X2Go Bug report logs - #773
DirectRDP: X2Go Client reveals user password in process list if xfreerdp is used

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Thu, 29 Jan 2015 12:15:01 UTC

Severity: grave


Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#773; Package x2goclient. (Thu, 29 Jan 2015 12:15:01 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Thu, 29 Jan 2015 12:15:01 GMT)

Message #5 received at submit@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Subject: DirectRDP: X2Go Client reveals user password in process list if xfreerdp is used
Date: Thu, 29 Jan 2015 12:10:54 +0000
Package: x2goclient
Severity: grave

When a user uses X2Go Client for directly accessing an RDP server,
then one can use the DirectRDP feature.

The DirectRDP feature allows wrapping around the rdesktop command or
the xfreerdp command.

With both wrapper modes, the password is given to the RDP client  
application on the command line.

With rdesktop, the command line ($@) gets rewritten for the process  
list and the password is replaced by XXXXXXXX.

With xfreerdp, the command line stays as is and reveals the RDP user's  
password on the process list of the machine that X2Go Client runs on.

The FreeRDP people have added a command line option --from-stdin to
xfreerdp 1.0.x for this purpose; that may be an option to use in X2Go
Client. However, I am not sure if this option survived in xfreerdp
1.1.x or later (it is not on the xfreerdp man page for
1.1.0~git<sometime-in-2014> as shipped with Debian jessie).

Mike



-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
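An audit check for the exposure described in the report above, as an added example that is not part of the original report or of X2Go's code: it parses `/proc/<pid>/cmdline` and flags rdesktop/xfreerdp processes whose argument vector still holds an unmasked password. Assumptions: the `-p <password>` and `/p:<password>` spellings come from rdesktop/FreeRDP command-line syntax, not from the report; the host name, user and secret in the samples are constructed.

```python
import os

RDP_CLIENTS = {"rdesktop", "xfreerdp"}

def parse_cmdline(raw):
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into an argv list."""
    if not raw:
        return []  # kernel threads and zombies have an empty cmdline
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]

def password_in_argv(argv):
    """True if an RDP client's argv carries a password that was not masked."""
    if not argv or os.path.basename(argv[0]) not in RDP_CLIENTS:
        return False
    for i, arg in enumerate(argv):
        if arg == "-p" and i + 1 < len(argv):   # rdesktop, xfreerdp 1.0.x
            value = argv[i + 1]
        elif arg.startswith("/p:"):             # xfreerdp 1.1 and later
            value = arg[3:]
        else:
            continue
        # "-" tells rdesktop to read the password from stdin; a run of "X" is
        # the rewritten form the report describes (heuristic: a real password
        # consisting only of "X" would be missed).
        if value not in ("", "-") and set(value) != {"X"}:
            return True
    return False

def scan_proc(proc="/proc"):
    """Return [(pid, client)] for exposed processes; never returns the secret."""
    hits = []
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:  # process exited, or access denied (e.g. hidepid)
            continue
        if password_in_argv(argv):
            hits.append((int(entry), os.path.basename(argv[0])))
    return hits

# Constructed samples of raw cmdline contents (not captured from a real host).
SAMPLES = {
    "xfreerdp-1.0": b"xfreerdp\0-u\0alice\0-p\0CONSTRUCTED-SECRET\0rdp.example.test\0",
    "xfreerdp-1.1": b"/usr/bin/xfreerdp\0/u:alice\0/p:CONSTRUCTED-SECRET\0/v:rdp.example.test\0",
    "rdesktop-masked": b"rdesktop\0-u\0alice\0-p\0XXXXXXXX\0rdp.example.test\0",
    "xfreerdp-stdin": b"xfreerdp\0-u\0alice\0--from-stdin\0rdp.example.test\0",
}

def classify_samples():
    return {name: password_in_argv(parse_cmdline(raw)) for name, raw in SAMPLES.items()}
```

On a Linux host, `scan_proc()` reports only the PID and client name of affected processes, so its output can be logged without copying the password again.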



X2Go Developers <owner@bugs.x2go.org>. Last modified: Tue Dec 11 00:03:17 2018; Machine Name: ymir.das-netzwerkteam.de