Hi Stefan,

I didn't say that is not an issue. I'll fix it as soon as possible (I think today). I'm only saying that in most cases it is very hard or impossible to use it to hack the client.

regards,
Alex

On 21.05.2013 11:49, Stefan Baur wrote:
> On 21.05.2013 10:40, Oleksandr Shneyder wrote:
>> You are right, it is possible that X2Go Client can be crashed with the
>> wrong output from the server. This issue could (and should) be easily
>> fixed by replacing operator "[n]" with method "value(n)". However, I
>> don't think that this issue is as dramatic as you described it. Why
>> should someone open an SSH/X2GO connection to a "rough" server?
>
> Scenario:
> DNS server is under the control of an attacker.
> Requests for "myserver.foobar.com" are answered with the IP of the rogue
> server.
>
> Obviously, in case of SSH, there should be a fingerprint mismatch
> warning if the key of myserver.foobar.com is already known, which in
> case of the X2Go client cannot be overridden by clicking it away. But if
> it is a first-time connection, there will be a pop-up asking whether the
> key fingerprint is correct. If the user doesn't pay attention there (and
> to be honest - which average user does?), it would be possible to
> connect to a rogue server without wanting to.
>
> -Stefan
> _______________________________________________
> X2Go-Dev mailing list
> [email protected]
> https://lists.berlios.de/mailman/listinfo/x2go-dev

--
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team

email: [email protected]
web: www.obviously-nice.de

--> X2go - everywhere@home
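Added example, not part of the original thread and not X2Go Client code: a stand-alone C++ sketch of the fix discussed above, where fields of untrusted server output are read through a bounds-checked accessor with the same contract as Qt's `QList::value(i)` instead of `operator[]`. The `id|display|status` line format, `SessionInfo` and `parse_session` are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Split one line of server output on a delimiter (constructed format).
std::vector<std::string> split(const std::string& line, char delim) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : line) {
        if (c == delim) { out.push_back(cur); cur.clear(); }
        else cur.push_back(c);
    }
    out.push_back(cur);
    return out;
}

// Same contract as Qt's QList::value(i): an out-of-range index yields a
// default-constructed value instead of undefined behaviour or a crash.
std::string value_at(const std::vector<std::string>& v, std::size_t i) {
    return i < v.size() ? v[i] : std::string();
}

// Hypothetical record for one session line "id|display|status".
struct SessionInfo { std::string id, display, status; };

// Returns false for truncated or empty-field lines; 'out' is only written
// on success, so a malformed server reply cannot leave partial state behind.
bool parse_session(const std::string& line, SessionInfo& out) {
    const std::vector<std::string> f = split(line, '|');
    SessionInfo s{value_at(f, 0), value_at(f, 1), value_at(f, 2)};
    if (s.id.empty() || s.display.empty() || s.status.empty())
        return false;  // treat malformed server output as an error
    out = s;
    return true;
}

int main() {
    // Constructed sample lines: one well-formed, one truncated by the server.
    const std::vector<std::string> lines = {"sess-1|50|R", "sess-2"};
    for (const std::string& line : lines) {
        SessionInfo s;
        std::cout << line << " -> "
                  << (parse_session(line, s) ? "ok" : "rejected") << "\n";
    }
    return 0;
}
```

The accessor alone only removes the crash; the explicit empty-field check is what turns a short reply into a handled error rather than silently empty values.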
