Re: CVE Request : CSRF in IPython/Jupyter notebook Tree.

[Kyle Kelley <rgbkrk () gmail com>]

Could a CVE still be assigned for this or does Matthias need to re-submit?

On Wed, Sep 2, 2015 at 8:34 AM, Juan Broullón <thebrowfc () gmail com> wrote:

> No worries.
>
> El El mié, 2 sept 2015 a las 15:14, Matthias Bussonnier <
> bussonniermatthias () gmail com> escribió:
>
> > GRaaah I copy pasted the wrong version. I fixed it locally before sending.
> > Sorry, I should send these mails in hurry.
> >
> > On Wed, Sep 2, 2015 at 3:07 PM, Juan Broullón <thebrowfc () gmail com>
> > wrote:
> > > Hey guys,
> > >
> > > Thank you for reporting the issue, but it's a XSS, not a CSRF :)
> > >
> > > Regards, Juan.
> > >
> > > El El mié, 2 sept 2015 a las 15:00, Matthias Bussonnier
> > > <bussonniermatthias () gmail com> escribió:
> > > > Email addresses of requester: security () ipython org; rgbkrk () gmail com;
> > > > bussonniermatthias () gmail com; thebrowfc () gmail com;
> > jkamens () quantopian com
> > > > Software name: IPython notebook / Jupyter notebook
> > > >
> > > > Type of vulnerability: CSRF
> > > >
> > > > Attack outcome: Possible remote execution
> > > > Patches:
> > > >   3.x: `3ab41641cf6fce3860c73d5cf4645aa12e1e5892`
> > > > (
> > https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892
> > )
> > > >   4.0.x: `dd9876381f0ef09873d8c5f6f2063269172331e3`
> > > > (
> > https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3
> > )
> > > >   4.x: `35f32dd2da804d108a3a3585b69ec3295b2677ed`
> > > > (
> > https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed
> > )
> > > > Affected versions: 0.12 ≤ version ≤ 4.0
> > > >
> > > > (Note, software change name between 3.x and 4.0)
> > > >
> > > > Summary: Local folder name was used in HTML templates without escaping,
> > > > allowing CSRF in said pages by carefully crafting folder name and URL
> > to
> > > > access it.
> > > >
> > > >
> > > > URI with issues:
> > > >
> > > > * GET /tree/**
> > > >
> > > > Mitigations:
> > > >
> > > > Start notebook server with the following flag:
> > > >
> > > > --NotebookApp.jinja_environment_options='{"autoescape":True}'
> > > >
> > > > Or set the following configuration option:
> > > >
> > > > c.NotebookApp.jinja_environment_options = {"autoescape": True}
> > > >
> > > >
> > > > Upgrade to IPython/Jupyter notebook 4.0.5, 4.1 or 3.2.2 once available.
> > > > If using pip,
> > > >
> > > >     pip install --upgrade `ipython[notebook]<4.0`  # for 3.2.2
> > > >     pip install --upgrade notebook # for 4.1
> > > >
> > > >
> > > > For conda:
> > > >
> > > >     conda update conda
> > > >     conda update ipython 'ipython-notebook<4.0' # for 3.2.2
> > > >     conda update notebook # for 4.1 or 4.0.5
> > > >
> > > >
> > > > Vulnerability was found by Juan Broullón, and reported by Jonathan
> > Kamens
> > > > at Quantopian.
> > > >
> > > > Thanks !
> > > > --
> > > > Matthias


-- 
Kyle Kelley (@rgbkrk <https://twitter.com/rgbkrk>; lambdaops.com,
developer.rackspace.com)