Subject: Bug#258: SECURITY: x2goclient allows clipboard sniffing
From: Christoph Anton Mitterer
To: submit@bugs.x2go.org
Date: Mon, 01 Jul 2013 04:38:28 +0200
Message-ID: <1372646308.18508.2.camel@heisenberg.scientia.net>

Package: x2goclient
Severity: grave
Tags: security

Hi.

From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588

It seems that per default (and I even found no way to disable it) x2goclient (and perhaps other related tools?) transmits the content of the clipboard to the remote host.

As this may easily contain passwords or other sensitive information, this is an extremely critical hole.

Cheers,
Chris.