On 24/01/2012 19:20, Ben Bucksch wrote:
On 24.01.2012 20:08, Giles Coochey wrote:
I have seen this is an often requested feature

Yes, I understand. It can be highly useful. That's why I proposed to make a "Paste" button in the main toolbar (probably with a keyboard shortcut, too). So, the user would have to press one more button / key (3 actions instead of 2) for the information to travel to the remote host. Compared to the risk, I think that's an acceptable tradeoff. Please tell me that you have never ever copied a password (or anything else highly sensitive) using the clipboard.
I have done this, and I have understood the risks.
In my personal experience there was a case (a CDE - credit card data environment) where clipboard segregation between remote and local systems was a requirement. It was in this case that Citrix was chosen over other competing 'remote-application' products because of a feature it had to disable the seamless clipboard functionality.

I guess what makes my case and the government agency case different is that for you and others, VNC is typically the primary focus, but here on my machine it's running all the time, I have several test machines with untrusted software running and connected *always*.

I think that whether this is a security issue depends on whether the VNC viewer in question is a fit tool for what you're using it for. Otherwise others may say it's a feature and not a bug, or at least your bug is my feature. I would see if you could ask them to have it as an optional feature though.
I would confirm that patch functions first - I found it in a thread regarding errors connecting to Mac OS X servers, and from the patch information, it may only stop the clipboard from server to client and not vice versa, but having seen it, I would imagine that you can find all the clipboard functions in the source and pretty much comment out their code.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/