This is an active exploit and it might be actively utilized. I don't know if this is the proper place to file it, but I found no better place elsewhere after my email got no response in 1 month. I chose to publish it here during the summer break to minimize the potential impact.
I would suggest publishing a Security Advisory to raise awareness if you see fit.
Summary:
canvadoc_session_url could be exploited for unrestricted access to unpublished content.
Steps to reproduce:
Get API access to Canvas as a student enrolled in a specific course.
[Optional] Brute-force the file ID for a specific course ID. For example: https://canvas.myschool.edu/api/v1/courses/$CourseID/files/$FileID
This step could be optimized with knowledge of the approximate file ID range and/or the keyword in the filename.
Access canvadoc_session_url in the JSON object returned by the API.
Expected behavior:
The canvadoc_session_url should deny access to whoever is logged in to Canvas as a student if the file is not published.
Actual behavior:
Access to locked/unpublished files is granted to students via canvadoc_session_url. The student will be redirected to a DocViewer under https://canvadocs.instructure.com/
Additional notes:
This exploit might already be fixed in a newer version. But please understand that different institutions might not be using the same up-to-date version of Canvas, as I clearly see different access verification levels at different institutions.
If that is the case, please kindly notify users to update to a minimum version with a feasible fix.
Otherwise, proper permission checking for /api/v1/canvadoc_session should be easy to implement and enforce.
Credits go to @yl4579 for realizing this potential exploit in a tea-time discussion with me.
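As an added illustration (not Canvas code; every model, method and field name below is hypothetical), a minimal Ruby sketch of the file API response: the vulnerable shape emits the DocViewer session URL regardless of lock state, while the hardened shape gates it on the same read check the file download itself is subject to.

```ruby
# Added example, not Canvas code: a minimal model of the
# /api/v1/courses/:id/files/:id response. All names are hypothetical.
require 'securerandom'
require 'time'

Attachment = Struct.new(:id, :published, :unlock_at, :lock_at, keyword_init: true)
User       = Struct.new(:id, :role, keyword_init: true)   # role: :student or :teacher

# The "file is visible to this user" rule a student is subject to: teachers
# always see the file; students only if it is published and inside its
# availability window. Returns a reason string on denial, nil if allowed.
def deny_reason(file, user, now = Time.now.utc)
  return nil if user.role == :teacher
  return 'unpublished'      unless file.published
  return 'not yet unlocked' if file.unlock_at && now < file.unlock_at
  return 'locked'           if file.lock_at && now >= file.lock_at
  nil
end

# Stand-in for minting a DocViewer session; in the real system this is where
# a short-lived URL under canvadocs.instructure.com would be created.
def mint_session_url(file)
  "https://canvadocs.instructure.com/sessions/#{file.id}-#{SecureRandom.hex(8)}/view"
end

# Vulnerable shape: the lock status is reported, but the session URL is
# emitted unconditionally, so a locked/unpublished file is still viewable.
def file_json_vulnerable(file, user)
  { 'id' => file.id, 'locked_for_user' => !deny_reason(file, user).nil?,
    'canvadoc_session_url' => mint_session_url(file) }
end

# Hardened shape: the URL (and the session behind it) only exists when the
# same read check that guards the file download passes for this user.
def file_json_hardened(file, user)
  reason = deny_reason(file, user)
  json = { 'id' => file.id, 'locked_for_user' => !reason.nil? }
  if reason
    json['lock_explanation'] = reason
  else
    json['canvadoc_session_url'] = mint_session_url(file)
  end
  json
end
```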