2017-11-09 Instructure Advisory IAC78000 - Two open redirect issues found in LTI tool handling

Document created by Simon Williams Employee on Nov 9, 2017Last modified by Simon Williams Employee on Nov 9, 2017
Version 2Show Document
  • View in full screen mode

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

 

  Release Date:2017-11-09
  Description:

Two open redirect issues found in LTI tool handling

  Criticality Level:Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

A victim clicking a malicious link could send data to an attacker’s website.

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

BugCrowd Security Researcher

  Relevant Changesets:

Ensure nil domain is not used to match external tools · instructure/canvas-lms@2e1c33e63c · GitHub

Fix XSS and tool registration endpoint vulnerabilities · instructure/canvs-lms@c64962fd8f · GitHub


 

Summary:

An open redirect at /courses/:course_id/external_tools/retrieve?url=... was discovered which did not filter URLs like https://domain.com./ with trailing dot. The form with the signed oauth post data is being created and being transmitted to the attacker's web server.


An open redirect at /courses/:course_id/lti/tool_proxy_registration?tool_consumer_url… which could have also been used to create a reflected XSS vulnerability, where a victim had permission to install an LTI tool.

 

Status:

All systems were patched as of 17:01 MT on 11/8/2017

 


Attachments

    Outcomes