2014-03-03 Instructure Advisory IAC42155 - False Zip File Size Attack

Document created by jordan@instructure.com on Sep 22, 2015Last modified by jordan@instructure.com on Sep 22, 2015
Version 3Show Document
  • View in full screen mode

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

 

  Release Date:2014-03-03  (Last update can be found below the document title)
  Description:False Zip File Size Attack
  Criticality Level:Less Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Denial of Service
  Systems Affected:

Canvas LMS

  Solution Status:

Patched

  Discovered By:

Mike Naberezny

  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/a3cf4748cc4be17c27030728fdd00f79419a2238


 

Summary:

A malicious user could upload a specially formed zip file in order to bypass Canvas' quota checking and extract much larger files than are meant to be allowed. This attack could potentially be used as a Denial of Service attack vector on job workers, and increase Canvas hosting costs.

 

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.

 

 


Attachments

    Outcomes