2011-12-13 Instructure Advisory IAC61932 - CSRF attack vector in AJAX JSON responses

jordan

    SECURITY UPDATE


  Release Date: 2011-12-13 (Last update can be found below the document title)
  Description: CSRF attack vector in AJAX JSON responses
  Criticality Level: Less Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact:
  • Cross-Site Request Forgery
  • Exposure of Sensitive Information
  Systems Affected: Canvas LMS
  Solution Status: Fixed in the 2011-12-10 release
  Discovered By: Securus Global
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/59e34ded646bb6b55749e1bfbbe9213c1704d320

https://github.com/instructure/canvas-lms/commit/beca2fc493d1624fc68aceab6e0f82b23017f034

https://github.com/instructure/canvas-lms/commit/5babb1dd1f6a5f6a8c46b493213cc2926aafdd22

https://github.com/instructure/canvas-lms/commit/f14f7fc2ba6bbbc773e327dcb7a3d81414fa293d

https://github.com/instructure/canvas-lms/commit/58e0ffe2e848ba7588a61bb0957247f1e03fb8a1

https://github.com/instructure/canvas-lms/commit/dbf30e3388873b1bf87fc5f78d389fdbf50ac82f


Summary:

A security audit has identified that Canvas LMS is vulnerable to a cross-site request forgery attack via unprotected JSON responses to various AJAX requests. This attack could allow a malicious third-party site to steal private information if a user visits that site while logged in to Canvas.

This attack is not possible in the newest releases of major web browsers, but it still affects some officially supported browser versions, such as previous Safari and Chrome releases.

Status:

This vulnerability was fixed in the 2011-12-10 release by prepending a protective JavaScript loop to the JSON responses of GET requests, so that a response loaded as a script by another site executes the loop and never exposes the data, while legitimate AJAX callers strip the prefix before parsing.
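The mitigation described above, as an added example that is not Canvas LMS's own patch: a Rack-style middleware that prefixes JSON responses to GET requests with a JavaScript loop, plus the client-side counterpart that strips the prefix before parsing. The prefix string `while(1);`, the class and function names, and the sample app are assumptions for this illustration.

```ruby
require 'json'

# Assumed prefix: valid JavaScript that never terminates, so a page that pulls the
# response in via <script src=...> hangs in the loop and never reaches the data.
JSON_GUARD_PREFIX = "while(1);"

# Rack-compatible middleware (illustrative, not the Canvas LMS code).
class JsonHijackGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Only GET responses can be fetched by a <script> tag, and only JSON bodies need the guard.
    json = headers['Content-Type'].to_s.start_with?('application/json')
    return [status, headers, body] unless env['REQUEST_METHOD'] == 'GET' && json
    guarded = [JSON_GUARD_PREFIX] + body.to_a
    # Keep Content-Length consistent with the enlarged body.
    headers = headers.merge('Content-Length' => guarded.sum(&:bytesize).to_s)
    [status, headers, guarded]
  end
end

# Client-side counterpart: strip the prefix, fail closed if it is missing.
def parse_guarded_json(text)
  raise ArgumentError, 'missing JSON guard prefix' unless text.start_with?(JSON_GUARD_PREFIX)
  JSON.parse(text[JSON_GUARD_PREFIX.length..-1])
end

# Constructed sample app returning per-user data (the kind of response worth protecting).
SAMPLE_APP = lambda do |_env|
  payload = JSON.generate('user' => 'alice', 'grades' => [91, 87])
  [200, { 'Content-Type' => 'application/json; charset=utf-8' }, [payload]]
end

# Runs the sample app behind the guard for the given HTTP method and joins the body.
def guarded_response(method)
  status, headers, body = JsonHijackGuard.new(SAMPLE_APP).call('REQUEST_METHOD' => method)
  [status, headers, body.join]
end

if __FILE__ == $PROGRAM_NAME
  _, _, text = guarded_response('GET')
  puts text                  # while(1);{"user":"alice","grades":[91,87]}
  p parse_guarded_json(text) # {"user"=>"alice", "grades"=>[91, 87]}
end
```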