Date: Mon, 22 Jun 2015 08:16:03 -0500 From: Kyle Kelley <rgbkrk@...il.com> To: oss-security@...ts.openwall.com Cc: security@...thon.org Subject: CVE request: IPython XSS in JSON error responses Email addresses of requester: security@...thon.org; rgbkrk@...il.com; khanam@...ibm.com Software name: IPython notebook Type of vulnerability: XSS Attack outcome: Remote execution Patch/issue: * Current 3.x release https://github.com/ipython/ipython/commit/7222bd53ad089a65fd610fab4626f9d0ab47dfce * Minor backport to 2.x https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb549c Affected versions: 2.0 ≤ version ≤ 2.4.1, 3.0 ≤ version ≤ 3.1 Summary: JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack. This affects users on Mozilla Firefox but not Chromium/Google Chrome. API paths with issues: * /api/contents (3.0-3.1) * /api/notebooks (2.0-2.4, 3.0-3.1) Mitigations: Upgrade to IPython 3.2. If using pip, pip install --upgrade ipython[notebook] For conda: conda update conda conda update ipython ipython-notebook If you can't upgrade directly, * Set the content security policy for the API headers of the notebook to include `default-src 'none'` ( https://ipython.org/ipython-doc/3/whatsnew/version3.html#content-security-policy ) * Set the content type on API handlers to application/json Vulnerability was found by Ahmad Khan, Security Engineer at IBM. -- Kyle Kelley (@...krk <https://twitter.com/rgbkrk>; lambdaops.com, developer.rackspace.com)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ