
Bug 72634

Summary: net-misc/nxserver-freenx: log shows password in clear text
Product: Gentoo Security
Reporter: veezi <veezi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: stuart
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description veezi 2004-11-27 07:22:27 UTC
nxserver-freenx-0.2.4 installation, with logging enabled. Connecting from nxclient with 'Windows' desktop will log the user password in clear text in /tmp/nxserver.log.

It's understood that nxdesktop (Windows RDP) currently does not work, but I think this is a security risk.

Also, not sure since I haven't tried them, this could possibly be true for the commercial versions of nxserver as well.

Reproducible: Always
Steps to Reproduce:

Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-11-27 11:18:16 UTC
nxserver-freenx is currently security-masked because it's very insecure to use. Passwords in verbose logs are just one more vulnerability that shows they didn't do their security homework well :)

I'll regroup this bug with bug 62912 if you don't mind.

*** This bug has been marked as a duplicate of 62912 ***