2017-11-09 Instructure Advisory IAC78000 - Two open redirect issues found in LTI tool handling
SECURITY UPDATE

| Field | Value |
|---|---|
| Release Date | 2017-11-09 |
| Description | Two open redirect issues found in LTI tool handling |
| Criticality Level | Critical (Less Critical < Critical < Moderately Critical < Highly Critical) |
| Impact | A victim clicking a malicious link could send data to an attacker's website. |
| Systems Affected | Canvas LMS |
| Solution Status | Patched |
| Discovered By | BugCrowd Security Researcher |
| Relevant Changesets | Ensure nil domain is not used to match external tools (instructure/canvas-lms@2e1c33e63c, GitHub); Fix XSS and tool registration endpoint vulnerabilities (instructure/canvas-lms@c64962fd8f, GitHub) |
Summary:
An open redirect was discovered at /courses/:course_id/external_tools/retrieve?url=... that did not filter URLs with a trailing dot, such as https://domain.com./. The form containing the signed OAuth POST data was created and transmitted to the attacker's web server.
A second open redirect was found at /courses/:course_id/lti/tool_proxy_registration?tool_consumer_url…; it could also have been used to create a reflected XSS vulnerability where the victim had permission to install an LTI tool.
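The two conditions named in the changesets, a tool record with a nil domain and a launch URL whose host carries a trailing dot, as an added illustration of how a defensive tool lookup should handle them. This is hypothetical example code written for this page, not Canvas's own implementation; the TOOLS registry and the function names are constructed.

```ruby
require 'uri'

# Constructed sample registry of LTI tools (not Canvas data). The second record
# has no domain set, like a tool that was registered by URL only.
TOOLS = [
  { name: 'quiz-tool', domain: 'Tool.Example.edu' },
  { name: 'no-domain', domain: nil },
].freeze

# Naive lookup (hypothetical, shown for contrast): nil.to_s is "" and every
# string ends with "", so a tool with no domain matches any launch URL and a
# signed launch form would be posted to whatever host the URL names.
def naive_find_tool(url)
  host = URI.parse(url).host.to_s
  TOOLS.find { |t| host.end_with?(t[:domain].to_s) }
end

# Canonical form of a hostname: lower-case and without the trailing dot, so
# "tool.example.edu." and "tool.example.edu" (the same DNS name) compare equal.
def canonical_host(host)
  return nil if host.nil? || host.empty?
  host.downcase.chomp('.')
end

# Hardened lookup: only http(s) URLs are considered, tools with a blank domain
# are never matched, and the canonical URL host must equal the tool domain or
# be a subdomain of it. Unknown hosts return nil so no launch form is built.
def find_tool(url)
  uri = URI.parse(url)
  return nil unless %w[http https].include?(uri.scheme)
  host = canonical_host(uri.host)
  return nil if host.nil?
  TOOLS.find do |t|
    domain = canonical_host(t[:domain])
    next false if domain.nil?
    host == domain || host.end_with?(".#{domain}")
  end
end
```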
Status:
All systems were patched as of 17:01 MT on 11/8/2017