Am 21.05.2013 10:40, schrieb Oleksandr Shneyder:
You are right, it is possible, that X2Go Client can be crashed with the
wrong output from the server. This issue could (and should) be easily
fixed by replacing operator "[n]" with method "value(n)". However, I
don't think, that this issue is so dramatic as you described it. Why
some one should open a SSH/X2GO connection to "rough" server?
Scenario:
DNS server is under the control of an attacker.
Requests for "myserver.foobar.com" are answered with the IP of the rogue
server.
Obviously, in case of SSH, there should be a fingerprint mismatch
warning if the key of myserver.foobar.com is already known, which in
case of the X2Go client cannot be overridden by clicking it away. But if
it is a first-time connection, there will be a pop-up asking whether the
key fingerprint is correct. If the user doesn't pay attention there (and
to be honest - which average user does?), it would be possible to
connect to a rogue server without wanting to.
-Stefan
_______________________________________________
X2Go-Dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/x2go-dev
