X2Go Bug report logs - #773
DirectRDP: X2Go Client reveals user password in process list if xfreerdp is used

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Thu, 29 Jan 2015 12:15:01 UTC

Severity: grave

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#773; Package x2goclient. (Thu, 29 Jan 2015 12:15:01 GMT) (full text, mbox, link).

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Thu, 29 Jan 2015 12:15:01 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Subject: DirectRDP: X2Go Client reveals user password in process list if xfreerdp is used
Date: Thu, 29 Jan 2015 12:10:54 +0000
[Message part 1 (text/plain, inline)]
Package: x2goclient
Severity: grave

When a users uses X2Go Client for directly accessing an RDP Server,  
then one can use the DirectRDP feature.

The DirectRDP features allows wrapping around the rdesktop command or  
the xfreerdp command.

With both wrapper modes, the password is given to the RDP client  
application on the command line.

With rdesktop, the command line ($@) gets rewritten for the process  
list and the password is replaced by XXXXXXXX.

With xfreerdp, the command line stays as is and reveals the RDP user's  
password on the process list of the machine that X2Go Client runs on.

The FreeRDP people have added a command line option --from-stdin to  
xfreerdp 1.0.x for this purpose, that may be an option using in X2Go  
Client. However, I am not sure, if this option survived in xfreerdp  
1.1.x or later (it is not on the xfreerdp man page for  
1.1.0~git<sometime-in-2014> as shipped with Debian jessie.

Mike



-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#773; Package x2goclient. (Fri, 22 Mar 2019 22:10:03 GMT) (full text, mbox, link).

Acknowledgement sent to uli42@gmx.de:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 22 Mar 2019 22:10:03 GMT) (full text, mbox, link).

Message #10 received at 773@bugs.x2go.org (full text, mbox, reply):

From: Ulrich Sibiller <ulrich.sibiller@gmail.com>
To: 773@bugs.x2go.org
Subject: xfreerdp 2 also XXXXes the password
Date: Fri, 22 Mar 2019 23:08:00 +0100
xfreerdp 2 also XXXXes the password

So with a current version this is a non-issueand can be closed.

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#773; Package x2goclient. (Tue, 26 Mar 2019 13:20:03 GMT) (full text, mbox, link).

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 26 Mar 2019 13:20:03 GMT) (full text, mbox, link).

Message #15 received at 773@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: uli42@gmx.de, 773@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#773: xfreerdp 2 also XXXXes the password
Date: Tue, 26 Mar 2019 13:19:06 +0000
[Message part 1 (text/plain, inline)]
Control: close -1

On  Fr 22 Mär 2019 23:08:00 CET, Ulrich Sibiller wrote:

> xfreerdp 2 also XXXXes the password
>
> So with a current version this is a non-issueand can be closed.

Thus, closing...
Mike
-- 

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


[Message part 2 (application/pgp-signature, inline)]

Marked Bug as done Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 773-submit@bugs.x2go.org. (Tue, 26 Mar 2019 13:20:03 GMT) (full text, mbox, link).

Notification sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Bug acknowledged by developer. (Tue, 26 Mar 2019 13:20:03 GMT) (full text, mbox, link).

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#773; Package x2goclient. (Tue, 26 Mar 2019 14:05:02 GMT) (full text, mbox, link).

Acknowledgement sent to Stefan Baur <X2Go-ML-1@baur-itcs.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 26 Mar 2019 14:05:02 GMT) (full text, mbox, link).

Message #24 received at 773@bugs.x2go.org (full text, mbox, reply):

From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
To: x2go-dev@lists.x2go.org, 773@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#773: Bug#773: xfreerdp 2 also XXXXes the password
Date: Tue, 26 Mar 2019 14:57:11 +0100
[Message part 1 (text/plain, inline)]
Uh, wait a minute.  We're still shipping X2GoClient for distributions
that have an older xfreerdp version in their repository.

Thus, this should not be closed until all supported distros have made
the switch to xfreerdp2.

-Stefan

Am 26.03.19 um 14:19 schrieb Mike Gabriel:
> Control: close -1
> 
> On  Fr 22 Mär 2019 23:08:00 CET, Ulrich Sibiller wrote:
> 
>> xfreerdp 2 also XXXXes the password
>>
>> So with a current version this is a non-issueand can be closed.
> 
> Thus, closing...
> Mike
> 
> _______________________________________________
> x2go-dev mailing list
> x2go-dev@lists.x2go.org
> https://lists.x2go.org/listinfo/x2go-dev
> 


-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#773; Package x2goclient. (Tue, 26 Mar 2019 16:55:02 GMT) (full text, mbox, link).

Acknowledgement sent to uli42@gmx.de:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 26 Mar 2019 16:55:02 GMT) (full text, mbox, link).

Message #29 received at 773@bugs.x2go.org (full text, mbox, reply):

From: Ulrich Sibiller <ulrich.sibiller@gmail.com>
To: Stefan Baur <X2Go-ML-1@baur-itcs.de>, 773@bugs.x2go.org
Cc: x2go-dev@lists.x2go.org
Subject: Re: [X2Go-Dev] Bug#773: Bug#773: Bug#773: xfreerdp 2 also XXXXes the password
Date: Tue, 26 Mar 2019 17:51:26 +0100
On Tue, Mar 26, 2019 at 3:09 PM Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
>
> Uh, wait a minute.  We're still shipping X2GoClient for distributions
> that have an older xfreerdp version in their repository.
>
> Thus, this should not be closed until all supported distros have made
> the switch to xfreerdp2.

I have xfreerdp 1.0.2 here on Centos 7.6 (freerdp-1.0.2-15.el7.x86_64)
which also XXXes the password:

sibiller  8465  0.0  0.0 260008  4356 pts/3    Sl+  17:48   0:00
xfreerdp -p *** -u sibiller wts

So do we really have distros using an older version?


Uli

Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Wed, 24 Apr 2019 05:24:01 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 13:41:13 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.