2017-11-09 Instructure Advisory IAC78000 - Two open redirect issues found in LTI tool handling

simon
Instructure Alumni
Instructure Alumni
0
1503

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2017-11-09
  Description:

Two open redirect issues found in LTI tool handling

  Criticality Level:Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

A victim clicking a malicious link could send data to an attacker’s website.

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

BugCrowd Security Researcher

  Relevant Changesets:

Ensure nil domain is not used to match external tools · instructure/canvas-lms@2e1c33e63c · GitHub

Fix XSS and tool registration endpoint vulnerabilities · instructure/canvs-lms@c64962fd8f · GitHub


Summary:

An open redirect at /courses/:course_id/external_tools/retrieve?url=... was discovered which did not filter URLs like https://domain.com./ with trailing dot. The form with the signed oauth post data is being created and being transmitted to the attacker's web server.


An open redirect at /courses/:course_id/lti/tool_proxy_registration?tool_consumer_url… which could have also been used to create a reflected XSS vulnerability, where a victim had permission to install an LTI tool.

Status:

All systems were patched as of 17:01 MT on 11/8/2017