Date: Tue, 21 Jul 2015 07:50:58 -0400 (EDT) From: cve-assign@...re.org To: rgbkrk@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, khanam@...ibm.com, security@...thon.org Subject: Re: CVE request: IPython CSRF validation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Software name: IPython notebook > Attack outcome: Possible remote execution > Patches: > 2.x: > https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0 > 3.x: > https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816 > > POST requests exposed via the IPython REST API are vulnerable to > cross-site request forgery (CSRF). Web pages on different domains can make > non-AJAX POST requests to known IPython URLs, and IPython will honor them. > The user's browser will automatically send IPython cookies along with the > requests. Use CVE-2015-5607. This part of the patch seems unusual, but we haven't researched it at all: host = self.request.headers.get("Host") origin = self.request.headers.get("Origin") # If no header is provided, assume it comes from a script/curl. # We are only concerned with cross-site browser stuff here. if origin is None or host is None: return True Is this a case where it is safe to skip CSRF protection in all situations where the client omits an Origin header? - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVrjG9AAoJEKllVAevmvms5UwH/2hScDKEqZ7YRg+Rrh5GNsZj /EqVTy7VhFSr67xFxE1p/wn8X6UsRs4c4C1BtqGdbFFgh/UHE2X3uFrqeSEX+mWg i5fDE+OGKSZdqK+UM0pazNsEtWCyrvx/5j+zJ7PSL2Jejrc4v81F/UGP83qtY5CC 1cbslombkmi1juKiupm57sQwqCAhVPASrTaQn9LFZyDlcuvpa/93OlGgdKtlyqX4 u77/cDUVQ+RVb0Ivj9EJAJbfjhfdZ8h/BDn8GiAbQ51ADpogTDCpPpIqRN+9/0d1 LAaDDbROGwBc0IdDzlDB8D2sW2z28o/D6tL9U7Kj5xYKsHuXC8PjPkSBaHZ3om8= =jjDB -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ