Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 2 Sep 2015 15:00:25 +0200
From: Matthias Bussonnier <bussonniermatthias@...il.com>
To: oss-security@...ts.openwall.com
Cc: security@...thon.org,
 Kyle Kelley <rgbkrk@...il.com>,
 Jonathan Kamens <jkamens@...ntopian.com>,
 thebrowfc@...il.com
Subject: CVE Request : CSRF in IPython/Jupyter notebook Tree.


Email addresses of requester: security@...thon.org; rgbkrk@...il.com; bussonniermatthias@...il.com; thebrowfc@...il.com; jkamens@...ntopian.com 

Software name: IPython notebook / Jupyter notebook

Type of vulnerability: CSRF

Attack outcome: Possible remote execution
Patches:
  3.x: `3ab41641cf6fce3860c73d5cf4645aa12e1e5892` (https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892)
  4.0.x: `dd9876381f0ef09873d8c5f6f2063269172331e3` (https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3)
  4.x: `35f32dd2da804d108a3a3585b69ec3295b2677ed` (https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed)


Affected versions: 0.12 ≤ version ≤ 4.0

(Note, software change name between 3.x and 4.0)

Summary: Local folder name was used in HTML templates without escaping, allowing CSRF in said pages by carefully crafting folder name and URL to access it.


URI with issues:

* GET /tree/**

Mitigations:

Start notebook server with the following flag:

--NotebookApp.jinja_environment_options='{"autoescape":True}'

Or set the following configuration option:

c.NotebookApp.jinja_environment_options = {"autoescape": True}


Upgrade to IPython/Jupyter notebook 4.0.5, 4.1 or 3.2.2 once available.
If using pip,

    pip install --upgrade `ipython[notebook]<4.0`  # for 3.2.2
    pip install --upgrade notebook # for 4.1


For conda:

    conda update conda
    conda update ipython 'ipython-notebook<4.0' # for 3.2.2
    conda update notebook # for 4.1 or 4.0.5


Vulnerability was found by Juan Broullón, and reported by Jonathan Kamens at Quantopian.

Thanks !
-- 
Matthias

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ