Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Jul 2015 07:50:58 -0400 (EDT)
From: cve-assign@...re.org
To: rgbkrk@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, khanam@...ibm.com, security@...thon.org
Subject: Re: CVE request: IPython CSRF validation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Software name: IPython notebook
> Attack outcome: Possible remote execution
> Patches:
>   2.x:
> https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0
>   3.x:
> https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816
> 
> POST requests exposed via the IPython REST API are vulnerable to
> cross-site request forgery (CSRF). Web pages on different domains can make
> non-AJAX POST requests to known IPython URLs, and IPython will honor them.
> The user's browser will automatically send IPython cookies along with the
> requests.

Use CVE-2015-5607.

This part of the patch seems unusual, but we haven't researched it at all:

  host = self.request.headers.get("Host")
  origin = self.request.headers.get("Origin")

  # If no header is provided, assume it comes from a script/curl.
  # We are only concerned with cross-site browser stuff here.
  if origin is None or host is None:
     return True

Is this a case where it is safe to skip CSRF protection in all
situations where the client omits an Origin header?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVrjG9AAoJEKllVAevmvms5UwH/2hScDKEqZ7YRg+Rrh5GNsZj
/EqVTy7VhFSr67xFxE1p/wn8X6UsRs4c4C1BtqGdbFFgh/UHE2X3uFrqeSEX+mWg
i5fDE+OGKSZdqK+UM0pazNsEtWCyrvx/5j+zJ7PSL2Jejrc4v81F/UGP83qtY5CC
1cbslombkmi1juKiupm57sQwqCAhVPASrTaQn9LFZyDlcuvpa/93OlGgdKtlyqX4
u77/cDUVQ+RVb0Ivj9EJAJbfjhfdZ8h/BDn8GiAbQ51ADpogTDCpPpIqRN+9/0d1
LAaDDbROGwBc0IdDzlDB8D2sW2z28o/D6tL9U7Kj5xYKsHuXC8PjPkSBaHZ3om8=
=jjDB
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ