
Anti-CSRF token is not working in Admin panel #3304

Closed
jhespeter opened this issue Dec 11, 2020 · 2 comments
jhespeter commented Dec 11, 2020

Bug description

In JupyterHub's Admin panel, the _xsrf token is not working for the add/delete user features.
The current mechanism to protect the add/delete user features against CSRF attacks relies solely on checking the Referer header value.
Although the current Referer header examination seems to be strict enough, it could still be bypassed if the user is fooled into installing a malicious browser plugin or if any escape techniques exist.

Expected behaviour

Implement anti-CSRF techniques like Double Submit Cookie, so that JupyterHub can prevent CSRF attacks.

Actual behaviour

Even if the _xsrf token is removed, the add/delete user requests can still be accepted and processed by the server.
That could lead to a possible CSRF attack.

Screen capture of successfully adding a user without the _xsrf token: [screenshot: AddUser]

Screen capture of successfully deleting a user without the _xsrf token: [screenshot: DelUser]

How to reproduce

  1. Log in to the JupyterHub console with admin privileges
  2. Click the Control Panel button
  3. Click the Admin tab
  4. Click the Add User button / Delete User button
  5. Use a proxy technique to intercept the packet sent
  6. Modify the packet by removing the _xsrf token
  7. Send the request and see that the request is accepted

Your personal set up

  • OS:
    Kubernetes 1.12+, Helm charts 3.0+, ubi 7.8+

  • Version(s):
    JupyterHub 1.1.0, Python 3.8

Reference

OWASP - Cross-Site Request Forgery Prevention Cheat Sheet
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie

@jhespeter jhespeter added the bug label Dec 11, 2020
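Added example, not JupyterHub's own code: a framework-agnostic double-submit-cookie check in Python, illustrating why the request in step 6 above must be rejected once the _xsrf token is stripped rather than accepted on the strength of the Referer header alone. The Request class, the X-XSRFToken header name and the token values are assumptions constructed for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

XSRF_COOKIE = "_xsrf"
XSRF_HEADER = "X-XSRFToken"  # assumed header name for JavaScript clients


@dataclass
class Request:
    """Minimal stand-in for an HTTP request, constructed for this example."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def issue_xsrf_token() -> str:
    """Random token stored in the _xsrf cookie and echoed back by the site's own forms/JS."""
    return secrets.token_urlsafe(32)


def check_xsrf(request: Request) -> Tuple[bool, str]:
    """Double-submit cookie check: a state-changing request must repeat the
    cookie token in its body or a header. A cross-site page cannot read the
    cookie, so a missing or stripped token is rejected, never ignored."""
    if request.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method, no check required"
    cookie_token = request.cookies.get(XSRF_COOKIE)
    if not cookie_token:
        return False, "missing _xsrf cookie"
    submitted = request.form.get(XSRF_COOKIE) or request.headers.get(XSRF_HEADER)
    if not submitted:
        return False, "missing _xsrf token in body/header"
    if not hmac.compare_digest(cookie_token, submitted):  # constant-time compare
        return False, "_xsrf token mismatch"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Constructed add-user requests: genuine, token stripped (the bug), token forged."""
    token = issue_xsrf_token()
    cases = {
        "with_token": Request("POST", {XSRF_COOKIE: token}, {}, {XSRF_COOKIE: token, "username": "alice"}),
        "token_stripped": Request("POST", {XSRF_COOKIE: token}, {}, {"username": "alice"}),
        "wrong_token": Request("POST", {XSRF_COOKIE: token}, {XSRF_HEADER: "forged"}, {"username": "alice"}),
    }
    return {name: check_xsrf(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

With this check in place, the "token_stripped" request from the reproduction steps is refused regardless of what the Referer header says.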
welcome bot commented Dec 11, 2020

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

carnil commented Apr 29, 2022

CVE-2020-36191 appears to have been assigned for this issue.

@minrk minrk closed this as completed Sep 9, 2022