Date: Wed, 02 Sep 2015 13:07:23 +0000
From: Juan Broullón <thebrowfc@...il.com>
To: Matthias Bussonnier <bussonniermatthias@...il.com>, oss-security@...ts.openwall.com
Cc: security@...thon.org, Kyle Kelley <rgbkrk@...il.com>, 
	Jonathan Kamens <jkamens@...ntopian.com>
Subject: Re: CVE Request : CSRF in IPython/Jupyter notebook Tree.

Hey guys,

Thank you for reporting the issue, but it's an XSS, not a CSRF :)

Regards, Juan.
On Wed, 2 Sep 2015 at 15:00, Matthias Bussonnier <
bussonniermatthias@...il.com> wrote:

>
> Email addresses of requester: security@...thon.org; rgbkrk@...il.com;
> bussonniermatthias@...il.com; thebrowfc@...il.com; jkamens@...ntopian.com
>
> Software name: IPython notebook / Jupyter notebook
>
> Type of vulnerability: CSRF
>
> Attack outcome: Possible remote execution
> Patches:
>   3.x: `3ab41641cf6fce3860c73d5cf4645aa12e1e5892` (
> https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892
> )
>   4.0.x: `dd9876381f0ef09873d8c5f6f2063269172331e3` (
> https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3
> )
>   4.x: `35f32dd2da804d108a3a3585b69ec3295b2677ed` (
> https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed
> )
>
>
> Affected versions: 0.12 ≤ version ≤ 4.0
>
> (Note: the software changed name between 3.x and 4.0)
>
> Summary: Local folder name was used in HTML templates without escaping,
> allowing CSRF in said pages by carefully crafting folder name and URL to
> access it.
>
>
> URI with issues:
>
> * GET /tree/**
>
> Mitigations:
>
> Start notebook server with the following flag:
>
> --NotebookApp.jinja_environment_options='{"autoescape":True}'
>
> Or set the following configuration option:
>
> c.NotebookApp.jinja_environment_options = {"autoescape": True}
>
>
> Upgrade to IPython/Jupyter notebook 4.0.5, 4.1 or 3.2.2 once available.
> If using pip,
>
>     pip install --upgrade 'ipython[notebook]<4.0'  # for 3.2.2
>     pip install --upgrade notebook                # for 4.1
>
>
> For conda:
>
>     conda update conda
>     conda update ipython 'ipython-notebook<4.0' # for 3.2.2
>     conda update notebook # for 4.1 or 4.0.5
>
>
> Vulnerability was found by Juan Broullón, and reported by Jonathan Kamens
> at Quantopian.
>
> Thanks !
> --
> Matthias
>
>
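The advisory above recommends turning on Jinja's autoescape until a fixed release is installed. The following is an added example, not part of the original thread and not IPython/Jupyter code, that shows why that setting matters: a constructed template fragment (`TREE_TEMPLATE`, an assumption standing in for the real tree page) renders an attacker-chosen folder name once with autoescape off and once with the `{"autoescape": True}` environment option from the advisory. The crafted folder name is constructed for the example. jinja2 is used when it is installed; otherwise a tiny stand-in with the same escaping semantics is used so the example runs offline.

```python
"""Added example: unescaped folder name in a /tree/ page vs. Jinja autoescape."""
import html
import re

# Assumption: a minimal stand-in for the tree-page template. Only the fact
# that the folder name is interpolated into HTML matters for this example.
TREE_TEMPLATE = "<title>{{ folder }}</title><h1>Contents of {{ folder }}</h1>"

# Constructed attacker-controlled folder name (not taken from the advisory).
# It contains no quote characters so jinja2 and html.escape produce the same
# escaped output.
CRAFTED_FOLDER = "<script>alert(document.cookie)</script>"


def render_tree(folder: str, autoescape: bool) -> str:
    """Render TREE_TEMPLATE with the given folder name.

    `autoescape` mirrors the environment option the advisory suggests:
        c.NotebookApp.jinja_environment_options = {"autoescape": True}
    """
    jinja_environment_options = {"autoescape": autoescape}
    try:
        from jinja2 import Environment

        env = Environment(**jinja_environment_options)
        return env.from_string(TREE_TEMPLATE).render(folder=folder)
    except ImportError:
        # Stand-in renderer: substitute {{ folder }} and, when autoescape is
        # on, HTML-escape the value exactly as an escaping template engine would.
        def substitute(_match: re.Match) -> str:
            return html.escape(folder, quote=True) if autoescape else folder

        return re.sub(r"\{\{\s*folder\s*\}\}", substitute, TREE_TEMPLATE)


def contains_raw_script(page: str) -> bool:
    """True if the rendered page still carries a live <script> element."""
    return "<script>" in page


def escaping_effect(folder: str) -> dict:
    """Render both ways and report whether the injected markup survived."""
    unescaped = render_tree(folder, autoescape=False)
    escaped = render_tree(folder, autoescape=True)
    return {
        "unescaped_page": unescaped,
        "escaped_page": escaped,
        "script_survives_without_autoescape": contains_raw_script(unescaped),
        "script_survives_with_autoescape": contains_raw_script(escaped),
    }


if __name__ == "__main__":
    result = escaping_effect(CRAFTED_FOLDER)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With autoescape off the folder name lands in the page verbatim, so a crafted directory name becomes script that runs in the browser of whoever opens that `/tree/` URL. With `{"autoescape": True}` the same name is rendered as `&lt;script&gt;...&lt;/script&gt;` and displays as text. Note that the environment option is global: it escapes every variable in every template of that Jinja environment, which is the desired effect for an interim mitigation, and upgrading to a fixed release remains the proper fix.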
