X2Go Bug report logs - #509
Document NX/X11 security issue: clipboard sniffing

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: security

Full log



X-Loop: owner@bugs.x2go.org
Subject: Bug#258: [X2Go-Dev] Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
Reply-To: Nable 80 <nable.maininbox@googlemail.com>, 258@bugs.x2go.org
Resent-From: Nable 80 <nable.maininbox@googlemail.com>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Tue, 02 Jul 2013 07:18:02 +0000
Resent-Message-ID: <handler.258.B258.13727490198666@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 258
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: security
In-Reply-To: <1372728469.11367.26.camel@fermat.scientia.net>
References: <1372646308.18508.2.camel@heisenberg.scientia.net>
	<20130701114356.GP2447@cip.informatik.uni-erlangen.de>
	<1372682609.25918.14.camel@heisenberg.scientia.net>
	<20130701140132.GQ2447@cip.informatik.uni-erlangen.de>
	<1372728469.11367.26.camel@fermat.scientia.net>
Date: Tue, 2 Jul 2013 11:10:18 +0400
Message-ID: <CALxOYEas=OViucXEo50PfORCjcyxfdzNrCiNz7=rNJkohsmQYw@mail.gmail.com>
From: Nable 80 <nable.maininbox@googlemail.com>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 258@bugs.x2go.org, x2go-dev@lists.berlios.de
Content-Type: text/plain; charset=ISO-8859-1
Hi, Chris.

> So it directly goes into the local X server?
> Wow... that's awful... like a security nightmare...
Then, you don't use ssh -X/-Y, do you?

> And people don't see x2go (or VNC, or rdp) like a direct access
> to their X server (as in plain X forwarding with xauth and that like).
Why do you think so? Because they have it in a window and didn't specify
any option that exactly means 'turn on X11 forwarding'?
After all, I think that it's not a grave issue as most people use X11
forwarding for rather trusted hosts (or just don't care).

One additional note: it's possible to turn on clipboard forwarding in
RDP and VNC (and it's a very useful thing) but AFAIR in most clients
_one has to specify it implicitly_ (and sometimes there's a separate
option that allows some restricted clipboard access, for example:
copying from remote to local but not vice versa). Maybe someone will
make a patch to implement such options in X2Go.
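The reply above equates an X2Go session with `ssh -X` / `ssh -Y`. In OpenSSH, `-X` corresponds to the client option `ForwardX11 yes` and `-Y` to `ForwardX11Trusted yes`; a trusted forward gives the remote side unrestricted access to the local X server, which is what makes clipboard reading possible. The following script is an added example, not part of this bug report or of the X2Go project: it parses an `ssh_config`-style text with OpenSSH's first-match-wins semantics and reports which hosts would get trusted X11 forwarding. The configuration text is constructed for the example; the host names in it are made up.

```python
"""
Audit an OpenSSH client configuration for X11 forwarding settings.

Added example (not part of the bug report). Resolves ForwardX11 and
ForwardX11Trusted per host the way OpenSSH does: Host blocks are read in
file order and the first block whose pattern matches and sets the option
wins. Pattern negation ("!pattern") and Match blocks are not handled.
"""
from fnmatch import fnmatchcase

# Constructed sample ssh_config; host names are placeholders.
SAMPLE_SSH_CONFIG = """\
# constructed sample ssh_config
Host build-*.internal
    ForwardX11 yes
    ForwardX11Trusted no

Host kiosk.example.org
    ForwardX11 no

Host shell.example.org
    ForwardX11Trusted yes

Host *
    ForwardX11 yes
    ForwardX11Trusted yes
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, {option: value}) blocks in file order.

    Options that appear before any Host line apply to every host and are
    represented as a leading 'Host *' block, which preserves their priority.
    """
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            if current is None:
                current = (["*"], {})
                blocks.append(current)
            current[1][key] = value
    return blocks


def effective_option(blocks, hostname, option, default):
    """First matching Host block that sets the option wins (OpenSSH semantics)."""
    option = option.lower()
    for patterns, opts in blocks:
        if option in opts and any(fnmatchcase(hostname, p) for p in patterns):
            return opts[option]
    return default


def x11_policy(text, hostname, trusted_default="no"):
    """Classify X11 forwarding for a host as 'none', 'untrusted' or 'trusted'.

    Upstream OpenSSH defaults ForwardX11Trusted to 'no'; some distributions
    ship 'yes', so the default is a parameter (assumption, adjust per system).
    """
    blocks = parse_ssh_config(text)
    forward = effective_option(blocks, hostname, "ForwardX11", "no").lower() == "yes"
    trusted = effective_option(
        blocks, hostname, "ForwardX11Trusted", trusted_default).lower() == "yes"
    if not forward:
        return "none"
    return "trusted" if trusted else "untrusted"


def audit_trusted_hosts(text, hostnames, trusted_default="no"):
    """Return the hosts that would receive a trusted (full-access) X11 forward."""
    return [h for h in hostnames if x11_policy(text, h, trusted_default) == "trusted"]


if __name__ == "__main__":
    for host in ["build-01.internal", "kiosk.example.org",
                 "shell.example.org", "other.example.net"]:
        print(f"{host:24s} {x11_policy(SAMPLE_SSH_CONFIG, host)}")
```

Hosts that fall through to the catch-all `Host *` block inherit trusted forwarding, which is the case the author's "most people use X11 forwarding for rather trusted hosts" remark leaves open; the audit makes that fall-through visible.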



X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Mar 28 12:52:58 2024; Machine Name: ymir.das-netzwerkteam.de
