What was the "offlist" message he was referring to? Cause yeah, he sounds pretty new here with that kind of message. People bring in outside conversations all the time, especially if they feel it is relevant to the topic at hand.
Speaking of the topic at hand: I agree with the crowd that says it is not explicitly a security bug, but more like a lack of a good feature. It should be off by default, and someone on the list already made a patch to remove the clipboard which you shouldn't be using for sensitive information while connected to untrustworthy computers anyways. The developers should be notified that they need the feature to turn clipboard sharing off, but if they don't choose a different vnc and be on your way. I don't view it as a security bug because its policy bug. It's not something where "this problem exists ergo I can exploit it", its a problem where "if they do something stupid, I can take advantage of it, and oh hey their client by default doesn't mitigate this." And before someone yells at me for how I seperate software bugs and policy bugs by pointing out something like a client side attack: I view such things as a mix. Policy bug that they are falling for it, and software bug for the actual exploit. And really this is a good example of a situation where if you are worried about this you have bigger problems. Why must you use vnc? Why is what you're connecting to untrustworthy? What information is directly at risk if the box you're connecting to is compromised? What information is indirectly at risk? Does the box running suspicious programs have access to the internet? Etc. Once you start going down the list on things that should be done, the need to worry about this kind of bug becomes less and less relevant. Meaning if this kind of problem IS relevant then I would almost bet money that you are doing other things really wrong and so an attacker or a bad app doesn't need to use this because they got far more easier and more rewarding things to try. On Jan 25, 2012 9:45 AM, "coderman" <coder...@gmail.com> wrote: > On Wed, Jan 25, 2012 at 2:55 AM, Ben Bucksch <n...@bucksch.org> wrote: > > Dear coderman, > > > > posting mails that were explicitly marked "offlist" on the public list is > > no-go. > > you must be new around here... why not let everyone learn from your fail? > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/