Two open redirect issues found in LTI tool handling
Criticality Level: Critical (scale: Less Critical < Critical < Moderately Critical < Highly Critical)
A victim clicking a malicious link could send data to an attacker’s website.
Systems Affected: Canvas LMS
BugCrowd Security Researcher
An open redirect was discovered at /courses/:course_id/external_tools/retrieve?url=... which did not filter URLs whose host carried a trailing dot, such as https://domain.com./ . The form containing the signed OAuth POST data was generated and submitted to the attacker's web server.
An open redirect was also discovered at /courses/:course_id/lti/tool_proxy_registration?tool_consumer_url… which could additionally have been used to produce a reflected XSS, provided the victim had permission to install an LTI tool.
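Whatever the exact matching rule in the first finding was, the defensive pattern is to canonicalize the host (lowercase, trailing dots removed) before comparing it to registered tool domains and to redirect only to the canonicalized URL, since a resolver treats domain.com. and domain.com as the same name. The Ruby below is an added illustration, not Canvas code and not a reproduction of its matching logic; REGISTERED_TOOL_DOMAINS and both check functions are hypothetical.

```ruby
require 'uri'

# Constructed allowlist of registered LTI tool domains (hypothetical values,
# not Canvas configuration).
REGISTERED_TOOL_DOMAINS = ['tool.example.edu', 'lti.example.org'].freeze

# Reduce a hostname to the form a resolver actually uses: lowercase, no
# surrounding whitespace, no trailing dots. Any allow/deny decision must be
# made on this form, otherwise the check and the browser disagree about
# which site a URL points to.
def canonical_host(host)
  return nil if host.nil?
  h = host.strip.downcase
  h = h.chomp('.') while h.end_with?('.')
  h.empty? ? nil : h
end

# Naive check: compares the raw host string from the URL to the allowlist.
# "tool.example.edu." is a different string from "tool.example.edu", so the
# raw comparison classifies the two spellings of one host differently.
def naive_allowed?(url)
  uri = URI.parse(url)
  uri.scheme == 'https' && REGISTERED_TOOL_DOMAINS.include?(uri.host)
rescue URI::InvalidURIError
  false
end

# Hardened check: canonicalize first, require an exact host match (no suffix
# matching), and return the URL rewritten with the canonical host so that the
# value compared and the value redirected to are the same. Returns nil when
# the URL must not be used as a redirect target.
def allowed_tool_url(url)
  uri = URI.parse(url)
  return nil unless uri.scheme == 'https'
  host = canonical_host(uri.host)
  return nil unless host && REGISTERED_TOOL_DOMAINS.include?(host)
  uri.host = host
  uri.to_s
rescue URI::InvalidURIError
  nil
end
```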
All systems were patched as of 17:01 MT on 11/8/2017