About Canvas Security Updates
Security updates are posted here.
jordan
Instructure Alumni

    SECURITY UPDATE

  Release Date: 2013-12-30 (Last update can be found below the document title)
  Description: Username Harvesting
  Criticality Level: Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact: Exposure of Sensitive Information
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Secure Ideas https://www.secureideas.com/

  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/9c223456101a0cbf975f19af06f5ff17be906c52


Summary:

A username harvesting vulnerability was reported by a third party. This vulnerability could potentially allow an attacker to discover which usernames correspond to valid Canvas accounts, narrowing the required scope of a second attack.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


    SECURITY UPDATE

  Release Date: 2013-04-01 (Last update can be found below the document title)
  Description: XSS Attack Vulnerability
  Criticality Level: Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Exposure of Sensitive Information
  • Cross Site Scripting
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Kamil Sevi @kamilsevi
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/df9162a6f404ada862fcee37743b8aba2ea53d23


Summary:

A cross-site scripting vulnerability was reported by a third party. This vulnerability could potentially allow an attacker to steal the private information of a user logged in to Canvas.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


    SECURITY UPDATE

  Release Date: 2013-03-29 (Last update can be found below the document title)
  Description: PostgreSQL Security Release
  Criticality Level: N/A ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact: N/A
  Systems Affected: N/A
  Solution Status: N/A
  Discovered By: N/A
  Relevant Changesets:

N/A


Summary:

The PostgreSQL team will be releasing a security update for all supported versions on April 4th, 2013. The release will fix a "high-exposure" security vulnerability. More information is not publicly available at this time, due to the sensitive nature of the vulnerability.

Instructure is monitoring the situation and will apply the update as soon as it is available, after testing it in a test environment. This post will be updated as more information becomes publicly available. Canvas CV users who are using PostgreSQL are encouraged to monitor the mailing list as well, and upgrade as soon as possible.

http://www.postgresql.org/message-id/CAN1EF+x0dmwMFuJGWuXMiRQtyT1s=Pe95f9gaF=uVCEa=V61fQ@mail.gmail....


    SECURITY UPDATE

  Release Date: 2013-02-11 (Last update can be found below the document title)
  Description: Rails Serialized Attribute, attr_protected and JSON Parsing Vulnerabilities
  Criticality Level: Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  • Arbitrary code execution
  • Denial of service
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: N/A
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/5af68ea3fa7153107be6a46334761efb5ac0ff61

https://github.com/instructure/canvas-lms/commit/36fa4321f405d670828056b8e17a683ddc656966

https://github.com/instructure/canvas-lms/commit/851adb150b6550ad439b35d0b1d9afd16dc28c3e


Summary:

Multiple vulnerabilities were discovered in the Ruby on Rails 2.x library that Canvas uses. Further information is available at https://groups.google.com/forum/#!forum/rubyonrails-security

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patches manually immediately.

CVE:

CVE-2013-0276, CVE-2013-0277, and CVE-2013-0269


    SECURITY UPDATE

  Release Date: 2013-01-28 (Last update can be found below the document title)
  Description: Code Injection Attack in Rails Library
  Criticality Level: Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: N/A
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/90378ae9b51b8acf0be690bca61f5f1454f3e0fe


Summary:

A JSON parsing vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. Further information is available at https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.

CVE:

CVE-2013-0333


    SECURITY UPDATE

  Release Date: 2013-01-14 (Last update can be found below the document title)
  Description: SQL Query Modification Attack in Rails Library
  Criticality Level: Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: -
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/784d9bce6dd627364cf2a8156d64128ceb0fad67


Summary:

A JSON parameter parsing vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. No attack vector against Canvas is verified, but Canvas CV users are still encouraged to update immediately. Further information is available at

https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.


    SECURITY UPDATE

  Release Date: 2013-01-08 (Last update can be found below the document title)
  Description: Code Injection Attack in Rails Library
  Criticality Level: Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  • Privilege escalation
  • Arbitrary code execution
  • Denial of Service
  Systems Affected: Canvas LMS
  Solution Status: Patch
  Relevant Changesets:

disable XML params parser · instructure/canvas-lms@0e0190f · GitHub 


Summary:

An XML parameter parsing vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. Canvas does not use XML parameter parsing, but is still vulnerable without the fix applied. Further information is available at https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/...

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.


    SECURITY UPDATE

  Release Date: 2013-01-03 (Last update can be found below the document title)
  Description: SQL Injection Attack in Rails Library
  Criticality Level: Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  • Privilege escalation
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: -
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/2a1ca6c06065fdb2b048add069a8d2edd64f035f


Summary:

A SQL injection vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. No working exploit against Canvas is known, but users of Canvas CV are still encouraged to apply the patch immediately.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.

CVE: CVE-2012-5664


    SECURITY UPDATE

  Release Date: 2012-11-26 (Last update can be found below the document title)
  Description: Clickjacking Vulnerability
  Criticality Level: Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Potential for an attacker to deceive users into performing actions by crafting a malicious third party web page
  Systems Affected: Canvas LMS
  Solution Status: Fixed in Canvas Cloud
  Discovered By: Himanshu Kumar Das
  Relevant Changesets:

Canvas: https://github.com/instructure/canvas-lms/commit/6ec1f7097348a936f3fa73ff5652c7071f8441bf


Summary:

Because Canvas was not protecting itself against being embedded in an iframe on another domain, it was possible for an attacker to craft a clickjacking attack (https://www.owasp.org/index.php/Clickjacking), tricking a user into performing an action in Canvas unintentionally.

Status:

Fixed in Canvas Cloud. Canvas CV users are encouraged to either update to the most recent stable code, apply the patch manually, or run the following command in a script/console session and restart the Canvas web processes:

Setting.set('block_html_frames', 'true')


    SECURITY UPDATE

  Release Date: 2012-11-26 (Last update can be found below the document title)
  Description: XML Parsing Vulnerability
  Criticality Level: Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Potential for attacker to view sensitive system information
  Systems Affected: Canvas LMS
  Solution Status: Patched in Canvas Cloud
  Discovered By: Securus Global
  Relevant Changesets:

Canvas: N/A

libxml2: http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f


Summary:

An XML parsing vulnerability was discovered in libxml, the underlying library that Canvas uses for parsing incoming XML (through the Nokogiri Ruby gem). This vulnerability could allow an attacker to view sensitive system information on the application servers.

Because the bug is in libxml, there is no relevant change in Canvas itself. Users of Canvas CV are encouraged to either upgrade to libxml 2.9 or above, or apply the patch listed above manually and build new libxml packages.


    SECURITY UPDATE

  Release Date: 2012-10-15 (Last update can be found below the document title)
  Description: XSS Attack Vulnerability
  Criticality Level: Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Exposure of Sensitive Information
  • Cross Site Scripting
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Kamil Sevi @kamilsevi
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/a9720f5602aa654d059f4f3c7badeaef5da1f79c


Summary:

A cross-site scripting vulnerability was reported by a third party. This vulnerability could potentially allow an attacker to steal the private information of a user logged in to Canvas.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


    SECURITY UPDATE

  Release Date: 2012-06-13 (Last update can be found below the document title)
  Description: SQL Injection Attack in Rails Library
  Criticality Level: Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  • Privilege escalation
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: -
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/6ade80562cd3cbfa804a7ebb06417c5b92c902cf


Summary:

A SQL injection vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

More information is available at http://seclists.org/oss-sec/2012/q2/504 .

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.


    SECURITY UPDATE

  Release Date: 2012-04-17 (Last update can be found below the document title)
  Description: XSS Attack Vulnerabilities
  Criticality Level: Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Exposure of Sensitive Information
  • Cross Site Scripting
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Neal Poole and Nathan Partlan
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/27877a8e611dc3818e9f7bd98be151edbacd760c

https://github.com/instructure/canvas-lms/commit/b78ce5bfe3c23c5afbf6a90d6e6428c6869e5a60

https://github.com/instructure/canvas-lms/commit/634481bfaff49a5a75696d23d4db7e7b8d699148

https://github.com/instructure/canvas-lms/commit/6479b389334d7760aa2573d70c9d49e4813d3520

https://github.com/instructure/canvas-lms/commit/6ceb28a142b33ea99a9912174b5011fe44f92ef5


Summary:

Multiple cross-site scripting and open redirect vulnerabilities were discovered and reported by an independent audit. These vulnerabilities could allow an attacker to steal the private information of a user logged in to Canvas.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patches manually. Users of Canvas CV are also encouraged to verify that they have a files_domain configured in domain.yml.


    SECURITY UPDATE

  Release Date: 2012-01-25 (Last update can be found below the document title)
  Description: Admin Cross-Account Password Changing
  Criticality Level: Less Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Manipulation of data
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Internal Instructure Audit
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/f368ba7a3b5ede284238bd563a874d3a782110c8


Summary:

A vulnerability was discovered in the functionality that allows account admins to change passwords for users in their account. If there is a user with logins to both account A and account B, an admin with password changing privileges on account A could craft an HTTP request (using curl or a similar tool) that would allow the admin to change the password for that user on account B. The admin would have to discover the login (pseudonym) id for that user on account B first. This could potentially allow a malicious LMS admin to log in as a user under another account, allowing access to their private information on that second account.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
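
An added illustration of the authorization gap described in this advisory, not Canvas's own code: the flawed function is an assumed shape of the bug (the check is made on the user rather than on the login being changed), shown beside a login-scoped check. The `Pseudonym` struct, function names, ids and passwords are constructed for this example.

```ruby
Pseudonym = Struct.new(:id, :user_id, :account_id, :password)

class NotAuthorized < StandardError; end

# Constructed data: user 7 has a login on account A (id 1) and another on
# account B (id 2).
def sample_pseudonyms
  [Pseudonym.new(100, 7, 1, 'old-a'), Pseudonym.new(200, 7, 2, 'old-b')]
end

# Flawed check (assumed shape of the bug): authorization is decided on the
# user, so managing any one of the user's logins unlocks all of them.
def change_password_user_scoped(pseudonyms, admin_account_ids, pseudonym_id, new_password)
  target = pseudonyms.find { |p| p.id == pseudonym_id }
  raise NotAuthorized unless target

  manages_user = pseudonyms.any? do |p|
    p.user_id == target.user_id && admin_account_ids.include?(p.account_id)
  end
  raise NotAuthorized unless manages_user

  target.password = new_password
  target
end

# Corrected check: the login being changed must itself belong to an account
# the admin manages. Unknown ids and foreign ids fail identically, so the
# endpoint does not confirm which pseudonym ids exist in other accounts.
def change_password_login_scoped(pseudonyms, admin_account_ids, pseudonym_id, new_password)
  target = pseudonyms.find do |p|
    p.id == pseudonym_id && admin_account_ids.include?(p.account_id)
  end
  raise NotAuthorized unless target

  target.password = new_password
  target
end

# Runs both variants as an admin of account A only, targeting the login on
# account B, and reports what happened to that login's password.
def cross_account_demo
  admin_accounts = [1]
  flawed = sample_pseudonyms
  change_password_user_scoped(flawed, admin_accounts, 200, 'set-by-admin-a')

  fixed = sample_pseudonyms
  rejected = begin
    change_password_login_scoped(fixed, admin_accounts, 200, 'set-by-admin-a')
    false
  rescue NotAuthorized
    true
  end
  own = change_password_login_scoped(fixed, admin_accounts, 100, 'reset-ok')

  { flawed_b: flawed[1].password, fixed_b: fixed[1].password,
    rejected: rejected, own_login: own.password }
end
```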


    SECURITY UPDATE

  Release Date: 2011-12-13 (Last update can be found below the document title)
  Description: CSRF attack vector in AJAX JSON responses
  Criticality Level: Less Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Cross-Site Request Forgery
  • Exposure of Sensitive Information
  Systems Affected: Canvas LMS
  Solution Status: Fixed in the 2011-12-10 release
  Discovered By: Securus Global
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/59e34ded646bb6b55749e1bfbbe9213c1704d320

https://github.com/instructure/canvas-lms/commit/beca2fc493d1624fc68aceab6e0f82b23017f034

https://github.com/instructure/canvas-lms/commit/5babb1dd1f6a5f6a8c46b493213cc2926aafdd22

https://github.com/instructure/canvas-lms/commit/f14f7fc2ba6bbbc773e327dcb7a3d81414fa293d

https://github.com/instructure/canvas-lms/commit/58e0ffe2e848ba7588a61bb0957247f1e03fb8a1

https://github.com/instructure/canvas-lms/commit/dbf30e3388873b1bf87fc5f78d389fdbf50ac82f


Summary:

A security audit has identified that Canvas LMS is vulnerable to a cross-site request forgery attack via unprotected JSON responses to various AJAX request calls. This attack could allow a malicious third-party site to steal private information, if a user were to visit that malicious site while logged in to Canvas.

This attack is not possible in the newest releases of major web browsers, but still affects some officially supported browser versions such as previous Safari and Chrome releases.

Status:

This vulnerability was fixed in the 2011-12-10 release by prepending a protective JavaScript loop to the JSON responses of GET requests.
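
An added sketch of this kind of fix, not Canvas's own code: a Rack-style middleware that prefixes JSON bodies of GET responses with a loop that never terminates, plus the strip step the application's own AJAX layer performs before parsing. The prefix `while(1);` and the names `JsonPrefixGuard`, `parse_guarded_json`, `DEMO_APP` and `demo_response` are assumptions made for this example.

```ruby
require 'json'

# Assumed prefix for this example. Any statement that never completes when
# the body is evaluated as a script serves the same purpose.
JSON_GUARD_PREFIX = 'while(1);'.freeze

# Rack-style middleware (a plain callable, no gem required). It prefixes the
# body of JSON responses to GET requests so that a cross-origin
# <script src=...> include hangs instead of evaluating the JSON.
class JsonPrefixGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless guard?(env, headers)

    payload = +''
    body.each { |chunk| payload << chunk }
    body.close if body.respond_to?(:close)
    guarded = JSON_GUARD_PREFIX + payload
    headers = headers.merge('Content-Length' => guarded.bytesize.to_s)
    [status, headers, [guarded]]
  end

  private

  def guard?(env, headers)
    pair = headers.find { |name, _| name.casecmp?('Content-Type') }
    content_type = pair ? pair.last : ''
    env['REQUEST_METHOD'] == 'GET' && content_type.start_with?('application/json')
  end
end

# Same-origin code can read the raw response text and strip the prefix; a
# cross-origin script include cannot. A missing prefix is treated as an error
# so an unguarded endpoint is noticed rather than silently accepted.
def parse_guarded_json(text)
  unless text.start_with?(JSON_GUARD_PREFIX)
    raise ArgumentError, 'response is missing the JSON guard prefix'
  end

  JSON.parse(text.delete_prefix(JSON_GUARD_PREFIX))
end

# Constructed demo app returning a top-level JSON array.
DEMO_APP = lambda do |_env|
  body = JSON.generate([{ 'id' => 1, 'name' => 'constructed user' }])
  [200, { 'Content-Type' => 'application/json; charset=utf-8' }, [body]]
end

def demo_response(method)
  JsonPrefixGuard.new(DEMO_APP).call('REQUEST_METHOD' => method)
end
```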


    SECURITY UPDATE

  Release Date: 2011-11-21 (Last update can be found below the document title)
  Description: Session Cookie Replay Attack
  Criticality Level: Less Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact: Easier Session Hijacking
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Securus Global
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/4ef50c16d8ac570c2a6c091f5105c5c96194526b


Summary:

A security audit has identified that the "stay logged in" login cookie for a given user will always have the same value, until the user changes their password or performs another similar action. This cookie is also set as a session cookie even when the user doesn't select "stay logged in", though in this case it is not persisted to their local disk.

The impact is that if the user's cookies are stolen, the attacker has the means to log in to Canvas as that user repeatedly, and for an indefinite period of time (until the user changes their password). Note that all communication with Canvas Cloud is over SSL, which makes stealing the user's Canvas cookies much more difficult.

Status:

A modification to Canvas has been developed which makes the "stay logged in" cookie a one-time use token that changes value for every user agent and every authentication. Future development will also place sensitive actions behind a login prompt when the user is authenticated through this token, forcing them to re-authenticate before performing such actions.
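
An added sketch of a one-time "stay logged in" token as described in this advisory, not Canvas's own implementation: every authentication issues a fresh random value, redeeming a cookie consumes it and returns a replacement, and a replayed value is rejected. The class `OneTimeLoginTokens`, the `id.secret` cookie layout and storing only a SHA-256 digest of the secret are assumptions of this example.

```ruby
require 'securerandom'
require 'digest'

# In-memory stand-in for a table of "stay logged in" tokens (hypothetical;
# one row per user agent that has authenticated).
class OneTimeLoginTokens
  Row = Struct.new(:user_id, :secret_digest)

  def initialize
    @rows = {} # token id => Row
  end

  # Called after every successful authentication. Each call yields a fresh
  # random value, so two browsers of the same user never share a cookie.
  def issue(user_id)
    id = SecureRandom.hex(8)
    secret = SecureRandom.urlsafe_base64(32)
    @rows[id] = Row.new(user_id, Digest::SHA256.hexdigest(secret))
    "#{id}.#{secret}"
  end

  # Redeems a cookie exactly once. On success the row is deleted and a
  # replacement cookie is issued; a replayed or forged value yields nil.
  def redeem(cookie)
    id, secret = cookie.to_s.split('.', 2)
    row = @rows[id]
    return nil unless row && secret
    return nil unless same_digest?(Digest::SHA256.hexdigest(secret), row.secret_digest)

    @rows.delete(id)
    { user_id: row.user_id, next_cookie: issue(row.user_id) }
  end

  # Password change: drop every outstanding token for the user.
  def revoke_all(user_id)
    @rows.delete_if { |_, row| row.user_id == user_id }
  end

  private

  # Comparison that does not exit early on the first differing byte.
  def same_digest?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: a copied cookie stops working once the legitimate
# browser has used it, while the user's other browser is unaffected.
def replay_demo
  store = OneTimeLoginTokens.new
  laptop = store.issue(42)
  phone = store.issue(42)
  first = store.redeem(laptop)
  replay = store.redeem(laptop)
  { distinct_per_agent: laptop != phone, first_user: first[:user_id],
    rotated: first[:next_cookie] != laptop, replay: replay,
    phone_still_valid: !store.redeem(phone).nil? }
end
```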


    SECURITY UPDATE

  Release Date: 2011-11-17 (Last update can be found below the document title)
  Description: SQL Sanitization Vulnerability
  Criticality Level: Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  • Privilege escalation
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Securus Global
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/2183ac7e1006cbfb49a18780d1de767fd753bd45


Summary:

A security audit has identified a SQL injection attack vector in the file re-ordering capability, available in the user's file area and the course/group file areas.

Status:

A fix to properly escape the posted user input has been developed and deployed to Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.

