Date: Wed, 9 Sep 2015 05:51:58 -0500
From: Kyle Kelley <rgbkrk@...il.com>
To: Juan Broullón <thebrowfc@...il.com>
Cc: Matthias Bussonnier <bussonniermatthias@...il.com>, oss-security@...ts.openwall.com, 
	"security@...thon.org" <security@...thon.org>, Jonathan Kamens <jkamens@...ntopian.com>
Subject: Re: CVE Request : CSRF in IPython/Jupyter notebook Tree.

Could a CVE still be assigned for this or does Matthias need to re-submit?

On Wed, Sep 2, 2015 at 8:34 AM, Juan Broullón <thebrowfc@...il.com> wrote:

> No worries.
>
> On Wed, 2 Sept 2015 at 15:14, Matthias Bussonnier <
> bussonniermatthias@...il.com> wrote:
>
>> GRaaah I copy pasted the wrong version. I fixed it locally before sending.
>> Sorry, I should send these mails in a hurry.
>>
>> On Wed, Sep 2, 2015 at 3:07 PM, Juan Broullón <thebrowfc@...il.com>
>> wrote:
>> > Hey guys,
>> >
>> > Thank you for reporting the issue, but it's an XSS, not a CSRF :)
>> >
>> > Regards, Juan.
>> >
>> > On Wed, 2 Sept 2015 at 15:00, Matthias Bussonnier
>> > <bussonniermatthias@...il.com> wrote:
>> >>
>> >>
>> >> Email addresses of requester: security@...thon.org; rgbkrk@...il.com;
>> >> bussonniermatthias@...il.com; thebrowfc@...il.com;
>> >> jkamens@...ntopian.com
>> >>
>> >> Software name: IPython notebook / Jupyter notebook
>> >>
>> >> Type of vulnerability: CSRF
>> >>
>> >> Attack outcome: Possible remote execution
>> >> Patches:
>> >>   3.x: `3ab41641cf6fce3860c73d5cf4645aa12e1e5892`
>> >>     (https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892)
>> >>   4.0.x: `dd9876381f0ef09873d8c5f6f2063269172331e3`
>> >>     (https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3)
>> >>   4.x: `35f32dd2da804d108a3a3585b69ec3295b2677ed`
>> >>     (https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed)
>> >>
>> >>
>> >> Affected versions: 0.12 ≤ version ≤ 4.0
>> >>
>> >> (Note: software changed name between 3.x and 4.0)
>> >>
>> >> Summary: Local folder name was used in HTML templates without escaping,
>> >> allowing CSRF in said pages by carefully crafting folder name and URL
>> >> to access it.
>> >>
>> >>
>> >> URI with issues:
>> >>
>> >> * GET /tree/**
>> >>
>> >> Mitigations:
>> >>
>> >> Start notebook server with the following flag:
>> >>
>> >> --NotebookApp.jinja_environment_options='{"autoescape":True}'
>> >>
>> >> Or set the following configuration option:
>> >>
>> >> c.NotebookApp.jinja_environment_options = {"autoescape": True}
>> >>
>> >>
>> >> Upgrade to IPython/Jupyter notebook 4.0.5, 4.1 or 3.2.2 once available.
>> >> If using pip,
>> >>
>> >>     pip install --upgrade 'ipython[notebook]<4.0'  # for 3.2.2
>> >>     pip install --upgrade notebook # for 4.1
>> >>
>> >>
>> >> For conda:
>> >>
>> >>     conda update conda
>> >>     conda update ipython 'ipython-notebook<4.0' # for 3.2.2
>> >>     conda update notebook # for 4.1 or 4.0.5
>> >>
>> >>
>> >> Vulnerability was found by Juan Broullón, and reported by Jonathan
>> >> Kamens at Quantopian.
>> >>
>> >> Thanks !
>> >> --
>> >> Matthias
>> >>
>> >
>>
>


-- 
Kyle Kelley (@...krk <https://twitter.com/rgbkrk>; lambdaops.com,
developer.rackspace.com)
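
The autoescape mitigation quoted in the thread above, shown on a small Jinja2 template. This is an added example, not part of the original messages and not the notebook's own code; the template, the folder names and the helper functions are constructed for illustration.

```python
from jinja2 import Environment, DictLoader

# Constructed stand-in for a directory-listing template (not the notebook's own).
TEMPLATES = {"tree.html": "<h1>Index of {{ folder_name }}</h1>"}

# Constructed folder names: one plain, one carrying HTML markup.
PLAIN_NAME = "reports-2015"
MARKUP_NAME = "reports<u>2015"


def render_tree(folder_name, jinja_environment_options=None):
    """Render the listing page with the given Jinja2 Environment options."""
    env = Environment(loader=DictLoader(TEMPLATES),
                      **(jinja_environment_options or {}))
    return env.get_template("tree.html").render(folder_name=folder_name)


def renders_raw_markup(folder_name, jinja_environment_options=None):
    """True if HTML metacharacters in the name reach the page unescaped."""
    page = render_tree(folder_name, jinja_environment_options)
    has_metachars = any(ch in folder_name for ch in "<>&\"'")
    return has_metachars and folder_name in page


if __name__ == "__main__":
    # Jinja2 leaves autoescape off unless the Environment is told otherwise.
    for label, options in (("default", None),
                           ("mitigated", {"autoescape": True})):
        print(label,
              render_tree(MARKUP_NAME, options),
              renders_raw_markup(MARKUP_NAME, options))
```

A check like renders_raw_markup can be kept as a regression test so that a template change which reintroduces unescaped output is caught.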
