oss-sec mailing list archives
Re: CVE request: IPython CSRF validation
From: cve-assign () mitre org
Date: Tue, 21 Jul 2015 07:50:58 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Software name: IPython notebook
Attack outcome: Possible remote execution
Patches:
2.x: https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0
3.x: https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816

POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user's browser will automatically send IPython cookies along with the requests.
Use CVE-2015-5607.

This part of the patch seems unusual, but we haven't researched it at all:

    host = self.request.headers.get("Host")
    origin = self.request.headers.get("Origin")
    # If no header is provided, assume it comes from a script/curl.
    # We are only concerned with cross-site browser stuff here.
    if origin is None or host is None:
        return True

Is this a case where it is safe to skip CSRF protection in all situations where the client omits an Origin header?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVrjG9AAoJEKllVAevmvms5UwH/2hScDKEqZ7YRg+Rrh5GNsZj
/EqVTy7VhFSr67xFxE1p/wn8X6UsRs4c4C1BtqGdbFFgh/UHE2X3uFrqeSEX+mWg
i5fDE+OGKSZdqK+UM0pazNsEtWCyrvx/5j+zJ7PSL2Jejrc4v81F/UGP83qtY5CC
1cbslombkmi1juKiupm57sQwqCAhVPASrTaQn9LFZyDlcuvpa/93OlGgdKtlyqX4
u77/cDUVQ+RVb0Ivj9EJAJbfjhfdZ8h/BDn8GiAbQ51ADpogTDCpPpIqRN+9/0d1
LAaDDbROGwBc0IdDzlDB8D2sW2z28o/D6tL9U7Kj5xYKsHuXC8PjPkSBaHZ3om8=
=jjDB
-----END PGP SIGNATURE-----
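Editor's added example (not code from the IPython patch or from either poster): a small model of the Origin-versus-Host check quoted above, run against constructed header sets, to make the question in the message concrete. `lenient_check` keeps the structure of the quoted snippet, so a request with no Origin header is allowed outright; `strict_check` is a hypothetical stricter variant that also treats `Origin: null` as cross-site, falls back to Referer when Origin is absent, and refuses requests carrying neither. The header dictionaries, the function names and the Referer fallback are assumptions made here for illustration, not IPython behaviour. The caveat the example is built around: the lenient rule is only as good as the assumption that every browser form submission carries an Origin header. Older Firefox releases did not attach Origin to form POSTs, and an attacker page can also suppress Referer, so "no Origin" does not by itself prove a non-browser client; scripts and curl are better distinguished by a token or custom header than by the absence of headers.

```python
from urllib.parse import urlsplit

# Constructed sample header sets (not taken from the page). Each dict stands in
# for what a Tornado handler sees in self.request.headers.
CROSS_SITE_FORM_POST = {"Host": "localhost:8888",
                        "Origin": "http://attacker.example"}
SAME_ORIGIN_POST = {"Host": "localhost:8888",
                    "Origin": "http://localhost:8888"}
CURL_POST = {"Host": "localhost:8888"}             # no Origin, no Referer
NO_ORIGIN_BROWSER_POST = {"Host": "localhost:8888",  # form POST from a browser
                          "Referer": "http://attacker.example/csrf.html"}
NULL_ORIGIN_POST = {"Host": "localhost:8888", "Origin": "null"}


def origin_matches_host(origin, host):
    """True only if the Origin header names exactly the host[:port] in Host.

    Origin carries a scheme ("http://localhost:8888"); Host does not. The
    literal value "null" (sandboxed iframes, some redirects) is never a match.
    Default-port normalisation is deliberately left out here.
    """
    if origin is None or origin == "null":
        return False
    return urlsplit(origin).netloc.lower() == host.lower()


def lenient_check(headers):
    """Same decision structure as the quoted snippet: allow if either header
    is missing, otherwise require Origin to match Host."""
    host = headers.get("Host")
    origin = headers.get("Origin")
    if origin is None or host is None:
        return True
    return origin_matches_host(origin, host)


def strict_check(headers):
    """Hypothetical stricter variant (an assumption of this example, not
    IPython's code): fall back to Referer when Origin is absent and refuse
    when neither is present, leaving non-browser clients to authenticate
    with a token or custom header instead of the absence of headers."""
    host = headers.get("Host")
    if host is None:
        return False
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = "{0}://{1}".format(parts.scheme, parts.netloc)
    return origin_matches_host(origin, host)


def compare(headers):
    """Return (lenient, strict) verdicts for one header set."""
    return lenient_check(headers), strict_check(headers)


if __name__ == "__main__":
    for name, hdrs in [("cross-site form POST", CROSS_SITE_FORM_POST),
                       ("same-origin POST", SAME_ORIGIN_POST),
                       ("curl, no headers", CURL_POST),
                       ("browser POST without Origin", NO_ORIGIN_BROWSER_POST),
                       ("Origin: null", NULL_ORIGIN_POST)]:
        lenient, strict = compare(hdrs)
        print("{0:30s} lenient={1!s:5s} strict={2!s}".format(name, lenient, strict))
```

The two header sets worth watching are the browser POST that arrives without Origin but with a Referer, which the lenient rule waves through and the strict rule rejects, and the bare curl request, which only the lenient rule accepts; the strict variant pushes that case onto a separate credential rather than trusting the missing header.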
Current thread:
- CVE request: IPython CSRF validation Kyle Kelley (Jul 12)
- Re: CVE request: IPython CSRF validation cve-assign (Jul 21)
- Re: CVE request: IPython CSRF validation Kyle Kelley (Jul 21)
- Re: CVE request: IPython CSRF validation cve-assign (Jul 21)