X2Go Bug report logs - #509
Document NX/X11 security issue: clipboard sniffing

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: security

Message #5 received at submit@bugs.x2go.org:

Message-ID: <1372646308.18508.2.camel@heisenberg.scientia.net>
Subject: SECURITY:  x2goclient allows clipboard sniffing
From: Christoph Anton Mitterer <calestyo@scientia.net>
To: submit@bugs.x2go.org
Date: Mon, 01 Jul 2013 04:38:28 +0200
Package: x2goclient
Severity: grave
Tags: security


From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588

It seems that per default (and I even found no way to disable it)
x2goclient (and perhaps other related tools?) transmit the content of
the clipboard to the remote

As this may easily contain passwords or other sensitive information,
this is an extremely critical hole.



X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Feb 3 13:34:37 2023; Machine Name: ymir.das-netzwerkteam.de
