is under the control of an attacker.
> Requests for "myserver.foobar.com" are answered with the IP of the rogue
> server.
>
> Obviously, in case of SSH, there should be a fingerprint mismatch
> warning if the key of myserver.foobar.com is already known, which in
> case of the X2Go client cannot be overridden by clicking it away. But if
> it is a first-time connection, there will be a pop-up asking whether the
> key fingerprint is correct. If the user doesn't pay attention there (and
> to be honest - which average user does?), it would be possible to
> connect to a rogue server without wanting to.
>
> -Stefan
--
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team
email: oleksandr.shneyder at obviously-nice.de
web: www.obviously-nice.de
--> X2go - everywhere at home
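
The fix discussed in this thread, replacing unchecked "[n]" indexing of parsed server output with "value(n)", shown as an added example that is not X2Go Client code. It uses plain C++ in place of Qt's containers; the `Session` record, the '|' delimiter, the three-field layout and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Split one line of server output on a delimiter, keeping empty fields.
std::vector<std::string> split(const std::string& line, char delim) {
    std::vector<std::string> out;
    std::size_t start = 0;
    for (;;) {
        std::size_t pos = line.find(delim, start);
        if (pos == std::string::npos) {
            out.push_back(line.substr(start));
            return out;
        }
        out.push_back(line.substr(start, pos - start));
        start = pos + 1;
    }
}

// Same contract as Qt's QList::value(n): an out-of-range index yields a
// default-constructed value instead of the undefined behaviour of fields[n].
std::string value(const std::vector<std::string>& fields, std::size_t n) {
    return n < fields.size() ? fields[n] : std::string();
}

// Hypothetical record; the field layout is assumed for this example.
struct Session {
    std::string id;
    std::string display;
    std::string status;
};

// Parse one line of untrusted server output. A short, long or partly empty
// line is rejected; no field is ever read past the end of the list.
bool parse_session(const std::string& line, Session& out) {
    const std::vector<std::string> f = split(line, '|');
    Session s{value(f, 0), value(f, 1), value(f, 2)};
    if (f.size() != 3 || s.id.empty() || s.display.empty() || s.status.empty())
        return false;
    out = s;
    return true;
}
```

Bounds-safe access only removes the crash; the explicit field-count check is what keeps a truncated reply from being accepted as a record with empty fields.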