X2Go Bug report logs - #509
Document NX/X11 security issue: clipboard sniffing

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: security


Message #30 received at 258@bugs.x2go.org:

In-Reply-To: <1372728469.11367.26.camel@fermat.scientia.net>
References: <1372646308.18508.2.camel@heisenberg.scientia.net>
Date: Tue, 2 Jul 2013 11:10:18 +0400
Message-ID: <CALxOYEas=OViucXEo50PfORCjcyxfdzNrCiNz7=rNJkohsmQYw@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows
 clipboard sniffing
From: Nable 80 <nable.maininbox@googlemail.com>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 258@bugs.x2go.org, x2go-dev@lists.berlios.de
Content-Type: text/plain; charset=ISO-8859-1
Hi, Chris.

> So it directly goes into the local X server?
> Wow... that's awful... like a security nightmare...
Then, you don't use ssh -X/-Y, do you?

> And people don't see x2go (or VNC, or rdp) like a direct access
> to their X server (as in plain X forwarding with xauth and that like).
Why do you think so? Because they have it in a window and didn't specify
any option that exactly means 'turn on X11 forwarding'?
After all, I think that it's not a grave issue as most people use X11
forwarding for rather trusted hosts (or just don't care).

One additional note: it's possible to turn on clipboard forwarding in
RDP and VNC (and it's a very useful thing) but AFAIR in most clients
_one has to specify it implicitly_ (and sometimes there's a separate
option that allows some restricted clipboard access, for example:
copying from remote to local but not vice versa). Maybe someone will
make a patch to implement such options in X2Go.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Feb 3 12:55:20 2023; Machine Name: ymir.das-netzwerkteam.de
