X2Go Bug report logs - #509
Document NX/X11 security issue: clipboard sniffing

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: security

Full log



X-Loop: owner@bugs.x2go.org
Subject: Bug#258: [X2Go-Dev] Bug#258: Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
Reply-To: Nable 80 <nable.maininbox@googlemail.com>, 258@bugs.x2go.org
Resent-From: Nable 80 <nable.maininbox@googlemail.com>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Tue, 02 Jul 2013 08:03:02 +0000
Resent-Message-ID: <handler.258.B258.137275209524664@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 258
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: security
Received: via spool by 258-submit@bugs.x2go.org id=B258.137275209524664
          (code B ref 258); Tue, 02 Jul 2013 08:03:02 +0000
Received: (at 258) by bugs.x2go.org; 2 Jul 2013 08:01:35 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM,
	RCVD_IN_DNSWL_BLOCKED,T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from mail-bk0-f49.google.com (mail-bk0-f49.google.com [209.85.214.49])
	by ymir (Postfix) with ESMTPS id C2BD95DA79
	for <258@bugs.x2go.org>; Tue,  2 Jul 2013 10:01:34 +0200 (CEST)
Received: by mail-bk0-f49.google.com with SMTP id mz10so2104416bkb.8
        for <258@bugs.x2go.org>; Tue, 02 Jul 2013 01:01:34 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.204.227.81 with SMTP id iz17mr3550115bkb.157.1372752094358;
 Tue, 02 Jul 2013 01:01:34 -0700 (PDT)
Received: by 10.204.235.194 with HTTP; Tue, 2 Jul 2013 01:01:34 -0700 (PDT)
In-Reply-To: <CALxOYEas=OViucXEo50PfORCjcyxfdzNrCiNz7=rNJkohsmQYw@mail.gmail.com>
References: <1372646308.18508.2.camel@heisenberg.scientia.net>
	<20130701114356.GP2447@cip.informatik.uni-erlangen.de>
	<1372682609.25918.14.camel@heisenberg.scientia.net>
	<20130701140132.GQ2447@cip.informatik.uni-erlangen.de>
	<1372728469.11367.26.camel@fermat.scientia.net>
	<CALxOYEas=OViucXEo50PfORCjcyxfdzNrCiNz7=rNJkohsmQYw@mail.gmail.com>
Date: Tue, 2 Jul 2013 12:01:34 +0400
Message-ID: <CALxOYEZF=mZODbx60G2J=v+xBTLeQyc02AF-nxmvG1LEo2+msw@mail.gmail.com>
From: Nable 80 <nable.maininbox@googlemail.com>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 258@bugs.x2go.org, x2go-dev@lists.berlios.de
Content-Type: text/plain; charset=ISO-8859-1

Sorry, quickfix:
s/implicitly/explicitly/

2013/7/2, Nable 80 <nable.maininbox@googlemail.com>:
> Hi, Chris.
>
>> So it directly goes into the local X server?
>> Wow... that's awful... like a security nightmare...
> Then, you don't use ssh -X/-Y, do you?
>
>> And people don't see x2go (or VNC, or rdp) like a direct access
>> to their X server (as in plain X forwarding with xauth and that like).
> Why do you think so? Because they have it in window and didn't specify
> any option that exactly means 'turn on X11 forwarding'?
> After all, I think that it's not a grave issue as most people use X11
> forwarding for rather trusted hosts (or just don't care).
>
> One additional note: it's possible to turn on clipboard forwarding in
> RDP and VNC (and it's a very useful thing) but AFAIR in most clients
> _one has to specify it explicitly_ (and sometimes there's a separate
> option that allows some restricted clipboard access, for example:
> copying from remote to local but not vice versa). Maybe someone will
> make a patch to implement such options in X2Go.
>



X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 15:14:36 2024; Machine Name: ymir.das-netzwerkteam.de
