2012-11-26 Instructure Advisory IAC44596 - Clickjacking Vulnerability

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by Renee Carney on Sep 22, 2015.




  Release Date: 2012-11-26 (Last update can be found below the document title)
  Description: Clickjacking Vulnerability
  Criticality Level: Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  • Potential for an attacker to deceive users into performing actions by crafting a malicious third-party web page
  Systems Affected: Canvas LMS
  Solution Status: Fixed in Canvas Cloud
  Discovered By: Himanshu Kumar Das
  Relevant Changesets:

Canvas: https://github.com/instructure/canvas-lms/commit/6ec1f7097348a936f3fa73ff5652c7071f8441bf



Because Canvas was not protecting itself against being embedded in an iframe on another domain, it was possible for an attacker to craft a clickjacking attack (https://www.owasp.org/index.php/Clickjacking), tricking a user into performing an action in Canvas unintentionally.



Fixed in Canvas Cloud. Canvas CV users are encouraged to either update to the most recent stable code, apply the patch manually, or run the following command in a script/console session and restart canvas web processes:

Setting.set('block_html_frames', 'true')
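As an added illustration of the class of fix this advisory describes (it is not Canvas's own code from the changeset above): a Rack-style middleware that, when a block_html_frames flag is on, sends the X-Frame-Options: SAMEORIGIN header on HTML responses so browsers refuse to render the page inside another origin's iframe, plus a helper for auditing a captured response. The SETTINGS hash and APP lambda are stand-ins for the application's settings store and web app (assumptions), and the CSP frame-ancestors check goes beyond the 2012 fix to the later standard defense.

```ruby
# Stand-in for the application's settings store (assumption, not Canvas's Setting class).
SETTINGS = { 'block_html_frames' => 'false' }

# Case-insensitive header lookup; Rack header hashes are not normalised.
def header_value(headers, name)
  pair = headers.find { |k, _| k.to_s.casecmp?(name) }
  pair ? pair.last.to_s : ''
end

# Rack middleware: when the setting is on, tell browsers the HTML response may
# only be framed by the same origin, which defeats the cross-domain iframe overlay.
class BlockHtmlFrames
  def initialize(app, settings = SETTINGS)
    @app = app
    @settings = settings
  end

  def call(env)
    status, headers, body = @app.call(env)
    html = header_value(headers, 'Content-Type').downcase.start_with?('text/html')
    if @settings['block_html_frames'] == 'true' && html
      headers = headers.merge('X-Frame-Options' => 'SAMEORIGIN')
    end
    [status, headers, body]
  end
end

# Audit helper: true when a response denies cross-origin framing via
# X-Frame-Options or the newer CSP frame-ancestors directive.
def framing_blocked?(headers)
  xfo = header_value(headers, 'X-Frame-Options').strip.upcase
  return true if %w[DENY SAMEORIGIN].include?(xfo)
  csp = header_value(headers, 'Content-Security-Policy')
  csp.match?(/frame-ancestors\s+'(none|self)'/i)
end

# Constructed stand-in for the application: always serves an HTML page.
APP = ->(_env) { [200, { 'Content-Type' => 'text/html; charset=utf-8' }, ['<html></html>']] }

# Response headers with the setting on or off, as a scanner would observe them.
def response_headers(block_frames)
  SETTINGS['block_html_frames'] = block_frames ? 'true' : 'false'
  BlockHtmlFrames.new(APP).call({})[1]
end
```

Running `framing_blocked?` against the headers of an unpatched deployment is a quick way to confirm the setting actually took effect after the web processes were restarted.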