Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 9 Sep 2015 05:51:58 -0500
From: Kyle Kelley <rgbkrk@...il.com>
To: Juan Broullón <thebrowfc@...il.com>
Cc: Matthias Bussonnier <bussonniermatthias@...il.com>, oss-security@...ts.openwall.com, 
	"security@...thon.org" <security@...thon.org>, Jonathan Kamens <jkamens@...ntopian.com>
Subject: Re: CVE Request : CSRF in IPython/Jupyter notebook Tree.

Could a CVE still be assigned for this or does Matthias need to re-submit?

On Wed, Sep 2, 2015 at 8:34 AM, Juan Broullón <thebrowfc@...il.com> wrote:

> No worries.
>
> El El mié, 2 sept 2015 a las 15:14, Matthias Bussonnier <
> bussonniermatthias@...il.com> escribió:
>
>> GRaaah I copy pasted the wrong version. I fixed it locally before sending.
>> Sorry, I should send these mails in hurry.
>>
>> On Wed, Sep 2, 2015 at 3:07 PM, Juan Broullón <thebrowfc@...il.com>
>> wrote:
>> > Hey guys,
>> >
>> > Thank you for reporting the issue, but it's a XSS, not a CSRF :)
>> >
>> > Regards, Juan.
>> >
>> > El El mié, 2 sept 2015 a las 15:00, Matthias Bussonnier
>> > <bussonniermatthias@...il.com> escribió:
>> >>
>> >>
>> >> Email addresses of requester: security@...thon.org; rgbkrk@...il.com;
>> >> bussonniermatthias@...il.com; thebrowfc@...il.com;
>> jkamens@...ntopian.com
>> >>
>> >> Software name: IPython notebook / Jupyter notebook
>> >>
>> >> Type of vulnerability: CSRF
>> >>
>> >> Attack outcome: Possible remote execution
>> >> Patches:
>> >>   3.x: `3ab41641cf6fce3860c73d5cf4645aa12e1e5892`
>> >> (
>> https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892
>> )
>> >>   4.0.x: `dd9876381f0ef09873d8c5f6f2063269172331e3`
>> >> (
>> https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3
>> )
>> >>   4.x: `35f32dd2da804d108a3a3585b69ec3295b2677ed`
>> >> (
>> https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed
>> )
>> >>
>> >>
>> >> Affected versions: 0.12 ≤ version ≤ 4.0
>> >>
>> >> (Note, software change name between 3.x and 4.0)
>> >>
>> >> Summary: Local folder name was used in HTML templates without escaping,
>> >> allowing CSRF in said pages by carefully crafting folder name and URL
>> to
>> >> access it.
>> >>
>> >>
>> >> URI with issues:
>> >>
>> >> * GET /tree/**
>> >>
>> >> Mitigations:
>> >>
>> >> Start notebook server with the following flag:
>> >>
>> >> --NotebookApp.jinja_environment_options='{"autoescape":True}'
>> >>
>> >> Or set the following configuration option:
>> >>
>> >> c.NotebookApp.jinja_environment_options = {"autoescape": True}
>> >>
>> >>
>> >> Upgrade to IPython/Jupyter notebook 4.0.5, 4.1 or 3.2.2 once available.
>> >> If using pip,
>> >>
>> >>     pip install --upgrade `ipython[notebook]<4.0`  # for 3.2.2
>> >>     pip install --upgrade notebook # for 4.1
>> >>
>> >>
>> >> For conda:
>> >>
>> >>     conda update conda
>> >>     conda update ipython 'ipython-notebook<4.0' # for 3.2.2
>> >>     conda update notebook # for 4.1 or 4.0.5
>> >>
>> >>
>> >> Vulnerability was found by Juan Broullón, and reported by Jonathan
>> Kamens
>> >> at Quantopian.
>> >>
>> >> Thanks !
>> >> --
>> >> Matthias
>> >>
>> >
>>
>


-- 
Kyle Kelley (@rgbkrk <https://twitter.com/rgbkrk>; lambdaops.com,
developer.rackspace.com)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.