2012-01-25 Instructure Advisory IAC22873 - Admin Cross-Account Password Changing

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by Renee Carney on Sep 22, 2015. Version 2.

    SECURITY UPDATE


 

  Release Date: 2012-01-25 (Last update can be found below the document title)
  Description: Admin Cross-Account Password Changing
  Criticality Level: Less Critical (scale: Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact:
  • Manipulation of data
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Internal Instructure Audit
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/f368ba7a3b5ede284238bd563a874d3a782110c8


 

Summary:

A vulnerability was discovered in the functionality that allows account admins to change passwords for users in their account. If a user has logins in both account A and account B, an admin with password-changing privileges on account A only could craft an HTTP request (using curl or a similar tool) that changes that user's password on account B. In effect, the request was not checked against the account that owned the login being changed. The admin would first have to discover the id of that user's login (pseudonym) on account B. This could allow a malicious LMS admin to log in as the user under the other account and access the private information held there.
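To make the authorization gap concrete, the following Ruby sketch is an added example and is not Canvas code; the Account, User, Pseudonym, Admin and PasswordChanger names, the in-memory pseudonym table and the scenario data are all constructed for illustration. It contrasts a check that authorizes the admin against any account the target user has a login in with one that authorizes against the account owning the specific login id named in the request.

```ruby
require "digest"

# Added illustration of the advisory's authorization flaw. All names below
# are assumptions for this example; they are not Canvas classes or methods.
Account = Struct.new(:name)
User = Struct.new(:name)

# A login ("pseudonym" in Canvas terms) ties one user to one account.
Pseudonym = Struct.new(:id, :user, :account, :password_hash)

class Admin
  attr_reader :name, :managed_accounts

  def initialize(name, managed_accounts)
    @name = name
    @managed_accounts = managed_accounts
  end

  # True if this admin holds password-changing privileges on the account.
  def manages_passwords_on?(account)
    managed_accounts.include?(account)
  end
end

class PasswordChanger
  def initialize(pseudonyms)
    @pseudonyms = pseudonyms # constructed in-memory table: id => Pseudonym
  end

  # Vulnerable pattern: authorize against *any* account the target user has
  # a login in, then update whichever pseudonym id the request named. An
  # admin on account A can therefore supply the id of the user's account-B login.
  def change_password_vulnerable(admin, pseudonym_id, new_password)
    target = @pseudonyms.fetch(pseudonym_id)
    user_accounts = @pseudonyms.values.select { |p| p.user == target.user }.map(&:account)
    return :forbidden unless user_accounts.any? { |a| admin.manages_passwords_on?(a) }

    target.password_hash = hash_password(new_password)
    :ok
  end

  # Fixed pattern: authorize against the account that owns the specific
  # pseudonym being changed, so the id in the request cannot widen the scope.
  def change_password_fixed(admin, pseudonym_id, new_password)
    target = @pseudonyms.fetch(pseudonym_id)
    return :forbidden unless admin.manages_passwords_on?(target.account)

    target.password_hash = hash_password(new_password)
    :ok
  end

  private

  def hash_password(password)
    # Stand-in for a real password hash; irrelevant to the authorization flaw.
    Digest::SHA256.hexdigest(password)
  end
end

# Constructed scenario: one user with logins on two accounts, admin only on A.
def build_scenario
  account_a = Account.new("Account A")
  account_b = Account.new("Account B")
  alice = User.new("alice")
  pseudonyms = {
    1 => Pseudonym.new(1, alice, account_a, nil),
    2 => Pseudonym.new(2, alice, account_b, nil),
  }
  admin_a = Admin.new("admin_a", [account_a])
  [PasswordChanger.new(pseudonyms), admin_a]
end

# Runs the cross-account request (pseudonym 2, owned by account B) through
# both checks, plus a same-account request through the fixed check.
def demo
  changer, admin_a = build_scenario
  {
    vulnerable_cross_account: changer.change_password_vulnerable(admin_a, 2, "new-secret"),
    fixed_cross_account: changer.change_password_fixed(admin_a, 2, "new-secret"),
    fixed_same_account: changer.change_password_fixed(admin_a, 1, "new-secret"),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run with `ruby` to see the vulnerable check accept the cross-account request while the fixed check rejects it and still allows the admin's own account. A real implementation also has to cover account hierarchies and whatever the privilege model grants; the toy only shows which object the check must be bound to: the login named in the request, not the user as a whole.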

 

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.

 

 

