CVE request: IPython XSS in JSON error responses

[Kyle Kelley <rgbkrk () gmail com>]

Email addresses of requester: security () ipython org; rgbkrk () gmail com;
khanam () us ibm com
Software name: IPython notebook
Type of vulnerability: XSS
Attack outcome: Remote execution
Patch/issue:
 * Current 3.x release
https://github.com/ipython/ipython/commit/7222bd53ad089a65fd610fab4626f9d0ab47dfce
 * Minor backport to 2.x
https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb549c


Affected versions: 2.0 ≤ version ≤ 2.4.1, 3.0 ≤ version ≤ 3.1

Summary: JSON error responses from the IPython notebook REST API contained
URL parameters and were incorrectly reported as text/html instead of
application/json. The error messages included some of these URL params,
resulting in a cross site scripting attack. This affects users on Mozilla
Firefox but not Chromium/Google Chrome.

API paths with issues:

* /api/contents (3.0-3.1)
* /api/notebooks (2.0-2.4, 3.0-3.1)

Mitigations:

Upgrade to IPython 3.2. If using pip,

  pip install --upgrade ipython[notebook]

For conda:

  conda update conda
  conda update ipython ipython-notebook

If you can't upgrade directly,

* Set the content security policy for the API headers of the notebook to
include `default-src 'none'` (
https://ipython.org/ipython-doc/3/whatsnew/version3.html#content-security-policy
)
* Set the content type on API handlers to application/json

Vulnerability was found by Ahmad Khan, Security Engineer at IBM.


-- 
Kyle Kelley (@rgbkrk <https://twitter.com/rgbkrk>; lambdaops.com,
developer.rackspace.com)