oss-sec mailing list archives
CVE request: IPython XSS in JSON error responses
From: Kyle Kelley <rgbkrk () gmail com>
Date: Mon, 22 Jun 2015 08:16:03 -0500
Email addresses of requester: security () ipython org; rgbkrk () gmail com; khanam () us ibm com

Software name: IPython notebook

Type of vulnerability: XSS

Attack outcome: Remote execution

Patch/issue:
* Current 3.x release https://github.com/ipython/ipython/commit/7222bd53ad089a65fd610fab4626f9d0ab47dfce
* Minor backport to 2.x https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb549c

Affected versions: 2.0 ≤ version ≤ 2.4.1, 3.0 ≤ version ≤ 3.1

Summary: JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack. This affects users on Mozilla Firefox but not Chromium/Google Chrome.

API paths with issues:
* /api/contents (3.0-3.1)
* /api/notebooks (2.0-2.4, 3.0-3.1)

Mitigations: Upgrade to IPython 3.2.

If using pip:
pip install --upgrade ipython[notebook]

For conda:
conda update conda
conda update ipython ipython-notebook

If you can't upgrade directly,
* Set the content security policy for the API headers of the notebook to include `default-src 'none'` ( https://ipython.org/ipython-doc/3/whatsnew/version3.html#content-security-policy )
* Set the content type on API handlers to application/json

Vulnerability was found by Ahmad Khan, Security Engineer at IBM.

--
Kyle Kelley (@rgbkrk <https://twitter.com/rgbkrk>; lambdaops.com, developer.rackspace.com)
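The two mitigations in the request (a JSON content type on API handlers and a `default-src 'none'` CSP) can be modelled side by side with the pre-fix behaviour. This is an added example, not IPython's own handler code; the function names, the sample path and the extra `X-Content-Type-Options` header are assumptions of the example.

```python
import json

# Constructed sample: a request path that a browser would render as markup if
# the error body were served as text/html (a demonstration value, not from the advisory).
SAMPLE_PATH = "/api/contents/<b>missing</b>.ipynb"
CSP_API = "default-src 'none'"  # the CSP value the advisory recommends for API handlers


def weak_error_response(status, message, path):
    """Pre-fix behaviour described in the advisory: the body is a text/html
    document and the request path is interpolated into it unescaped."""
    body = f"<html><body>{status}: {message} ({path})</body></html>"
    headers = {"Content-Type": "text/html; charset=UTF-8"}
    return status, headers, body


def hardened_error_response(status, message, path):
    """Mitigated behaviour: JSON body with a JSON content type and the
    restrictive CSP, so the browser never treats the body as a document."""
    body = json.dumps({"status": status, "message": message, "path": path})
    headers = {
        "Content-Type": "application/json",
        "Content-Security-Policy": CSP_API,
        # Not in the advisory; an extra header that stops MIME sniffing of the body.
        "X-Content-Type-Options": "nosniff",
    }
    return status, headers, body


def audit_api_error_headers(headers):
    """Defender's check against a captured API error response: return the list
    of advisory mitigations that the response headers do not satisfy."""
    findings = []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        findings.append(f"Content-Type is {ctype or 'missing'}, expected application/json")
    csp = headers.get("Content-Security-Policy", "")
    directives = {d.strip() for d in csp.split(";") if d.strip()}
    if CSP_API not in directives:
        findings.append("Content-Security-Policy lacks default-src 'none'")
    return findings


if __name__ == "__main__":
    for build in (weak_error_response, hardened_error_response):
        _, headers, body = build(404, "No such file or directory", SAMPLE_PATH)
        print(build.__name__, audit_api_error_headers(headers), body, sep="\n  ")
```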