2011-12-13 Instructure Advisory IAC61932 - CSRF attack vector in AJAX JSON responses
SECURITY UPDATE

| Field | Value |
|---|---|
| Release Date | 2011-12-13 (last update can be found below the document title) |
| Description | CSRF attack vector in AJAX JSON responses |
| Criticality Level | Less Critical (scale: Less Critical < Critical < Moderately Critical < Highly Critical) |
| Impact | |
| Systems Affected | Canvas LMS |
| Solution Status | Fixed in the 2011-12-10 release |
| Discovered By | Securus Global |
| Relevant Changesets | https://github.com/instructure/canvas-lms/commit/59e34ded646bb6b55749e1bfbbe9213c1704d320 https://github.com/instructure/canvas-lms/commit/beca2fc493d1624fc68aceab6e0f82b23017f034 https://github.com/instructure/canvas-lms/commit/5babb1dd1f6a5f6a8c46b493213cc2926aafdd22 https://github.com/instructure/canvas-lms/commit/f14f7fc2ba6bbbc773e327dcb7a3d81414fa293d https://github.com/instructure/canvas-lms/commit/58e0ffe2e848ba7588a61bb0957247f1e03fb8a1 https://github.com/instructure/canvas-lms/commit/dbf30e3388873b1bf87fc5f78d389fdbf50ac82f |
Summary:
A security audit has identified that Canvas LMS is vulnerable to a cross-site request forgery attack via unprotected JSON responses to various AJAX requests: a third-party page can load a Canvas JSON endpoint as a script and, in affected browsers, observe the data it returns. This attack could allow a malicious third-party site to steal private information if a user were to visit that malicious site while logged in to Canvas.
This attack is not possible in the newest releases of major web browsers, but it still affects some officially supported browser versions, such as previous Safari and Chrome releases.
Status:
This vulnerability was fixed in the 2011-12-10 release by prepending a protective JavaScript loop to the JSON responses of GET requests. Same-origin Canvas clients strip the prefix before parsing the payload, while a third-party page that loads the response as a script executes only the loop and never reaches the data.
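The guard described above, as an added example that is not Canvas code: the server prepends a loop to GET JSON bodies, the same-origin client strips it, and a check over recorded responses flags any JSON GET that lacks it. The `while(1);` prefix and the sample responses are assumptions; the advisory does not name the exact loop Canvas uses.

```javascript
// Added example (not from the Canvas code base). The prefix is an assumed,
// commonly used choice; the advisory does not state Canvas's exact loop.
const GUARD_PREFIX = 'while(1);';

// Server side: only GET responses can be pulled cross-origin via <script src>,
// so only those get the guard. A browser that loads the guarded body as a
// script spins in the loop and never evaluates the array/object literals that
// older engines let a hostile page observe through overridden setters.
function guardJsonResponse(method, payload) {
  const body = JSON.stringify(payload);
  return method.toUpperCase() === 'GET' ? GUARD_PREFIX + body : body;
}

// Client side (same-origin XHR/fetch): the raw text is readable, so strip the
// guard and parse the remainder. Unguarded bodies parse unchanged.
function parseGuardedJson(text) {
  const json = text.startsWith(GUARD_PREFIX) ? text.slice(GUARD_PREFIX.length) : text;
  return JSON.parse(json);
}

// Regression check: given recorded responses, return the URLs of JSON GETs that
// were served without the guard (each one is a possible data-disclosure point).
function findUnguardedJsonGets(responses) {
  return responses
    .filter(r => r.method === 'GET'
      && /^application\/json\b/i.test(r.contentType)
      && !r.body.startsWith(GUARD_PREFIX))
    .map(r => r.url);
}

// Constructed sample traffic: one guarded GET, one unguarded GET, one POST.
const sampleResponses = [
  { method: 'GET', url: '/api/v1/courses', contentType: 'application/json; charset=utf-8',
    body: guardJsonResponse('GET', [{ id: 1, name: 'Intro' }]) },
  { method: 'GET', url: '/api/v1/users/self', contentType: 'application/json',
    body: JSON.stringify({ id: 7, email: 'student@example.edu' }) },
  { method: 'POST', url: '/api/v1/conversations', contentType: 'application/json',
    body: JSON.stringify({ ok: true }) },
];

console.log('Unguarded JSON GETs:', findUnguardedJsonGets(sampleResponses));
```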