Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 22 Jun 2015 08:16:03 -0500
From: Kyle Kelley <rgbkrk@...il.com>
To: oss-security@...ts.openwall.com
Cc: security@...thon.org
Subject: CVE request: IPython XSS in JSON error responses

Email addresses of requester: security@...thon.org; rgbkrk@...il.com;
khanam@...ibm.com
Software name: IPython notebook
Type of vulnerability: XSS
Attack outcome: Remote execution
Patch/issue:
 * Current 3.x release
https://github.com/ipython/ipython/commit/7222bd53ad089a65fd610fab4626f9d0ab47dfce
 * Minor backport to 2.x
https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb549c


Affected versions: 2.0 ≤ version ≤ 2.4.1, 3.0 ≤ version ≤ 3.1

Summary: JSON error responses from the IPython notebook REST API contained
URL parameters and were incorrectly reported as text/html instead of
application/json. The error messages included some of these URL params,
resulting in a cross site scripting attack. This affects users on Mozilla
Firefox but not Chromium/Google Chrome.

API paths with issues:

* /api/contents (3.0-3.1)
* /api/notebooks (2.0-2.4, 3.0-3.1)

Mitigations:

Upgrade to IPython 3.2. If using pip,

  pip install --upgrade ipython[notebook]

For conda:

  conda update conda
  conda update ipython ipython-notebook

If you can't upgrade directly,

* Set the content security policy for the API headers of the notebook to
include `default-src 'none'` (
https://ipython.org/ipython-doc/3/whatsnew/version3.html#content-security-policy
)
* Set the content type on API handlers to application/json

Vulnerability was found by Ahmad Khan, Security Engineer at IBM.


-- 
Kyle Kelley (@...krk <https://twitter.com/rgbkrk>; lambdaops.com,
developer.rackspace.com)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ