Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 02 Sep 2015 13:07:23 +0000
From: Juan Broullón <thebrowfc@...il.com>
To: Matthias Bussonnier <bussonniermatthias@...il.com>, oss-security@...ts.openwall.com
Cc: security@...thon.org, Kyle Kelley <rgbkrk@...il.com>, 
	Jonathan Kamens <jkamens@...ntopian.com>
Subject: Re: CVE Request : CSRF in IPython/Jupyter notebook Tree.

Hey guys,

Thank you for reporting the issue, but it's a XSS, not a CSRF :)

Regards, Juan.
El El mié, 2 sept 2015 a las 15:00, Matthias Bussonnier <
bussonniermatthias@...il.com> escribió:

>
> Email addresses of requester: security@...thon.org; rgbkrk@...il.com;
> bussonniermatthias@...il.com; thebrowfc@...il.com; jkamens@...ntopian.com
>
> Software name: IPython notebook / Jupyter notebook
>
> Type of vulnerability: CSRF
>
> Attack outcome: Possible remote execution
> Patches:
>   3.x: `3ab41641cf6fce3860c73d5cf4645aa12e1e5892` (
> https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892
> )
>   4.0.x: `dd9876381f0ef09873d8c5f6f2063269172331e3` (
> https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3
> )
>   4.x: `35f32dd2da804d108a3a3585b69ec3295b2677ed` (
> https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed
> )
>
>
> Affected versions: 0.12 ≤ version ≤ 4.0
>
> (Note, software change name between 3.x and 4.0)
>
> Summary: Local folder name was used in HTML templates without escaping,
> allowing CSRF in said pages by carefully crafting folder name and URL to
> access it.
>
>
> URI with issues:
>
> * GET /tree/**
>
> Mitigations:
>
> Start notebook server with the following flag:
>
> --NotebookApp.jinja_environment_options='{"autoescape":True}'
>
> Or set the following configuration option:
>
> c.NotebookApp.jinja_environment_options = {"autoescape": True}
>
>
> Upgrade to IPython/Jupyter notebook 4.0.5, 4.1 or 3.2.2 once available.
> If using pip,
>
>     pip install --upgrade `ipython[notebook]<4.0`  # for 3.2.2
>     pip install --upgrade notebook # for 4.1
>
>
> For conda:
>
>     conda update conda
>     conda update ipython 'ipython-notebook<4.0' # for 3.2.2
>     conda update notebook # for 4.1 or 4.0.5
>
>
> Vulnerability was found by Juan Broullón, and reported by Jonathan Kamens
> at Quantopian.
>
> Thanks !
> --
> Matthias
>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.