[X2Go-Dev] Bug#773: DirectRDP: X2Go Client reveals user password in process list if xfreerdp is used
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Thu Jan 29 13:10:54 CET 2015
Package: x2goclient
Severity: grave
When a user uses X2Go Client for directly accessing an RDP Server,
then one can use the DirectRDP feature.
The DirectRDP feature allows wrapping around the rdesktop command or
the xfreerdp command.
With both wrapper modes, the password is given to the RDP client
application on the command line.
With rdesktop, the command line ($@) gets rewritten for the process
list and the password is replaced by XXXXXXXX.
With xfreerdp, the command line stays as is and reveals the RDP user's
password on the process list of the machine that X2Go Client runs on.
The FreeRDP people have added a command line option --from-stdin to
xfreerdp 1.0.x for this purpose, that may be an option to use in X2Go
Client. However, I am not sure if this option survived in xfreerdp
1.1.x or later (it is not on the xfreerdp man page for
1.1.0~git<sometime-in-2014> as shipped with Debian jessie).
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
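
An added illustration, not part of the original report and not X2Go or FreeRDP code: a stand-in child process (a Python one-liner, not xfreerdp) receives a constructed password once on its command line and once on standard input, and the parent reads `/proc/<pid>/cmdline` to show which of the two ends up in the process list. It assumes a Linux `/proc`; the `--from-stdin` switch here belongs to the stand-in only and is named after the option mentioned in the report.

```python
import subprocess
import sys

SECRET = "constructed-example-password"  # constructed sample, not a real credential

# Stand-in for the RDP client (hypothetical, not xfreerdp): takes the password
# from argv[1], or from stdin when argv[1] is --from-stdin, reports its length,
# then blocks on stdin so the parent can inspect it while it is still running.
CHILD = (
    "import sys\n"
    "pw = sys.stdin.readline() if sys.argv[1] == '--from-stdin' else sys.argv[1]\n"
    "print(len(pw.rstrip('\\n')), flush=True)\n"
    "sys.stdin.readline()\n"
)


def cmdline_of(pid):
    """Return the argument vector that the process list shows for pid."""
    # /proc/<pid>/cmdline is NUL-separated and, by default, world-readable.
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]


def launch_and_inspect(use_stdin):
    """Start the stand-in client; return (its visible cmdline, password length it got)."""
    last_arg = "--from-stdin" if use_stdin else SECRET
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD, last_arg],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True,
    )
    try:
        if use_stdin:
            proc.stdin.write(SECRET + "\n")  # the secret travels over the pipe only
            proc.stdin.flush()
        received = int(proc.stdout.readline())  # child confirms it has the password
        return cmdline_of(proc.pid), received
    finally:
        proc.stdin.close()  # EOF releases the child
        proc.wait()
        proc.stdout.close()


if __name__ == "__main__":
    for mode in (False, True):
        args, received = launch_and_inspect(use_stdin=mode)
        leaked = any(SECRET in a for a in args)
        print(f"stdin={mode}: child got {received} chars, secret in cmdline: {leaked}")
```

Overwriting argv after start-up, as described for rdesktop, still leaves the password readable between process start and the overwrite; the stdin variant never places it in the argument vector.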