2012-11-26 Instructure Advisory IAC44596 - Clickjacking Vulnerability

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by Renee Carney on Sep 22, 2015.
Version 2

    SECURITY UPDATE

  Release Date: 2012-11-26 (last update can be found below the document title)
  Description: Clickjacking Vulnerability
  Criticality Level: Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact:
  • Potential for an attacker to deceive users into performing actions by crafting a malicious third-party web page
  Systems Affected: Canvas LMS
  Solution Status: Fixed in Canvas Cloud
  Discovered By: Himanshu Kumar Das
  Relevant Changesets:

Canvas: https://github.com/instructure/canvas-lms/commit/6ec1f7097348a936f3fa73ff5652c7071f8441bf


 

Summary:

Because Canvas did not prevent its pages from being embedded in an iframe on another origin, an attacker could craft a clickjacking attack (https://www.owasp.org/index.php/Clickjacking): a malicious third-party page loads a Canvas page in a hidden or transparent frame and positions its own visible content so that a logged-in user's clicks land on Canvas controls, causing the user to perform an action in Canvas unintentionally.

 

Status:

Fixed in Canvas Cloud. Canvas CV users are encouraged to either update to the most recent stable code, apply the patch manually, or run the following command in a script/console session and then restart the Canvas web processes:

Setting.set('block_html_frames', 'true')
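
The following is an added example, not code from the Canvas code base or from the changeset linked above. It illustrates the class of fix this advisory describes: a Rack-style middleware that, when a `block_html_frames` flag is on, adds the standard anti-framing headers (X-Frame-Options: SAMEORIGIN and a CSP frame-ancestors directive) to every response, alongside a helper that evaluates those headers the way a browser does so the vulnerable and fixed configurations can be compared. The middleware class, the helper, the sample application and all origins are assumptions made for the example; only the flag name comes from the advisory.

```ruby
# Added example (not Canvas's own code). Demonstrates the anti-framing
# headers that stop a page from being embedded by another origin, and a
# browser-side decision function for checking a response's headers.

class FrameProtection
  # app: any Rack-compatible object responding to call(env) (assumed).
  # block_html_frames: false reproduces the vulnerable behaviour (no header);
  #                    true mirrors the setting named in the advisory.
  # allowed_origins: extra origins explicitly permitted to embed the page.
  def initialize(app, block_html_frames: true, allowed_origins: [])
    @app = app
    @block = block_html_frames
    @allowed = allowed_origins
  end

  def call(env)
    status, headers, body = @app.call(env)
    if @block
      # X-Frame-Options is honoured by older browsers; frame-ancestors
      # (CSP Level 2) is the modern equivalent and takes precedence when
      # both are present. Sending both covers the widest range of clients.
      headers['X-Frame-Options'] = 'SAMEORIGIN'
      ancestors = (["'self'"] + @allowed).join(' ')
      headers['Content-Security-Policy'] = "frame-ancestors #{ancestors}"
    end
    [status, headers, body]
  end
end

# Decide whether a browser would render the response inside a frame hosted
# on embedder_origin. Returns true when framing is allowed, i.e. when a
# clickjacking page on that origin would work. Only 'self', 'none' and
# exact origins are handled; wildcard host-sources are out of scope here.
def framing_allowed?(headers, page_origin:, embedder_origin:)
  csp = headers['Content-Security-Policy'].to_s
  if (m = csp.match(/frame-ancestors\s+([^;]+)/i))
    sources = m[1].split
    return false if sources == ["'none'"]
    return sources.any? do |src|
      src == "'self'" ? embedder_origin == page_origin : src == embedder_origin
    end
  end
  case headers['X-Frame-Options'].to_s.upcase
  when 'DENY' then false
  when 'SAMEORIGIN' then embedder_origin == page_origin
  else true # no header at all: any site may frame the page
  end
end

# Constructed stand-in for a Canvas action that performs a state change
# when its button is clicked (assumed; not a real Canvas endpoint).
CANVAS_ACTION = lambda do |_env|
  [200, { 'Content-Type' => 'text/html' }, ['<button>Submit</button>']]
end

# Run the sample action through the middleware and return its headers.
def response_headers(block_html_frames:, allowed_origins: [])
  app = FrameProtection.new(CANVAS_ACTION,
                            block_html_frames: block_html_frames,
                            allowed_origins: allowed_origins)
  _status, headers, _body = app.call({})
  headers
end

if __FILE__ == $PROGRAM_NAME
  page = 'https://canvas.example.edu'     # assumed Canvas origin
  attacker = 'https://attacker.example'   # assumed clickjacking page origin
  [false, true].each do |flag|
    h = response_headers(block_html_frames: flag)
    puts "block_html_frames=#{flag}: attacker can frame? " \
         "#{framing_allowed?(h, page_origin: page, embedder_origin: attacker)}"
  end
end
```

To verify a deployed instance the same way, fetch any authenticated Canvas page with `curl -sI` and confirm that an X-Frame-Options (or Content-Security-Policy frame-ancestors) header is present; a response carrying neither is still frameable by arbitrary origins. If trusted tools legitimately embed Canvas, list their origins in frame-ancestors rather than dropping the protection entirely.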
