oss-sec mailing list archives
Re: CVE Request : CSRF in IPython/Jupyter notebook Tree.
From: Kyle Kelley <rgbkrk () gmail com>
Date: Wed, 9 Sep 2015 05:51:58 -0500
Could a CVE still be assigned for this or does Matthias need to re-submit? On Wed, Sep 2, 2015 at 8:34 AM, Juan Broullón <thebrowfc () gmail com> wrote:
No worries. El El mié, 2 sept 2015 a las 15:14, Matthias Bussonnier < bussonniermatthias () gmail com> escribió:GRaaah I copy pasted the wrong version. I fixed it locally before sending. Sorry, I should send these mails in hurry. On Wed, Sep 2, 2015 at 3:07 PM, Juan Broullón <thebrowfc () gmail com> wrote:Hey guys, Thank you for reporting the issue, but it's a XSS, not a CSRF :) Regards, Juan. El El mié, 2 sept 2015 a las 15:00, Matthias Bussonnier <bussonniermatthias () gmail com> escribió:Email addresses of requester: security () ipython org; rgbkrk () gmail com; bussonniermatthias () gmail com; thebrowfc () gmail com;jkamens () quantopian comSoftware name: IPython notebook / Jupyter notebook Type of vulnerability: CSRF Attack outcome: Possible remote execution Patches: 3.x: `3ab41641cf6fce3860c73d5cf4645aa12e1e5892` (https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892 )4.0.x: `dd9876381f0ef09873d8c5f6f2063269172331e3` (https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3 )4.x: `35f32dd2da804d108a3a3585b69ec3295b2677ed` (https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed )Affected versions: 0.12 ≤ version ≤ 4.0 (Note, software change name between 3.x and 4.0) Summary: Local folder name was used in HTML templates without escaping, allowing CSRF in said pages by carefully crafting folder name and URLtoaccess it. URI with issues: * GET /tree/** Mitigations: Start notebook server with the following flag: --NotebookApp.jinja_environment_options='{"autoescape":True}' Or set the following configuration option: c.NotebookApp.jinja_environment_options = {"autoescape": True} Upgrade to IPython/Jupyter notebook 4.0.5, 4.1 or 3.2.2 once available. If using pip, pip install --upgrade `ipython[notebook]<4.0` # for 3.2.2 pip install --upgrade notebook # for 4.1 For conda: conda update conda conda update ipython 'ipython-notebook<4.0' # for 3.2.2 conda update notebook # for 4.1 or 4.0.5 Vulnerability was found by Juan Broullón, and reported by JonathanKamensat Quantopian. Thanks ! -- Matthias
-- Kyle Kelley (@rgbkrk <https://twitter.com/rgbkrk>; lambdaops.com, developer.rackspace.com)
Current thread:
- CVE Request : CSRF in IPython/Jupyter notebook Tree. Matthias Bussonnier (Sep 02)
- Re: CVE Request : CSRF in IPython/Jupyter notebook Tree. Juan Broullón (Sep 02)
- Message not available
- Message not available
- Re: CVE Request : CSRF in IPython/Jupyter notebook Tree. Kyle Kelley (Sep 09)
- Message not available
- Re: CVE Request : CSRF in IPython/Jupyter notebook Tree. Juan Broullón (Sep 02)
- Re: CVE Request : CSRF in IPython/Jupyter notebook Tree. cve-assign (Sep 14)